The Internet Crime Complaint Center (IC3), an FBI unit specialized in cybercrime, recently reported that it was experiencing a significant increase in complaints from citizens and organizations: They now receive between 3,000 and 4,000 complaints about cyberattacks every day- caused by threats like Grandoreiro-. The average didn’t use to surpass 1,000.

The FBI also agrees that the interest caused by COVID-19 is being exploited by cybercriminals to carry out attacks. What’s more, it stresses that many of the cyberattacks are targeting clients in the financial sector: Federal agencies are especially concerned about a North Korean group known as Hidden Cobra. This group tends to target cryptocurrency transfers but has also been known to target regular banks. However, this is not the only campaign targeting the financial sector that has been cause for concern over the last few weeks.

An old face returns_

IBM’s X-Force Threat Intelligence reported back in April that a well-known piece of malware was being used against clients in at least ten Spanish financial institutions. The malware in question is Grandoreiro, a Trojan that dates back to 2014, and which first appeared in Brazil and Mexico, using remote overlay techniques. Now, however, it has a new trick up its sleeve: It is using COVID-19 as bait. X-Force explains that it works as follows:

  • Cyberattackers use emails containing images or video related to COVID-19 as an attack vector. If the victim opens this email, it contains an URL that leads to a malicious website.
  • Once on the website, the victims are persuaded to download an MSI document from a GitHub repository, which contains the loader that will in turn download the Trojan onto the system.
  • Once Grandoreiro is on the system, it establishes a remote connection with the cyberattackers’ servers, which is then used to send notifications about how the computer is being used and what websites the victim is visiting.
  • Grandoreiro can also download a malicious Google Chrome extension. The extension masquerades as a “Google Plugin version 1.5.0”, which is added to the browser bar, and asks the user for different permissions such as accessing browser history. This allows the cyberattackers to monitor which websites the user visits and steal their cookies.
  • When the user visits their bank’s website, the Trojan sends a notification to the cyberattacker, who can then remotely access the computer. With this remote access, the attacker can send images to the victim’s computer to make it look like they’re really accessing their bank’s website. This way, the user will stay logged in long enough for the attacker to be able to steal their credentials.

Training and advanced protection_

As in other cases that have used social engineering, the main line of defense against Grandoreiro is prevention and user training. In this case it is important to insist that users not open emails or links from unknown senders, even if they supposedly contain interesting information about COVID-19.

Large organizations, where Trojans like Grandoreiro could case huge losses if the victims are financial managers or directors with access to corporate bank accounts, are also now at greater risk because of the fact that the increase in remote work has increased the attack surface. This is why training is even more important now.

However, all of this may still not be enough. To ensure that systems are protected, companies can also use Cytomic EPDR’s advanced protection. It contains a full stack of preventive endpoint technologies, EDR capabilities, and the Zero-Trust Application Service. This detects and responds to any kind of known or unknown malware.

It stops any kind of malware from running on computers, service, virtual environments, and mobile devices. As a result, all computers and systems in the organization will be fully protected, even if users access malicious websites that could contain new cyberthreats.