Threat Actors Leveraging VPS Hosting Providers to Deliver Malware & Evade Detection

A sophisticated malware campaign distributing the Grandoreiro banking trojan has been targeting users in Mexico, Argentina, and Spain through elaborate phishing emails impersonating tax agencies.

The attack leverages a multi-stage infection chain that begins with fraudulent government notifications claiming recipients face substantial tax penalties, creating urgency that compels victims to interact with malicious links embedded in these communications.

The campaign employs an intricate infrastructure that utilizes virtual private servers (VPS) hosted on Contabo’s network, demonstrating threat actors’ growing preference for legitimate hosting services to evade detection.


The attackers specifically leverage subdomains under contaboserver.net, such as vmi2500240.contaboserver.net, which are linked to specific virtual machines.

This approach provides attackers with a veneer of legitimacy while enabling them to rapidly shift infrastructure as domains are flagged by security solutions.

When victims click on links in these phishing emails, they are redirected to these geofenced Contabo-hosted URLs that display a fake tax document portal.

The page contains a “Download PDF” button that, when clicked, initiates a chain of redirects ultimately leading to the download of a password-protected ZIP file from Mediafire, a legitimate file-sharing service.

This technique of using multiple legitimate services in the attack chain significantly complicates detection efforts.

Forcepoint researchers identified that these attackers frequently change subdomains under contaboserver.net for each campaign, making it difficult for security solutions to keep pace with blocking efforts.

The researchers noted the attackers’ sophisticated use of geofencing techniques to target specific regions while avoiding security researcher environments.

Infection Mechanism Analysis

The infection process begins when victims extract the password-protected ZIP file (password: 2025) containing a heavily obfuscated Visual Basic Script.

This VBS file contains significant amounts of intentional noise, with periods and other unwanted characters used to obscure its true functionality.

Within the script is an embedded base64-encoded payload segmented into multiple chunks.

Grandoreiro attack chain (Source – Forcepoint)

mdanvtBPzcJrzVhDFrqf5="2bQ5jY+g7j/hPYqSWSISCZAHf/uE2exxvDhADy+eRpbC9mEyEcJc8zRc6xlNkh/CGuWgB7jD7PYH9bWPjEKyVA7b763DFQrtpxW5JsZrI3nauYrOp42x
mdanvtBPzcJrzVhDFrqf3="0hWpMee4AT6Ew/KV012S0knu283snE9ckrkJQMRbZFDU80+hhijt9MSWJxiBkK30R08vNqAJ8nauvhaymiPTFrXP4KT09F4a5xitt1WjV+EJ07A+1cAP

When executed, the script concatenates these fragments and decodes them to extract another ZIP file, which it drops in the Public user directory.
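The reassembly step above can be reproduced offline for triage. The following is an added example, not code from the Forcepoint report or from the dropper: it strips VBS comment filler, groups numbered string assignments by variable prefix, joins them in order, decodes the base64 and checks for the ZIP local-file-header magic. It assumes the trailing digit of each variable name gives the chunk order, and builds its own harmless sample dropper to run against.

```python
# Assumption (not stated in the report): chunk order is the numeric suffix of the variable name.
import base64
import binascii
import io
import re
import zipfile

# name = "value"  where the variable name ends in the chunk index
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*?)(\d+)\s*=\s*"([^"]*)"', re.M)

def strip_noise(script: str) -> str:
    # Drop VBS comment lines (' or Rem), the usual carrier of filler text
    return "\n".join(l for l in script.splitlines() if not re.match(r"^\s*(?:'|Rem\b)", l))

def extract_chunks(script: str) -> dict:
    """Group numbered string assignments by variable prefix."""
    groups = {}
    for prefix, idx, value in ASSIGN_RE.findall(strip_noise(script)):
        groups.setdefault(prefix, []).append((int(idx), value))
    return groups

def reassemble_zip(script: str):
    """Return (prefix, zip_bytes) for the first chunk set that decodes to a ZIP, else None."""
    for prefix, chunks in extract_chunks(script).items():
        blob = "".join(v for _, v in sorted(chunks))
        blob = re.sub(r"[^A-Za-z0-9+/=]", "", blob)  # strip in-string filler characters
        try:
            data = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue
        if data.startswith(b"PK\x03\x04"):  # ZIP local file header magic
            return prefix, data
    return None

def zip_entries(data: bytes) -> list:
    return zipfile.ZipFile(io.BytesIO(data)).namelist()

def build_sample_vbs() -> str:
    """Constructed test input: a harmless ZIP, base64-encoded, split into 3 chunks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("stage2.txt", "placeholder, not a real payload")
    b64 = base64.b64encode(buf.getvalue()).decode()
    n = -(-len(b64) // 3)
    parts = [b64[i:i + n] for i in range(0, len(b64), n)]
    lines = ["' ..........................", 'junk="......"']
    for i, p in reversed(list(enumerate(parts, 1))):  # declared out of order on purpose
        lines += [f'mdanvtBPzcJrzVhDFrqf{i}="{p}"', "' ......"]
    return "\n".join(lines)
```

On a real sample, feed the dropper text to reassemble_zip and hand the returned bytes to your sandbox rather than extracting them on the analysis host.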

This ZIP contains a Delphi-compiled executable disguised with PDF icons that displays a fake Adobe Reader error message when run.

Fake Adobe Reader error message (Source – Forcepoint)

This social engineering tactic convinces users they’re dealing with a legitimate document issue while the malware silently establishes persistence.

The executable, which claims to be from “ByteCore Technologies 706092 Inc.” according to its version information, connects to command-and-control servers over non-standard ports (such as 42195).

The malware specifically targets financial information, scanning for Bitcoin wallet directories and collecting system information through registry queries such as “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions” to determine language settings and machine identifiers.

The Grandoreiro trojan’s multi-layered obfuscation techniques and use of legitimate infrastructure highlight how modern threat actors continue to evolve their tactics to bypass security controls.

Organizations must implement multi-layered defenses that can detect such threats across the attack chain, from initial phishing attempts through to payload execution and command-and-control communications.


Tushar Subhra Dutta
Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.