{
	"id": "e34d53be-ab57-42b1-8282-02a1d2e8230b",
	"created_at": "2026-04-06T02:13:06.428751Z",
	"updated_at": "2026-04-10T03:30:57.237184Z",
	"deleted_at": null,
	"sha1_hash": "30160cfed2e3865b2bc8874f05ab0c56742b2b7d",
	"title": "Grandoreiro malware now targeting banks in Spain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5086195,
	"plain_text": "Grandoreiro malware now targeting banks in Spain\r\nBy Dani Abramov, Limor Kessem\r\nPublished: 2020-04-13 · Archived: 2026-04-06 02:08:10 UTC\r\nAuthors\r\nDani Abramov, Threat Researcher, IBM\r\nLimor Kessem, X-Force Cyber Crisis Management Global Lead, IBM\r\nDuring the past few months, IBM X-Force researchers have noticed that a familiar malware threat that typically affects bank customers in Brazil has spread to attack banks in Spain. The rise in campaigns prompted us to look into it further.\r\nGrandoreiro, a remote-overlay banking Trojan, has migrated to Spain without significant modification, proving that attackers who know the malware from its Brazilian origins are either collaborating with attackers in Spain or have themselves spread the attacks to the region. Remote-overlay Trojans are easy to find and purchase in underground and dark web markets.\r\nA recent campaign delivered Grandoreiro using COVID-19-themed videos to trick users into running a concealed executable, infecting their devices with a remote-access tool (RAT) designed to empty their bank accounts.\r\nThe remote-overlay malware trend is highly prolific across Latin America. It began trending in Brazil circa 2014, and this simple type of attack continues to gain popularity among local cybercriminals; it is considered the top financial malware threat in the region.\r\nThere is a large variety of remote-overlay malware codes active in the wild, each featuring similar code with a modified deployment process and infection mechanism.\r\nUsers become infected via malspam, phishing pages or malicious attachments. Once installed on a target device, the malware goes into action when the user accesses one of a hardcoded list of entities, mostly local banks.\r\nOnce the user enters a targeted website, the attacker is notified and can take over the device remotely. 
As the victim accesses their online banking account, the attacker can display full-screen overlay images (hence the name “remote overlay”) designed to appear to be part of the bank’s website. These pages can either block the victim’s access to the site, allowing the attacker to move money after the initial authentication, or include additional data fields that the user is prompted to fill out.\r\nhttps://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/\r\nPage 1 of 9\n\nIn the background, the attacker initiates a fraudulent money transfer from the compromised account and leverages the victim’s presence in real time to obtain any information required to complete it.\r\nX-Force researchers who analyzed recent Grandoreiro attacks note the following observations:\r\nThe malware is typically spread via malspam campaigns containing a URL that directs recipients to an infection zone.\r\nThe first stage of infection is a loader component. Our team located a number of loaders used by Grandoreiro attackers, masked as invoice files with a .msi extension and placed in an easily accessible GitHub repository.\r\nThe second stage of the infection fetches the Grandoreiro payload via a URL hardcoded in the loader’s code.\r\nGrandoreiro is executed and infects the device.\r\nThe Grandoreiro executable is initially a standalone dropper without additional modules. 
After its execution, it writes a run key based on the location from which it was executed.\r\nFigure 1: Grandoreiro run key\r\nSome sample images from Grandoreiro attacks show that it tells victims they need to install a supposed security application.\r\nGrandoreiro’s bot communication with its command-and-control (C\u0026C) server is encrypted and transmitted over SSL. As an operational security measure on the attacker’s side, the infected device’s system date has to match a recent campaign date for the bot to connect to the C\u0026C server. This is verified by an algorithm that otherwise directs the communication to localhost, as shown in the image below. An analyst detonating a sample in a sandbox whose clock falls outside the campaign window will therefore see only localhost traffic.\r\nFigure 2: Grandoreiro bot communication pattern via HTTP POST request\r\nOnce the date check passes, communication packages are sent and receive information through sites.google.com/view/. This is only part of the URL, and it is hardcoded into the malicious code. To complete the URL path, information on the infected device is fed to the attacker’s communication algorithm, which generates the second part of the path. For example:\r\nhxxps://sites.google[.]com/view/brezasq12xwuy\r\nOnce the connection is established, the malware will likely use it to send notifications to the attacker when a victim accesses a banking site. Machine information, clipboard data and remote-access capabilities are also facilitated via the C\u0026C.\r\nAfter execution, the sample runs for about six minutes, at which point the machine abruptly reboots. 
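The communication pattern described above (repeated HTTPS POSTs to the hardcoded sites.google.com/view/ prefix followed by a generated label) can be hunted for in proxy logs. The script below is an added example written for this edit, not code from the article or from IBM X-Force. The log format, the beaconing threshold and the 'generated label' heuristic are this example's own assumptions, and the log excerpt is constructed; only the label itself is taken from the article's example URL.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from urllib.parse import urlsplit

# Constructed proxy log excerpt (not from the article): timestamp, client IP,
# method, URL, status. The 10.0.0.7 POSTs mimic the sites.google.com/view/<label>
# pattern the article describes; the other lines are ordinary Google Sites use.
SAMPLE_LOG = '''
2020-04-13T09:00:02Z 10.0.0.7 POST https://sites.google.com/view/brezasq12xwuy 200
2020-04-13T09:00:05Z 10.0.0.21 GET https://www.google.com/ 200
2020-04-13T09:01:02Z 10.0.0.7 POST https://sites.google.com/view/brezasq12xwuy 200
2020-04-13T09:01:40Z 10.0.0.21 GET https://sites.google.com/view/company-intranet 200
2020-04-13T09:02:03Z 10.0.0.7 POST https://sites.google.com/view/brezasq12xwuy 200
2020-04-13T09:02:30Z 10.0.0.33 POST https://sites.google.com/view/team-handbook 200
2020-04-13T09:03:01Z 10.0.0.7 POST https://sites.google.com/view/brezasq12xwuy 200
'''

LINE = re.compile(r'(\S+) (\S+) (\S+) (\S+) (\d{3})$')


def parse_log(text):
    """Turn the space-separated excerpt into (time, client, method, url) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, client, method, url, _status = LINE.match(line.strip()).groups()
        records.append((datetime.fromisoformat(ts.replace('Z', '+00:00')), client, method, url))
    return records


def looks_generated(label):
    """Heuristic, and this example's assumption rather than a rule from the
    article: a Sites label with letters and digits run together and no
    separators reads like algorithm output rather than a page title."""
    return (len(label) >= 10 and label.isalnum()
            and any(c.isdigit() for c in label) and any(c.isalpha() for c in label))


def suspicious_beacons(records, min_posts=3, max_jitter=10.0):
    """Group POSTs to sites.google.com/view/<label> by (client, label) and keep
    the groups that recur at a near-constant interval: a bot polling its C&C
    beacons on a timer, a person editing a site does not."""
    groups = defaultdict(list)
    for ts, client, method, url in records:
        parts = urlsplit(url)
        segments = parts.path.strip('/').split('/')
        if method != 'POST' or parts.hostname != 'sites.google.com':
            continue
        if len(segments) < 2 or segments[0] != 'view':
            continue
        groups[(client, segments[1])].append(ts)
    hits = []
    for (client, label), times in groups.items():
        if len(times) < min_posts:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:  # low jitter between POSTs = timer-driven
            hits.append({'client': client, 'label': label, 'posts': len(times),
                         'mean_gap_s': round(sum(gaps) / len(gaps), 1),
                         'generated_label': looks_generated(label)})
    return hits


if __name__ == '__main__':
    for hit in suspicious_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Because the article notes the C&C traffic is carried over SSL, the request path is only visible at a TLS-inspecting proxy or in browser and endpoint telemetry; at the DNS or SNI layer all that shows is sites.google.com, which is far too common to alert on by itself. The jitter threshold is deliberately loose and should be tuned against a baseline of normal Google Sites usage.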
A few minutes after the reboot, the malware writes a compressed archive named ext.zip, from which it extracts additional files into a directory under C:/%user%/*extension folder*/*.\r\nThe extracted files are modified versions of an existing, legitimate Google Chrome browser extension called EditThisCookie.\r\nIn the next step, the dropper writes a new Chrome shortcut (.lnk) file, or replaces the original if one already exists.\r\nThe new Chrome shortcut carries a --load-extension parameter that loads the new extension when the browser starts.\r\nFigure 3: Fake browser extension created by Grandoreiro\r\nHere is an example of a target path from our analysis:\r\n\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --load-extension=\"%userprofile%\\F162FD4091BD6D9759E60C3\"\r\nIf Chrome was already open when the infection started unfolding, the malware force-closes all chrome.exe threads to kill the process. This forces the victim to re-open the browser using the newly written .lnk file, which now loads Grandoreiro’s malicious extension. The extension is loaded on every browser start that goes through this specific .lnk file.\r\nNote that the browser itself is not hooked. Launching Chrome from any other shortcut starts it normally, without the malicious extension, which cancels out the malware’s ability to control what the victim does.\r\nSince this malicious extension is trying to pass for a legitimate Chrome plugin, Grandoreiro’s developer named it “Google Plugin” version 1.5.0. 
Visually, it adds a square button to the browser window in place of the “cookie” button of the original plugin.\r\nFigure 4: Fake browser extension created by Grandoreiro — fake button\r\nThis extension will also ask the user for various permissions:\r\nReading your browsing history\r\nDisplaying notifications\r\nModifying data you copy and paste\r\nActual in-code permissions:\r\n“tabs”\r\n“activeTab”\r\n“webNavigation”\r\n“all_urls”\r\n“cookies”\r\n“contextMenus”\r\n“unlimitedStorage”\r\n“notifications”\r\n“storage”\r\n“clipboardWrite”\r\n“browser”\r\n“webRequest”\r\n“webRequestBlocking”\r\n“\u003call_urls\u003e”\r\nAfter the extension is deployed and installed, the dropper writes three additional files under %appdata%/local/*/:\r\nEXT.dat\r\nRB.dat\r\nEML.dat\r\nThe malware runs a watchdog on the EXT.dat file and re-writes it after any removal attempt.\r\nUsing the modified extension, the attacker can collect user information from cookies. The collected information includes the following fields:\r\n“url”\r\n“tabid”\r\n“PASSANDO PARAMETRO”\r\n“cookie”\r\n“name”\r\n“domain”\r\n“value”\r\n“expired”\r\n“FormData”\r\n“WEBMAIL”\r\n“LoginForm[password]”\r\n“CHECKBOX_TROCA_SENHA”\r\n“ccnumber”\r\nWe suspect that the malware uses this extension to grab the victim’s cookies and use them from another device to ride the victim’s active session. With this method, the attacker does not need to keep controlling the victim’s machine.\r\nNote that some of the strings in the collected data remain written in Portuguese. 
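Both the persistence step described above (a replaced Chrome shortcut carrying --load-extension) and the permission set of the side-loaded extension can be checked from a shortcut's argument string and the extension directory it points at. The script below is an added example written for this edit, not code from the article or from IBM X-Force. It takes the argument string and a path-to-text reader, so it can be pointed at a live host or at a forensic copy. The sample shortcut arguments, manifest and background script are constructed to mirror the article's target path and permission list; the high-risk ranking of permissions and the harvest-marker list are this example's own choices.

```python
import json

# Permissions the article lists for the fake 'Google Plugin' extension. The
# subset below is what this example treats as high risk, because together they
# allow cookie theft, request interception and clipboard tampering; the ranking
# is this example's own judgement, not the article's.
HIGH_RISK = {'<all_urls>', 'cookies', 'webRequest', 'webRequestBlocking',
             'clipboardWrite', 'tabs', 'webNavigation'}

# Field names the article reports in the data the extension collects; finding
# them in an extension's scripts is a strong credential-harvesting indicator.
HARVEST_MARKERS = ('LoginForm[password]', 'CHECKBOX_TROCA_SENHA', 'ccnumber',
                   'PASSANDO PARAMETRO', 'WEBMAIL', 'FormData')


def split_shortcut_args(arguments):
    """Split a shortcut's argument string on whitespace, honouring double
    quotes and keeping backslashes literal (Windows, not POSIX, semantics)."""
    tokens, current, quoted = [], '', False
    for ch in arguments:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append(current)
            current = ''
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def sideloaded_extension_paths(arguments):
    """Return the directories a Chrome shortcut side-loads.

    Chrome accepts --load-extension=<dir>[,<dir>...]; the switch is absent
    from the shortcuts the installer creates, so any hit deserves a look.
    """
    paths = []
    for token in split_shortcut_args(arguments):
        if token.lower().startswith('--load-extension='):
            paths.extend(p for p in token.split('=', 1)[1].split(',') if p)
    return paths


def triage_manifest(manifest):
    """Summarise what an extension's parsed manifest.json grants."""
    granted = set(manifest.get('permissions', []))
    granted |= set(manifest.get('host_permissions', []))  # Manifest V3 layout
    return {
        'name': manifest.get('name'),
        'version': manifest.get('version'),
        'default_locale': manifest.get('default_locale'),
        'high_risk': sorted(granted & HIGH_RISK),
        'can_read_all_cookies': {'cookies', '<all_urls>'} <= granted,
        'can_intercept_requests': {'webRequest', 'webRequestBlocking'} <= granted,
    }


def assess_shortcut(arguments, read_file):
    """For every directory the shortcut side-loads, read manifest.json and the
    declared background scripts through read_file (a path -> text callable, so
    the caller decides whether files come from disk or a forensic image) and
    return one finding per extension."""
    findings = []
    for directory in sideloaded_extension_paths(arguments):
        manifest = json.loads(read_file(directory + '\\manifest.json'))
        finding = triage_manifest(manifest)
        finding['directory'] = directory
        markers = []
        for script in manifest.get('background', {}).get('scripts', []):
            text = read_file(directory + '\\' + script)
            markers.extend(m for m in HARVEST_MARKERS if m in text and m not in markers)
        finding['harvest_markers'] = markers
        findings.append(finding)
    return findings


# Constructed sample modelled on the shortcut target and permission list in the
# article; the manifest and script contents are invented for this example.
SAMPLE_DIR = '%userprofile%\\F162FD4091BD6D9759E60C3'
SAMPLE_ARGS = '--load-extension="' + SAMPLE_DIR + '" --no-first-run'
SAMPLE_FILES = {
    SAMPLE_DIR + '\\manifest.json': json.dumps({
        'manifest_version': 2, 'name': 'Google Plugin', 'version': '1.5.0',
        'default_locale': 'pt_BR', 'background': {'scripts': ['bg.js']},
        'permissions': ['tabs', 'activeTab', 'webNavigation', 'cookies',
                        'contextMenus', 'unlimitedStorage', 'notifications',
                        'storage', 'clipboardWrite', 'browser', 'webRequest',
                        'webRequestBlocking', '<all_urls>'],
    }),
    SAMPLE_DIR + '\\bg.js': 'chrome.cookies.getAll({}, function (c) {'
                            ' send({cookie: c, FormData: f, WEBMAIL: m, ccnumber: n}); });',
}

if __name__ == '__main__':
    for finding in assess_shortcut(SAMPLE_ARGS, SAMPLE_FILES.__getitem__):
        print(json.dumps(finding, indent=2))
```

On a live Windows host the argument strings come from resolving .lnk files under the Desktop, Start Menu and taskbar pinned folders (for instance the Arguments property returned by WScript.Shell's CreateShortcut in PowerShell); as the article notes, only a shortcut that carries the switch loads the extension, so finding a clean shortcut next to a tampered one is expected.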
Another tidbit connecting Grandoreiro variants to Brazil is the “default_locale” setting in the malicious browser extension’s code, which is set to “pt_BR” (Portuguese, Brazil).\r\nFigure 5: Grandoreiro — Brazilian origins\r\nOnce active on the infected device, Grandoreiro waits in the background for the victim to take an action that will trigger it, such as browsing to a targeted bank’s website. That is when the attacker invokes the malware’s remote-access feature and engages with the victim in real time, launching malicious images on the screen to trick the victim into keeping the session alive and providing information that helps the attacker.\r\nThe images are premade to look like the targeted bank’s interface, and the attacker can launch them in real time.\r\nAfter discovering Grandoreiro attacks in Spain, our team looked into the code for modifications. We established that the source codes are 80–90 percent identical. It stands to reason that the attackers deploying Grandoreiro in Spain have some tie to those operating it in Brazil.\r\nFigure 6: Grandoreiro versions in Spain and Brazil are 80–90 percent similar\r\nBanking Trojans are a popular tool among attackers around the globe, who use them to rob the bank accounts of unsuspecting victims by infecting the devices they bank from.\r\nIn the global arena, sophisticated, modular banking Trojans like TrickBot and IcedID, operated by organized cybercrime gangs, are what we usually find being used against large banks in various countries. 
But that stands in stark contrast to what we continue to see in the LATAM region and wherever else the language barrier lets the same cybercriminals operate, namely Spanish- and Portuguese-speaking countries outside of LATAM.\r\nNotoriously simplistic malware codes reign supreme in these regions, allowing almost any level of attacker to access and use them against consumers and businesses alike. While relatively simple, this malware’s power lies in the attacker’s ability to take over devices and trick the victim in real time within the context of their normal online banking activities.\r\nIBM X-Force research continues to monitor these threats and keep our readers up to date on how they evolve. To read more from our teams, check out our Security Intelligence blogs, and join us on X-Force Exchange for timely indicators of compromise (IoCs) and threat intel on emerging attacks.\r\nSource: https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/"
	],
	"report_names": [
		"grandoreiro-malware-now-targeting-banks-in-spain"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441586,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30160cfed2e3865b2bc8874f05ab0c56742b2b7d.pdf",
		"text": "https://archive.orkl.eu/30160cfed2e3865b2bc8874f05ab0c56742b2b7d.txt",
		"img": "https://archive.orkl.eu/30160cfed2e3865b2bc8874f05ab0c56742b2b7d.jpg"
	}
}