Banking Trojan Campaigns Targeting Latin America and Europe

3 June 2026 by TechStora

Emerging Threats in Banking Malware Campaigns

Recent investigations by WatchGuard and ESET have highlighted two distinct banking trojan campaigns targeting Windows and Android devices. These attacks focus on distributing the Grandoreiro and BTMOB malware families, with the former concentrating on financial institutions in Spain, Portugal, and Mexico, and the latter aimed at mobile users in Brazil. The campaigns employ advanced techniques, such as phishing emails and sophisticated code injection methods, to expand their reach and evade detection.

Despite intensified law enforcement efforts, including arrests by Brazilian authorities in early 2024, Grandoreiro continues to evolve. The malware has been designed to steal credentials from thousands of financial institutions globally. Its developers have incorporated additional measures, such as CAPTCHA verifications, to hinder cybersecurity analysis and maintain operational resilience.

Exploitation of DLL Sideloading Techniques

The Grandoreiro malware leverages the DLL sideloading technique to execute malicious payloads. This approach abuses legitimate software by having it load a malicious DLL in place of a library it expects, so the payload runs under the cover of a trusted executable and bypasses standard security measures. In this campaign, four distinct software programs targeting Portuguese banks have been exploited to facilitate this method.

Notably, the malware utilizes DLLs built with Delphi 11; Delphi is a programming language frequently associated with cyberattacks in the targeted regions. Two of the identified DLLs, mingwm10.dll and libwebp.dll, integrate the sgcWebSockets library, enabling real-time peer-to-peer communications. This feature enhances the malware's capability to interact covertly and maintain its network of compromised systems.
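A defender's starting point for the sideloading behaviour described above is image-load telemetry: a library with a well-known name (the four DLL names from this report are used as the initial watchlist) that is mapped from the host application's own directory rather than a system directory, and that carries no valid signature, is a strong sideloading candidate. The following is an added example and not code from the original article or from WatchGuard or ESET; the `Image: ...|ImageLoaded: ...|Signed: ...` record format and the sample lines are constructed here to stand in for Sysmon Event ID 7 output.

```python
"""Flag DLL sideloading candidates in image-load records (added example, constructed data)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple

# DLL names called out in the campaign writeup; extend with names seen in your own telemetry.
WATCHLIST = {"mingwm10.dll", "libwebp.dll", "libffi6.dll", "libpng15.dll"}

# Directories where a library with one of these names would normally be expected to live.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class ImageLoad:
    image: str    # process executable that performed the load
    loaded: str   # full path of the DLL that was mapped
    signed: bool  # whether the DLL carried a valid Authenticode signature


def parse_record(line: str) -> ImageLoad:
    """Parse one 'Key: value|Key: value' record (constructed format for this example)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return ImageLoad(fields["Image"], fields["ImageLoaded"],
                     fields["Signed"].lower() == "true")


def classify(rec: ImageLoad) -> str:
    """Return 'high', 'medium' or 'none' for a single image-load record.

    'medium': watchlisted name loaded from the executable's own directory (not a trusted dir).
    'high':   the same, and the DLL is unsigned.
    """
    dll = PureWindowsPath(rec.loaded)
    exe = PureWindowsPath(rec.image)
    dll_dir = str(dll.parent).lower()
    if dll.name.lower() not in WATCHLIST:
        return "none"
    if dll_dir in TRUSTED_DIRS or dll_dir != str(exe.parent).lower():
        return "none"
    return "high" if not rec.signed else "medium"


def find_candidates(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (dll_path, severity) for every record that looks like a sideload."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        severity = classify(rec)
        if severity != "none":
            hits.append((rec.loaded, severity))
    return hits


# Constructed sample records: one sideload candidate, one normal system load,
# one signed library living next to its application.
SAMPLE_RECORDS = [
    r"Image: C:\Users\ana\AppData\Local\BankApp\bankapp.exe"
    r"|ImageLoaded: C:\Users\ana\AppData\Local\BankApp\libwebp.dll|Signed: false",
    r"Image: C:\Program Files\Editor\editor.exe"
    r"|ImageLoaded: C:\Windows\System32\kernel32.dll|Signed: true",
    r"Image: C:\Program Files\ImageTool\tool.exe"
    r"|ImageLoaded: C:\Program Files\ImageTool\libpng15.dll|Signed: true",
]

if __name__ == "__main__":
    for path, severity in find_candidates(SAMPLE_RECORDS):
        print(f"{severity.upper():6} sideload candidate: {path}")
```

The rule deliberately treats a signed library next to its application as only medium severity: legitimate software ships such libraries, and the signal worth paging on is the combination of a well-known library name, a non-system directory, and a missing or invalid signature.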

Utilization of Communication Protocols for Evasion

The malware incorporates Session Traversal Utilities for NAT (STUN), a protocol designed to discover the public IP address and port that a device behind a NAT is reachable on. This functionality supports seamless peer-to-peer communication and lets the malware blend into noisy web traffic, such as that generated by WebRTC-based web conferencing tools, to obscure its activities.

In addition to STUN, two other DLLs, libffi6.dll and libpng15.dll, employ the Interactive Connectivity Establishment (ICE) protocol. This alternative achieves similar goals but is tailored to specific network configurations, further complicating detection efforts by cybersecurity defenders.
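Because STUN is the common building block of both paragraphs above (ICE negotiates candidates over STUN messages), the practical detection question is not "is there STUN traffic" but "which process is emitting it". STUN messages are easy to recognise by their fixed header (RFC 5389: 14-bit type with the top two bits zero, 16-bit length that is a multiple of 4, and the magic cookie 0x2112A442), so a sensor can pair each STUN datagram with its originating process and alert when that process is not a known WebRTC-capable application. The code below is an added example, not part of the original article; the `WEBRTC_ALLOWLIST` entries, the `(process, dst_port, payload)` flow tuples and the sample datagrams are constructed assumptions for the demonstration.

```python
"""Recognise RFC 5389 STUN messages and flag them per originating process (added example)."""
import struct
from typing import Iterable, List, Optional, Tuple

MAGIC_COOKIE = 0x2112A442
HEADER_LEN = 20  # type(2) + length(2) + cookie(4) + transaction id(12)

CLASS_NAMES = {0: "request", 1: "indication", 2: "success-response", 3: "error-response"}

# Processes that legitimately speak STUN/ICE in this (constructed) environment.
WEBRTC_ALLOWLIST = {"teams.exe", "chrome.exe", "zoom.exe"}


def parse_stun_header(payload: bytes) -> Optional[Tuple[int, int]]:
    """Return (msg_class, method) if payload is a plausible STUN message, else None."""
    if len(payload) < HEADER_LEN:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE:
        return None
    # Length excludes the 20-byte header and must be 4-byte aligned.
    if msg_len % 4 or msg_len != len(payload) - HEADER_LEN:
        return None
    # Class bits C0 and C1 sit at bit 4 and bit 8 of the type field (RFC 5389 figure 3);
    # the method bits are the remaining 12 bits, interleaved around them.
    msg_class = ((msg_type >> 4) & 0x1) | (((msg_type >> 8) & 0x1) << 1)
    method = ((msg_type & 0x000F)
              | (((msg_type >> 5) & 0x07) << 4)
              | (((msg_type >> 9) & 0x1F) << 7))
    return msg_class, method


def build_stun(msg_type: int, transaction_id: bytes = b"\x00" * 12) -> bytes:
    """Build a bare STUN message with no attributes (used for the constructed samples)."""
    return struct.pack("!HHI", msg_type, 0, MAGIC_COOKIE) + transaction_id


def flag_stun_flows(flows: Iterable[Tuple[str, int, bytes]]) -> List[Tuple[str, int, str, int]]:
    """Return (process, dst_port, class_name, method) for STUN sent by non-allowlisted processes."""
    hits = []
    for process, dst_port, payload in flows:
        header = parse_stun_header(payload)
        if header is None:
            continue
        msg_class, method = header
        if process.lower() not in WEBRTC_ALLOWLIST:
            hits.append((process, dst_port, CLASS_NAMES[msg_class], method))
    return hits


# Constructed sample flows: a conferencing client (expected), an application that should
# never need NAT traversal (flagged), and a non-STUN datagram on the STUN port (ignored).
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
SAMPLE_FLOWS = [
    ("teams.exe", 3478, build_stun(BINDING_REQUEST)),
    ("bankapp.exe", 3478, build_stun(BINDING_REQUEST)),
    ("bankapp.exe", 3478, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]

if __name__ == "__main__":
    for process, port, cls, method in flag_stun_flows(SAMPLE_FLOWS):
        print(f"unexpected STUN {cls} (method {method}) from {process} -> udp/{port}")
```

Matching on the header rather than on port 3478 matters here: the writeup notes that the malware hides among WebRTC traffic, and WebRTC endpoints use arbitrary high ports, so a port-based rule would miss most of it while the header check does not.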

Targeted Financial Institutions and Infrastructure

Grandoreiro's primary targets include prominent financial institutions in Portugal, such as Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos, and Santander. The malware's developers have designed their campaigns to exploit vulnerabilities specific to these entities, enhancing their ability to harvest sensitive credentials and financial data.

The campaign also highlights an alarming trend of targeting smaller, regional banks and financial institutions, expanding the attack surface and increasing the potential for financial disruption. This underscores the importance of robust cybersecurity measures tailored to the unique risk profiles of these organizations.

Implications for Cybersecurity Strategies

The Grandoreiro and BTMOB campaigns demonstrate the increasing sophistication of banking malware. Their reliance on techniques such as DLL sideloading and real-time communication protocols underscores the need for proactive threat detection strategies. Organizations must adopt advanced security measures, including behavioral analytics and endpoint protection, to counteract these evolving threats.

Moreover, the integration of real-time communication libraries like sgcWebSockets and the use of protocols such as STUN and ICE highlight the need for enhanced monitoring of encrypted traffic. Security teams should prioritize visibility into these communication channels to identify anomalies indicative of malware activity.