Full Report
Latin America and Europe become the target of two banking trojan campaigns that are designed to infect Windows and Android devices with Grandoreiro and BTMOB malware, respectively. That's according to new findings from WatchGuard and ESET, which have observed the two malware families being used to single out companies in Spain, Portugal, and Mexico, as well as mobile users in Brazil. The
Analysis Summary
Based on the article provided, here is the summary of the Grandoreiro and BTMOB malware families.
# Tool/Technique: Grandoreiro
## Overview
Grandoreiro is a mature, Delphi-based banking trojan active since 2016. Its primary purpose is to steal financial credentials and facilitate unauthorized transactions by targeting users of thousands of financial institutions worldwide. The latest campaigns focus on Spain, Portugal, and Mexico.
## Technical Details
- **Type:** Malware family (Banking Trojan)
- **Platform:** Windows
- **Capabilities:** Credential theft, DLL side-loading, anti-analysis, P2P communication, and overlay attacks.
- **First Seen:** 2016
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.001 - Phishing: Spearphishing Attachment]
  - [T1566.002 - Phishing: Spearphishing Link]
- **[TA0005 - Defense Evasion]**
  - [T1574.002 - Hijack Execution Flow: DLL Side-Loading]
  - [T1211 - Exploitation for Defense Evasion (CAPTCHA checks)]
  - [T1027 - Obfuscated Files or Information]
- **[TA0011 - Command and Control]**
  - [T1095 - Non-Application Layer Protocol (STUN/ICE)]
  - [T1102 - Web Service]
## Functionality
### Core Capabilities
- **Information Theft:** Steals credentials for banks and fintech services (e.g., Santander, Revolut, Wise).
- **Execution:** Uses Visual Basic Scripts (VBS) to launch executables disguised as software updates (Adobe Reader).
- **DLL Side-Loading:** Abuses legitimate applications to load malicious Delphi 11 DLLs (`mingwm10.dll`, `libwebp.dll`, `libffi-6.dll`, `libpng15.dll`).
### Advanced Features
- **P2P Communication:** Incorporates the `sgcWebSockets` library to establish peer-to-peer connections.
- **Protocol Abuse:** Utilizes STUN (Session Traversal Utilities for NAT) and ICE (Interactive Connectivity Establishment) to bypass NAT and blend into "noisy" web-conferencing traffic (WebRTC).
- **Anti-Analysis:** Implements CAPTCHA checks and detection evasion triggers to complicate sandbox analysis.
---
# Tool/Technique: BTMOB
## Overview
BTMOB is an Android-based Remote Access Trojan (RAT) that emerged in early 2025. It is built for full compromise of the mobile device, focusing on credential theft through automated overlays and complete remote control of the infected handset.
## Technical Details
- **Type:** Malware family (Android RAT / Mobile Banking Trojan)
- **Platform:** Android
- **Capabilities:** Keylogging, screen capture, accessibility service abuse, and remote control.
- **First Seen:** February 2025
## MITRE ATT&CK Mapping
- **[TA0030 - Persistence (Mobile)]**
  - [T1624.001 - Event Triggered Execution: Accessibility Service]
- **[TA0031 - Privilege Escalation (Mobile)]**
  - [T1433 - Access Accessibility Service]
- **[TA0037 - Command and Control (Mobile)]**
  - [T1437.001 - Standard Application Layer Protocol]
- **[TA0035 - Collection (Mobile)]**
  - [T1417.001 - Input Capture: Keylogging]
  - [T1513 - Screen Capture]
## Functionality
### Core Capabilities
- **Credential Theft:** Uses HTML injection/overlays to steal usernames and passwords when specific banking apps are opened.
- **Surveillance:** Capable of capturing screenshots and logging keystrokes.
- **Device Interaction:** Can unlock devices and perform automated actions via Accessibility Services.
### Advanced Features
- **Remote Control:** Provides a full suite of RAT tools for operators to control the device in real-time.
- **Campaign Management:** Part of a sophisticated distribution model (ALBIRIOX) providing ready-made campaign tools for threat actors.
---
## Indicators of Compromise (Grandoreiro)
*Note: Indicators for BTMOB were truncated in the source text.*
- **File Names:** `mingwm10.dll`, `libwebp.dll`, `libffi-6.dll`, `libpng15.dll`.
- **Network Indicators (defanged):**
  - Traffic utilizing STUN/ICE protocols to evade monitoring.
  - Distribution via `mediafire[.]com`.
- **Behavioral Indicators:**
  - Legitimate signed executables loading unsigned Delphi DLLs.
  - Spawning Visual Basic Scripts from ZIP archives.
  - Browser-style CAPTCHA prompts appearing outside of a web browser during infection.
## Associated Threat Actors
- **Grandoreiro Groups:** Unnamed financially motivated actors typically operating out of Brazil/LATAM.
## Detection & Mitigation
### Detection Methods
- **Behavioral:** Monitor for DLL side-loading in common software folders and unusual STUN/ICE traffic originating from non-conferencing applications.
- **Signature-based:** Standard AV/EDR detection for Delphi-based banking components.
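The side-loading behaviour described under the indicators and detection sections can be turned into a simple host-based check. The script below is an added example, not code from the report or from either vendor; it assumes Sysmon Event ID 7 (Image loaded) records exported as JSON lines with Sysmon's field names, and the trusted-directory list is an assumption you would tune for your estate.

```python
"""Flag DLL loads matching the Grandoreiro side-loading pattern.

Hypothetical detector over Sysmon-style Event ID 7 (ImageLoaded) records
in JSON-lines form; the sample events at the bottom are constructed.
"""
import json
from pathlib import PureWindowsPath

# DLL names the report lists as Grandoreiro side-loading components.
GRANDOREIRO_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}

# Roots where an unsigned DLL load is expected to be rare (assumption; tune per estate).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def classify_load(event):
    """Return the reasons one image-load event is suspicious (empty list if benign)."""
    loaded = event.get("ImageLoaded", "")
    name = PureWindowsPath(loaded).name.lower()
    unsigned = str(event.get("Signed", "")).lower() != "true"
    reasons = []
    if name in GRANDOREIRO_DLLS:
        reasons.append(f"known side-load DLL name: {name}")
    if unsigned and not loaded.lower().startswith(TRUSTED_ROOTS):
        reasons.append(f"unsigned DLL loaded from untrusted path: {loaded}")
    return reasons


def scan(lines):
    """Return (Image, ImageLoaded, reasons) for every suspicious JSON-lines event."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reasons = classify_load(ev)
        if reasons:
            hits.append((ev.get("Image"), ev.get("ImageLoaded"), reasons))
    return hits


# Constructed sample events (not real telemetry): one benign, two suspicious.
SAMPLE_EVENTS = r"""
{"EventID":7,"Image":"C:\\Windows\\explorer.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","Signed":"true"}
{"EventID":7,"Image":"C:\\Users\\u\\AppData\\Local\\Temp\\update\\reader.exe","ImageLoaded":"C:\\Users\\u\\AppData\\Local\\Temp\\update\\libwebp.dll","Signed":"false"}
{"EventID":7,"Image":"C:\\Users\\u\\Downloads\\viewer.exe","ImageLoaded":"C:\\Users\\u\\Downloads\\helper.dll","Signed":"false"}
"""

if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{image} -> {dll}: {'; '.join(reasons)}")
```

The known-name match is the high-confidence signal; the unsigned-from-untrusted-path rule is noisier and is best paired with the process image's own signature status from your EDR to isolate the "signed executable loading an unsigned DLL" case.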
### Mitigation Strategies
- **Technical:** Block known file-sharing sites (Mediafire) in corporate environments if not required for business.
- **Hardening:** Implement AppLocker or Windows Defender Application Control (WDAC) to prevent unauthorized DLL loading.
- **Education:** Conduct phishing simulations focusing on "software update" lures and malicious links.