
Grandoreiro Malware Now Targeting Banks in Spain

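<!doctype html>
<html lang="en-US">
<head>
  <meta charset="UTF-8">
  <link rel="shortcut icon" href="https://securityintelligence.com/wp-content/themes/sapphire/images/favicon.ico" sizes="32x32">
  <!-- maximum-scale=1 removed: it disabled pinch-zoom (WCAG 1.4.4). width/minimum/initial scale are unchanged. -->
  <meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1">
  <!-- DEFINITIONS -->
  <title>Grandoreiro Malware Now Targeting Banks in Spain</title>
  <!-- THEME COLOR -->
  <meta name="theme-color" content="#000000">
  <!-- REFERRER POLICY -->
  <!-- NOTE(review): no-referrer-when-downgrade sends the full page URL as Referer to every HTTPS third party
       loaded below (cdn.ampproject.org, 1.www.s81c.com, unpkg.com). strict-origin-when-cross-origin would limit
       cross-origin referrers to the origin; confirm site analytics does not need the full path before changing it. -->
  <meta name="referrer" content="no-referrer-when-downgrade">
  <!-- LANGUAGE/TRANSLATIONS -->
  <!-- AMP SCRIPTS: the AMP runtime and its extensions are rolled forward on the CDN, so they cannot carry an
       integrity attribute; the trust boundary here is cdn.ampproject.org itself. -->
  <script async src="https://cdn.ampproject.org/v0.js"></script>
  <script async custom-element="amp-list" src="https://cdn.ampproject.org/v0/amp-list-0.1.js"></script>
  <script async custom-template="amp-mustache" src="https://cdn.ampproject.org/v0/amp-mustache-0.2.js"></script>
  <script async custom-element="amp-accordion" src="https://cdn.ampproject.org/v0/amp-accordion-0.1.js"></script>
  <script async custom-element="amp-animation" src="https://cdn.ampproject.org/v0/amp-animation-0.1.js"></script>
  <script async custom-element="amp-position-observer" src="https://cdn.ampproject.org/v0/amp-position-observer-0.1.js"></script>
  <script async custom-element="amp-bind" src="https://cdn.ampproject.org/v0/amp-bind-0.1.js"></script>
  <script async custom-element="amp-autocomplete" src="https://cdn.ampproject.org/v0/amp-autocomplete-0.1.js"></script>
  <script async custom-element="amp-social-share" src="https://cdn.ampproject.org/v0/amp-social-share-0.1.js"></script>
  <!-- NOTE(review): card-section-simple is loaded three times (pinned v1.35.0, floating tag/v1/latest, floating
       tag/v1/next). The floating tags change without a deploy of this site and carry no integrity attribute;
       keeping only the pinned copy removes that exposure — confirm nothing on the page relies on "next". -->
  <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v1.35.0/card-section-simple.min.js"></script>
  <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/latest/card-section-simple.min.js"></script>
  <script type="module"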
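src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/next/card-section-simple.min.js"></script>
  <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v2.11.0/card.min.js"></script>
  <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v2.11.0/image.min.js"></script>
  <script async custom-element="amp-lightbox-gallery" src="https://cdn.ampproject.org/v0/amp-lightbox-gallery-0.1.js"></script>
  <!-- NOTE(review): swiper is fetched from unpkg with no version pin and no integrity attribute, so whatever
       unpkg serves under that path runs with full page privileges. Pin an exact version and add
       integrity="<sha384 of the pinned file>" crossorigin="anonymous", or self-host the bundle. -->
  <script src="https://unpkg.com/swiper/swiper-bundle.min.js"></script>
  <script async custom-element="amp-video" src="https://cdn.ampproject.org/v0/amp-video-0.1.js"></script>
  <script async custom-element="amp-youtube" src="https://cdn.ampproject.org/v0/amp-youtube-0.1.js"></script>
  <!-- NOTE(review): the media queries below overlap — 631px–1200px matches both the 630x330 and the full-size
       entry, and above 1200px the full-size URL is listed twice. The preloaded file is also not the article image
       named in og:image further down; confirm it is rendered above the fold, otherwise these preloads are wasted. -->
  <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Futuristic-technological-advance-of-generative-AI-generating-code.-Trailblazing-300x158.jpeg.webp" media="(max-width: 300px)">
  <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Futuristic-technological-advance-of-generative-AI-generating-code.-Trailblazing-630x330.jpeg.webp" media="(max-width: 1200px) and (min-width: 301px)">
  <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Futuristic-technological-advance-of-generative-AI-generating-code.-Trailblazing.jpeg.webp" media="(max-width: 2400px) and (min-width: 631px)">
  <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Futuristic-technological-advance-of-generative-AI-generating-code.-Trailblazing.jpeg.webp" media="(max-width: 2400px) and (min-width: 1201px)">
  <!-- ANALYTICS -->
  <!-- Inline script: under a strict Content-Security-Policy this block needs a nonce or hash, or should move to
       an external file. It only reads element attributes and hands them to ibmStats; it renders nothing. -->
  <script>
    window._ibmAnalytics = {
      "settings": {
        "name": "SecurityIntelligence",
        "tealiumProfileName": "ibm-subsidiary"
      },
      "digitalData.page.services.google.enabled": true
    };
    window.digitalData = {
      "page": {
        "pageInfo": {
          "effectiveDate": "2020-04-13",
          "publishDate": "2020-04-13",
          "ibm": {
            "siteId": "IBM_" + _ibmAnalytics.settings.name
          }
        },
        "category": {
          "primaryCategory": "PC090"
        }
      }
    };

    // Custom Click Tagging
    // Collect and send clicks not detectable by ida_stats.js.
    //   section     - e_a1, Element Category
    //   feature     - e_a2, Element Name
    //   destination - e_a7, Element Attribute (ibmEvTarget); may be undefined for controls without an href
    // ibmStats is defined by ibm-common.js, which is loaded async after this block. A click that lands
    // before it is available is dropped instead of throwing a ReferenceError from the click handler.
    // The debug console.log that used to echo every tag has been removed.
    function sendClickTag(section, feature, destination) {
      if (typeof ibmStats === 'undefined' || !ibmStats || typeof ibmStats.event !== 'function') {
        return;
      }
      ibmStats.event({
        type: 'ELEMENT',
        primaryCategory: section,
        eventName: feature,
        targetURL: destination
      });
    }

    // Bind a click tag to `el` that fires at most once.
    // Protocol (unchanged from the original handlers): the element is marked listener="true" when bound;
    // the handler tags the click only while that attribute is "true" and then flips it to "false", so
    // repeat clicks on the same element are not re-counted. Elements already marked "true" are skipped
    // so a second pass never attaches a duplicate handler.
    //   withHref - when true, the element's href attribute is sent as the destination
    function bindOneShotTag(el, section, feature, withHref) {
      if (!el || el.getAttribute('listener') === 'true') {
        return;
      }
      el.addEventListener('click', function () {
        if (this.getAttribute('listener') === 'true') {
          sendClickTag(section, feature, withHref ? this.getAttribute('href') : undefined);
          this.setAttribute('listener', 'false');
        }
      }, false);
      el.setAttribute('listener', 'true');
    }

    // Custom Link Event
    // Add a one-shot click tag to every non-button link (a:not(.btn)) inside each element matching `element`.
    // `element` is a CSS selector string. Not called from this block; kept for callers elsewhere on the site.
    function tagAllLinks(element, section, feature) {
      var containers = document.querySelectorAll(element);
      for (var c = 0; c < containers.length; c++) {
        var links = containers[c].querySelectorAll("a:not(.btn)");
        for (var l = 0; l < links.length; l++) {
          bindOneShotTag(links[l], section, feature, true);
        }
      }
    }

    // Registered with addEventListener rather than assigned to window.onload so this handler neither
    // clobbers nor is clobbered by any other load handler on the page.
    window.addEventListener('load', function () {
      // Call to action: links inside the article body. The href is now sent as the destination, matching
      // what tagAllLinks sends for links (the original passed nothing here).
      var ctaLinks = document.querySelectorAll(".single__content a");
      for (var i = 0; i < ctaLinks.length; i++) {
        bindOneShotTag(ctaLinks[i], "BODY", "CALL TO ACTION", true);
      }

      // Read more
      var readButtons = document.querySelectorAll(".continue-reading button");
      for (var r = 0; r < readButtons.length; r++) {
        bindOneShotTag(readButtons[r], "BODY", "READ-MORE", false);
      }

      // LISTICLES tag - arrows. getElementById returns null when absent; bindOneShotTag skips null.
      bindOneShotTag(document.getElementById("prev"), "BODY", "LISTICLE-LEFT-ARROW", false);
      bindOneShotTag(document.getElementById("next"), "BODY", "LISTICLE-RIGHT-ARROW", false);

      // LISTICLES tag - numbers.
      // One counter is shared by all pagination buttons and `total` is the number of buttons; this
      // reproduces the original, where the loop variable was read inside the handler after the loop had
      // finished (so it already equalled the count) and the counter was hoisted out of the loop.
      var pageButtons = document.querySelectorAll(".listicle__pagination__numbers");
      var total = pageButtons.length;
      var currentSlide = 1;
      for (var p = 0; p < pageButtons.length; p++) {
        pageButtons[p].addEventListener('click', function () {
          if (this.getAttribute('listener') === 'true') {
            currentSlide++;
            if (currentSlide <= total) {
              sendClickTag("PAGE CLICK", "LISTICLE-NAVIGATION-SLIDE" + currentSlide);
            } else {
              sendClickTag("PAGE CLICK", "LISTICLE-NAVIGATION-END");
            }
            this.setAttribute('listener', 'false');
          }
        }, false);
        pageButtons[p].setAttribute('listener', 'true');
      }
    });
  </script>
  <script src="https://1.www.s81c.com/common/stats/ibm-common.js" async></script>
  <!-- AMP DEFAULT CSS -->
  <style amp-boilerplate>
    body { -webkit-animation: -amp-start 8s steps(1, end) 0s 1 normal both; -moz-animation: -amp-start 8s steps(1, end) 0s 1 normal both; -ms-animation: -amp-start 8s steps(1, end) 0s 1 normal both; animation: -amp-start 8s steps(1, end) 0s 1 normal both }
    @-webkit-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } }
    @-moz-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } }
    @-ms-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } }
    @-o-keyframes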
-amp-start { from { visibility: hidden } to { visibility: visible } } @keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } </style><noscript> <style amp-boilerplate> body { -webkit-animation: none; -moz-animation: none; -ms-animation: none; animation: none } </style> </noscript> <link rel="stylesheet" href="https://securityintelligence.com/wp-content/themes/sapphire/minifications/modules.css?v=1715191630"> <!-- CUSTOM CSS --> <meta name='robots' content='max-image-preview:large' /> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style> <link rel="alternate" type="application/rss+xml" title="Security Intelligence &raquo; Grandoreiro malware now targeting banks in Spain Comments Feed" href="https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/feed/" /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/securityintelligence.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1"}}; /*! 
This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof 
URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://securityintelligence.com/wp-includes/css/dist/block-library/style.min.css?ver=6.7.1' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! 
This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 
100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) 
!important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: 
var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: 
var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='taxonomy-image-plugin-public-css' href='https://securityintelligence.com/wp-content/plugins/taxonomy-images/css/style.css?ver=0.9.6' type='text/css' media='screen' /> <script type="text/javascript" src="https://securityintelligence.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script type="text/javascript" 
src="https://securityintelligence.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script type="text/javascript" src="https://securityintelligence.com/wp-content/themes/sapphire/app/javascript/si-theme-cookie.js?ver=6.7.1" id="si-cookie-consent-js"></script> <link rel="https://api.w.org/" href="https://securityintelligence.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://securityintelligence.com/wp-json/wp/v2/ibm_internals/417983" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://securityintelligence.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.7.1" /> <link rel='shortlink' href='https://securityintelligence.com/?p=417983' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://securityintelligence.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurityintelligence.com%2Fposts%2Fgrandoreiro-malware-now-targeting-banks-in-spain%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://securityintelligence.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurityintelligence.com%2Fposts%2Fgrandoreiro-malware-now-targeting-banks-in-spain%2F&#038;format=xml" /> <link rel="icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb-80x80.png" sizes="32x32" /> <link rel="icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" /> <meta name="msapplication-TileImage" content="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" /> <style amp-custom>@import url('https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/latest/plex.css');</style><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="stylesheet" 
href="https://securityintelligence.com/wp-content/themes/sapphire/minifications/single.css?v=1734627165"> <!-- YOAST SEO --> <!-- This site is optimized with the Yoast SEO Premium plugin v13.1 - https://yoast.com/wordpress/plugins/seo/ --> <meta name="description" content="A familiar malware threat called Grandoreiro, a remote-overlay banking Trojan that typically affects bank customers in Brazil, has spread to attack banks in Spain."/> <meta name="robots" content="max-snippet:-1, max-image-preview:large, max-video-preview:-1"/> <link rel="canonical" href="https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="Grandoreiro Malware Now Targeting Banks in Spain" /> <meta property="og:description" content="A familiar malware threat called Grandoreiro, a remote-overlay banking Trojan that typically affects bank customers in Brazil, has spread to attack banks in Spain." 
/> <meta property="og:url" content="https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" /> <meta property="og:site_name" content="Security Intelligence" /> <meta property="article:tag" content="Banking" /> <meta property="article:tag" content="Banking Malware" /> <meta property="article:tag" content="Banking Trojan" /> <meta property="article:tag" content="Command-and-Control (C&amp;C)" /> <meta property="article:tag" content="Cybercrime" /> <meta property="article:tag" content="Cybercriminals" /> <meta property="article:tag" content="Google" /> <meta property="article:tag" content="Google Chrome" /> <meta property="article:tag" content="Malware" /> <meta property="article:tag" content="Security Research" /> <meta property="article:tag" content="Trojan" /> <meta property="article:tag" content="X-Force" /> <meta property="article:section" content="X-Force" /> <meta property="fb:app_id" content="3703311399714818" /> <meta property="og:image" content="https://securityintelligence.com/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain.jpg" /> <meta property="og:image:secure_url" content="https://securityintelligence.com/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain.jpg" /> <meta property="og:image:width" content="1200" /> <meta property="og:image:height" content="630" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:description" content="A familiar malware threat called Grandoreiro, a remote-overlay banking Trojan that typically affects bank customers in Brazil, has spread to attack banks in Spain." 
/> <meta name="twitter:title" content="Grandoreiro Malware Now Targeting Banks in Spain" /> <meta name="twitter:image" content="https://securityintelligence.com/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain.jpg" /> <script type='application/ld+json' class='yoast-schema-graph yoast-schema-graph--main'>{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://securityintelligence.com/#website","url":"https://securityintelligence.com/","name":"Security Intelligence","inLanguage":"en-US","description":"Analysis and Insight for Information Security Professionals","potentialAction":{"@type":"SearchAction","target":"https://securityintelligence.com/?s={search_term_string}","query-input":"required name=search_term_string"}},{"@type":"ImageObject","@id":"https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/#primaryimage","inLanguage":"en-US","url":"https://securityintelligence.com/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain.jpg","width":1200,"height":630,"caption":"A woman uses her laptop for online banking."},{"@type":"WebPage","@id":"https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/#webpage","url":"https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/","name":"Grandoreiro Malware Now Targeting Banks in Spain","isPartOf":{"@id":"https://securityintelligence.com/#website"},"inLanguage":"en-US","primaryImageOfPage":{"@id":"https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/#primaryimage"},"datePublished":"2020-04-13T12:55:53+00:00","dateModified":"2025-01-23T21:28:05+00:00","description":"A familiar malware threat called Grandoreiro, a remote-overlay banking Trojan that typically affects bank customers in Brazil, has spread to attack banks in Spain."}]}</script> <!-- / Yoast SEO Premium plugin. 
--> </head> <body class="si_body" > <nav id="navigation" class="navigation navigation--homepage " aria-label="Security Intelligence"> <div class="container"> <div class="row"> <!-- LOGO --> <div class="navigation__brand"> <a href="https://securityintelligence.com" title="Security Intelligence" tabindex="1"> <amp-img width="280" height="31" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/logo-white.svg" alt="Security Intelligence Logo"> <div fallback> <h6>Security Intelligence</h6> </div> </amp-img> </a> </div> <!-- DESKTOP MENU - HOVER --> <div class="navigation__menu" onmouseleave="delete localStorage['megamenu-status']"> <a tabindex="2" id="nav-news" href="/news/" class="navigation__button " data-menu="megamenu__news" onclick="localStorage['megamenu-status'] = 'first-interaction';">News</a> <a tabindex="4" id="nav-topics" href="/category/topics/" class="navigation__button " data-menu="megamenu__topics" onclick="localStorage['megamenu-status'] = 'first-interaction';">Topics</a> <a tabindex="5" id="nav-x-force" href="/x-force/" class="navigation__button " data-menu="megamenu__threat" onclick="localStorage['megamenu-status'] = 'first-interaction';">X-Force</a> <a tabindex="6" id="nav-media" href="/media/" class="navigation__button " data-menu="megamenu__podcast" onclick="localStorage['megamenu-status'] = 'first-interaction';">Podcast</a> <button aria-label="search Button" class="navigation__search" onclick="document.getElementById('search__input').focus()" on="tap:search.toggleClass(class='megamenu__open')" role="link" tabindex="-1" type="button"> <amp-img tabindex="7" width="24" height="24" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/search.svg" alt="Click to open the search bar"></amp-img> </button> </div> <!-- TABLET MENU - TAP/CLICK --> <div id="search-tablet" class="navigation__menu navigation__menu--tablet" tabindex="-1"> <button type="button" class="navigation__button 
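MEGAMENU SCRIPTS --> <script type="text/javascript">
  // Search-box input filter: keeps only ASCII letters, digits and spaces.
  // NOTE(review): this runs in the visitor's browser and is not a security
  // control — the "s" query parameter can be sent without this page, so the
  // server must still escape/parameterize the search term. It also silently
  // drops legitimate characters (hyphens, apostrophes, accented letters).
  function validateInput(inputElement) {
    var allowed = /^[A-Za-z0-9 ]*$/;
    var inputValue = inputElement.value;
    if (!allowed.test(inputValue)) {
      inputElement.value = inputValue.replace(/[^A-Za-z0-9 ]/g, '');
    }
  }

  // Adds (open === true) or removes (open === false) the "amp-open" class on
  // the mega-menu container, the mask and every element in `extra`.
  // Null entries (an unknown data-menu id) are skipped rather than throwing,
  // which previously aborted the handler half-way through its class updates.
  function setMegamenuOpen(open, extra) {
    var targets = [
      document.getElementById("navigation__mega"),
      document.getElementById("megamenu__mask")
    ].concat(extra);
    for (var k = 0; k < targets.length; k++) {
      if (targets[k]) {
        targets[k].classList.toggle('amp-open', open);
      }
    }
  }

  // DESKTOP MENU LINKS - HOVER ACTION. Skipped once a link has been clicked
  // (the markup's onclick sets localStorage['megamenu-status'] to
  // 'first-interaction'; the menu's onmouseleave clears it again).
  // Loop counters are declared with `var`: the original loops assigned an
  // undeclared `i`, leaking a global.
  var desktopLinks = document.querySelectorAll('.navigation__menu .navigation__button');
  for (var i = 0; i < desktopLinks.length; i++) {
    desktopLinks[i].addEventListener('mouseenter', function() {
      if (localStorage['megamenu-status'] !== 'first-interaction') {
        var panel = document.getElementById(this.dataset.menu);
        if (!panel) {
          return; // nothing to open for this trigger
        }
        panel.click(); // fires the panel's AMP "tap" action (show + mask)
        setMegamenuOpen(true, [panel]);
      }
    });
    desktopLinks[i].addEventListener('mouseleave', function() {
      if (localStorage['megamenu-status'] !== 'first-interaction') {
        setMegamenuOpen(false, [document.getElementById(this.dataset.menu)]);
      }
    });
  }

  // TABLET MENU LINKS - CLICK ACTION
  var tabletLinks = document.querySelectorAll('.navigation__menu--tablet .navigation__button');
  for (var j = 0; j < tabletLinks.length; j++) {
    tabletLinks[j].addEventListener('click', function() {
      var panel = document.getElementById(this.dataset.menu);
      if (!panel) {
        return;
      }
      panel.click();
      setMegamenuOpen(true, [panel]);
    });
  }

  // OPENED MEGAMENU - HOVER ACTION: keep the panel, its nav trigger (the
  // panel's data-menu holds the trigger's id) and the mask open while the
  // pointer is over the panel; release all of them when it leaves.
  var panels = document.querySelectorAll('.megamenu');
  for (var m = 0; m < panels.length; m++) {
    panels[m].addEventListener('mouseenter', function() {
      setMegamenuOpen(true, [this, document.getElementById(this.dataset.menu)]);
    });
    panels[m].addEventListener('mouseleave', function() {
      setMegamenuOpen(false, [this, document.getElementById(this.dataset.menu)]);
    });
  }
</script> <!-- MOBILE ICON --> <button type="button" aria-labelledby="search-tablet" class="search__mobile__icon" onclick="document.getElementById('search__input').focus()" on="tap:search.toggleClass(class='megamenu__open')" role="link" tabindex="0"> <amp-img width="18" height="18" layout="fixed" src="https://securityintelligence.com/wp-content/themes/sapphire/images/search.svg" alt="Search"></amp-img> </button> <div class="navigation__mobile-icon" on="tap:navigation__mobile.toggleVisibility, navigation__hamburguer.toggleVisibility, navigation__close.toggleVisibility " role="link" tabindex="0"> <amp-img id="navigation__hamburguer" width="24" height="24" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/hamburguer.svg" alt="Menu"></amp-img> <amp-img id="navigation__close" width="24" height="24" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/close.svg" alt="Close" hidden></amp-img> </div> <!-- MOBILE LIST --> <section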
position=bottom)" class="tap_target "> <div class="scroll-to-top__button"> <amp-img width="12" height="16" layout="fixed" alt="Back-to-top" src="https://securityintelligence.com/wp-content/themes/sapphire/images/scroll-to-top.svg"></amp-img> </div> </button> </div> <!-- SCROLL SHOW/HIDE ANIMATION --> <amp-animation id="showAnim" layout="nodisplay"> <script type="application/json"> { "duration": "200ms", "fill": "both", "iterations": "1", "direction": "alternate", "animations": [{ "selector": "#scrollToTopButton", "keyframes": [{ "opacity": "1", "visibility": "visible" }] }] } </script> </amp-animation> <amp-animation id="hideAnim" layout="nodisplay"> <script type="application/json"> { "duration": "200ms", "fill": "both", "iterations": "1", "direction": "alternate", "animations": [{ "selector": "#scrollToTopButton", "keyframes": [{ "opacity": "0", "visibility": "hidden" }] }] } </script> </amp-animation> </div> <!-- CHECK PAGE POSITION --> <amp-position-observer target="top-viewer" intersection-ratios="0" on="enter:hideAnim.start; exit:showAnim.start" layout="nodisplay"></amp-position-observer> <!-- SCHEMA --> <script id="post-schema" type="application/ld+json"> { "@context": "http://schema.org", "@type": "Article", "headline": "Grandoreiro malware now targeting banks in Spain", "mainEntityOfPage": "https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/", "author": { "@type": "Person", "name": "Dani Abramov" }, "datePublished": "2020-04-13T08:55:53-04:00", "dateModified": "2025-01-23T16:28:05-05:00", "publisher": { "@type": "Organization", "name": "Security Intelligence", "logo":{ "@type": "ImageObject", "url": "https://securityintelligence.com/wp-content/themes/security-intelligence/assets/img/logo.png" } }, "image": [ "https://securityintelligence.com/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain-630x330.jpg" ], "articleBody": "During the past few months, IBM X-Force researchers have noticed 
a familiar malware threat that typically affects bank customers in Brazil has spread to attack banks in Spain. The rise in campaigns prompted us to look into it further. Grandoreiro, a remote-overlay banking Trojan, has migrated to Spain without significant modification, proving that attackers who know the malware from its Brazilian origins are either collaborating with attackers in Spain or have themselves spread the attacks to the region. Remote-overlay Trojans are easy to find and purchase in underground and dark web markets. A recent campaign delivered Grandoreiro using COVID-19-themed videos to trick users into running a concealed executable, infecting their devices with a remote-access tool (RAT) designed to empty their bank accounts. &lt;h2 class=&quot;&quot;&gt;The remote-overlay threat in a nutshell&lt;/h2&gt; The remote-overlay &lt;a href=&quot;https://securityintelligence.com/the-brazilian-malware-landscape-a-dime-a-dozen-and-going-strong/&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;malware trend&lt;/a&gt; is highly prolific across Latin America. While it began trending in Brazil circa 2014, this simple malware attack continues to gain popularity among local cybercriminals and is considered the top financial malware threat in the region. There is a large variety of remote-overlay malware codes active in the wild, each featuring similar code with a modified deployment process and infection mechanism. Users become infected via malspam, phishing pages or malicious attachments. Once installed on a target device, the malware goes into action upon access to a hardcoded list of entities, mostly local banks. Once the user enters the targeted website, the attacker is notified and can take over the device remotely. As the victim accesses their online banking account, the attacker can display full-screen overlay images (hence the name &quot;remote overlay&quot;) designed to appear like they are part of the bank&#039;s website. 
These pages can either block the victim&#039;s access to the site, allowing the attacker to move money after initial authentication, or include additional data fields that the user is prompted to fill out. In the background, the attacker initiates a fraudulent money transfer from the compromised account and leverages the victim&#039;s presence in real time to obtain any required information to complete it. &lt;h2 class=&quot;&quot;&gt;Grandoreiro&#039;s delivery and infection routine&lt;/h2&gt; X-Force researchers who analyzed recent Grandoreiro attacks note the following observations: &lt;ul&gt; &lt;li&gt;The malware is typically spread via malspam campaigns containing a URL that directs recipients to an infection zone.&lt;/li&gt; &lt;li&gt;The first stage of infection is a loader component. Our team located a number of loaders used by Grandoreiro attackers masked as invoice files with a .msi extension and placed into an easily accessible GitHub repository.&lt;/li&gt; &lt;li&gt;The second stage of the infection fetches the Grandoreiro payload via a hardcoded URL within the loader&#039;s code.&lt;/li&gt; &lt;li&gt;Grandoreiro is executed and infects the device.&lt;/li&gt; &lt;/ul&gt; The Grandoreiro executable is initially a standalone dropper without additional modules. After its execution, it writes a run key based on the location where it was executed. &lt;p align=&quot;center&quot;&gt;&lt;img title=&quot;grandoreiro malware analysis&quot; src=&quot;https://securityintelligence.com/wp-content/uploads/2020/04/fig2.jpg&quot; alt=&quot;IBM Trusteer&quot; /&gt;&lt;/p&gt; &lt;p class=&quot;center&quot;&gt;&lt;em&gt;Figure 1: Grandoreiro run key&lt;/em&gt;&lt;/p&gt; Some sample images from Grandoreiro attacks show that it informs victims they need to install a supposed security application. 
&lt;h2 class=&quot;&quot;&gt;Bot-C&amp;C communications&lt;/h2&gt; Grandoreiro&#039;s bot communication with its command-and-control (C&amp;C) server is encrypted and transmitted over the SSL protocol. As an operational security feature on the attacker&#039;s side, the infected device&#039;s system date has to match a recent campaign date in order to successfully connect to the C&amp;C server. This is verified by an algorithm that would otherwise direct the communication to localhost, as shown in the image below. &lt;p class=&quot;center&quot;&gt;&lt;img style=&quot;margin: 8px auto;&quot; title=&quot;ibm trusteer&quot; src=&quot;https://securityintelligence.com/wp-content/uploads/2020/04/fig5-1.png&quot; alt=&quot;Grandoreiro malware analysis&quot; width=&quot;627&quot; height=&quot;232&quot; /&gt;&lt;/p&gt; &lt;p class=&quot;center&quot;&gt;&lt;em&gt;Figure 2: Grandoreiro bot communication pattern via HTTP POST request&lt;/em&gt;&lt;/p&gt; Once there is a match with the communication algorithm, messages will be sent and received through &lt;em&gt;sites.google.com/view/&lt;/em&gt;. This is only part of the URL, and it is hardcoded into the malicious code. To complete the URL path, information on the infected device needs to match the attacker&#039;s communication algorithm, which generates the second part of the path. For example: &lt;p class=&quot;&quot;&gt;&lt;em&gt;&lt;a target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;hxxps://sites.google[.]com/view/brezasq12xwuy&lt;/a&gt;&lt;/em&gt;&lt;/p&gt; Once the connection is established, the malware will likely use it to send notifications to the attacker when a victim accesses a banking site. Machine information, clipboard data and remote-access capabilities are also facilitated via the C&amp;C. &lt;h2 class=&quot;&quot;&gt;Setting up a fake browser extension&lt;/h2&gt; After execution, the sample runs for about six minutes, at which point the machine will abruptly reboot. 
A few minutes after the boot, the malware writes a compressed archive file named &lt;em&gt;ext.zip&lt;/em&gt; from which it will extract additional files, placing them into a directory under &lt;em&gt;C:/%user%/*extension folder*/*&lt;/em&gt;. The extracted files are modified versions of an existing, legitimate Google Chrome browser extension called &lt;a href=&quot;http://www.editthiscookie.com&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;Edit This Cookie&lt;/a&gt;. In the next step, the dropper writes a new Chrome .lnk (Windows shortcut) file, or replaces the original if one already exists. The new Chrome browser shortcut contains a &quot;--load-extension&quot; parameter to load the new extension upon starting the browser. &lt;p align=&quot;center&quot;&gt;&lt;img title=&quot;grandoreiro malware analysis&quot; src=&quot;https://securityintelligence.com/wp-content/uploads/2020/04/fig3-1.png&quot; alt=&quot;IBM Trusteer&quot; width=&quot;270&quot; height=&quot;382&quot; /&gt;&lt;/p&gt; &lt;p class=&quot;center&quot;&gt;&lt;em&gt;Figure 3: Fake browser extension created by Grandoreiro&lt;/em&gt;&lt;/p&gt; Here is an example of a target path from our analysis: &lt;em&gt;&quot;C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe&quot; --load-extension=&quot;%userprofile%\\F162FD4091BD6D9759E60C3&quot;&lt;/em&gt; If Chrome was already open before the infection started unfolding, the malware will force closure of all &lt;em&gt;chrome.exe&lt;/em&gt; threads to kill the process. This will also force the victim to re-open the browser using the newly written .lnk file, which is now loaded with Grandoreiro&#039;s malicious extension. This extension will load on every browser startup using this specific .lnk file. Note that the browser itself is not hooked. 
Executing the browser from any other Chrome shortcut link will start and run it normally without the malicious extension, canceling out the malware&#039;s ability to control what the victim does. Since this malicious extension is trying to pass for a legitimate Chrome plugin, Grandoreiro&#039;s developer named it &quot;Google Plugin&quot; version 1.5.0. Visually, it adds a square button to the browser window instead of the &quot;cookie&quot; button on the original plugin. &lt;p align=&quot;center&quot;&gt;&lt;img title=&quot;grandoreiro malware analysis&quot; src=&quot;https://securityintelligence.com/wp-content/uploads/2020/04/fig4-1.png&quot; alt=&quot;IBM Trusteer&quot; width=&quot;359&quot; height=&quot;433&quot; /&gt;&lt;/p&gt; &lt;p class=&quot;center&quot;&gt;&lt;em&gt;Figure 4: Fake browser extension created by Grandoreiro — fake button&lt;/em&gt;&lt;/p&gt; This extension will also ask the user for various permissions: &lt;ul&gt; &lt;li class=&quot;&quot;&gt;Reading your browsing history&lt;/li&gt; &lt;li class=&quot;&quot;&gt;Displaying notifications&lt;/li&gt; &lt;li class=&quot;&quot;&gt;Modifying data you copy and paste&lt;/li&gt; &lt;/ul&gt; Actual in-code permissions: &lt;ul&gt; &lt;li&gt;&quot;tabs&quot;&lt;/li&gt; &lt;li&gt;&quot;activeTab&quot;&lt;/li&gt; &lt;li&gt;&quot;webNavigation&quot;&lt;/li&gt; &lt;li&gt;&quot;all_urls&quot;&lt;/li&gt; &lt;li&gt;&quot;cookies&quot;&lt;/li&gt; &lt;li&gt;&quot;contextMenus&quot;&lt;/li&gt; &lt;li&gt;&quot;unlimitedStorage&quot;&lt;/li&gt; &lt;li&gt;&quot;notifications&quot;&lt;/li&gt; &lt;li&gt;&quot;storage&quot;&lt;/li&gt; &lt;li&gt;&quot;clipboardWrite&quot;&lt;/li&gt; &lt;li&gt;&quot;browser&quot;&lt;/li&gt; &lt;li&gt;&quot;webRequest&quot;&lt;/li&gt; &lt;li&gt;&quot;webRequestBlocking&quot;&lt;/li&gt; &lt;li&gt;&quot;&lt;all_urls&gt;&quot;&lt;/li&gt; &lt;/ul&gt; After the extension is deployed and installed, the dropper writes three additional files under &lt;em&gt;%appdata%/local/*/&lt;/em&gt;: 
&lt;ul&gt; &lt;li class=&quot;&quot;&gt;EXT.dat&lt;/li&gt; &lt;li class=&quot;&quot;&gt;RB.dat&lt;/li&gt; &lt;li class=&quot;&quot;&gt;EML.dat&lt;/li&gt; &lt;/ul&gt; The malware runs a watchdog on the &lt;em&gt;EXT.dat&lt;/em&gt; file and will re-write it after any removal attempt. Using the modified extension, the attacker can collect user information from cookies. Some of the collected information includes the following fields: &lt;ul&gt; &lt;li&gt;&quot;url&quot;&lt;/li&gt; &lt;li&gt;&quot;tabid&quot;&lt;/li&gt; &lt;li&gt;&quot;PASSANDO PARAMETRO&quot;&lt;/li&gt; &lt;li&gt;&quot;cookie&quot;&lt;/li&gt; &lt;li&gt;&quot;name&quot;&lt;/li&gt; &lt;li&gt;&quot;domain&quot;&lt;/li&gt; &lt;li&gt;&quot;value&quot;&lt;/li&gt; &lt;li&gt;&quot;expired&quot;&lt;/li&gt; &lt;li&gt;&quot;FormData&quot;&lt;/li&gt; &lt;li&gt;&quot;WEBMAIL&quot;&lt;/li&gt; &lt;li&gt;&quot;LoginForm[password]&quot;&lt;/li&gt; &lt;li&gt;&quot;CHECKBOX_TROCA_SENHA&quot;&lt;/li&gt; &lt;li&gt;&quot;ccnumber&quot;&lt;/li&gt; &lt;/ul&gt; We suspect that the malware uses this extension to grab the victim&#039;s cookies and use them from another device to ride the victim&#039;s active session. With this method, the attacker won&#039;t need to continue controlling the victim&#039;s machine. Note that some of the strings in the collected data remain written in Portuguese. Another tidbit that connects Grandoreiro variants to Brazil is the &quot;default_locale&quot; setting within the malicious browser extension code that is set to &quot;pt_BR&quot; (likely meaning Portuguese_Brazil). 
&lt;p align=&quot;center&quot;&gt;&lt;img title=&quot;grandoreiro malware analysis&quot; src=&quot;https://securityintelligence.com/wp-content/uploads/2020/04/pt.png&quot; alt=&quot;IBM Trusteer&quot; /&gt;&lt;/p&gt; &lt;p class=&quot;center&quot;&gt;&lt;em&gt;Figure 5: Grandoreiro — Brazilian origins&lt;/em&gt;&lt;/p&gt; &lt;h2 class=&quot;&quot;&gt;Victim monitoring&lt;/h2&gt; Once active on the infected device, Grandoreiro waits in the background for the victim to take an action that will trigger it, such as browsing to a targeted bank&#039;s website. That&#039;s when the attack would invoke the remote-access feature of the malware and engage with the victim in real time by launching malicious images on their screen to trick them into keeping the session alive and providing information that can help the attacker. The images are premade to look like the targeted bank&#039;s interface, and the attacker can launch them in real time. &lt;h2 class=&quot;&quot;&gt;Grandoreiro: Brazil and Spain code versions closely related&lt;/h2&gt; After discovering Grandoreiro attacks in Spain, our team looked into the code for modifications. We established that the source codes are 80–90 percent identical. It stands to reason that the attackers deploying Grandoreiro in Spain have some tie to those operating it in Brazil. 
&lt;img title=&quot;grandoreiro versions in spain and brazil are 80–90 percent similar&quot; src=&quot;https://securityintelligence.com/wp-content/uploads/2020/04/fig12-1.png&quot; alt=&quot;Grandoreiro versions in Spain and Brazil are 80–90 percent similar&quot; /&gt; &lt;p class=&quot;center&quot;&gt;&lt;em&gt;Figure 6: Grandoreiro versions in Spain and Brazil are 80–90 percent similar&lt;/em&gt;&lt;/p&gt; &lt;h2 class=&quot;&quot;&gt;Simplistic banking malware: If it ain&#039;t broke …&lt;/h2&gt; Banking Trojans are a popular tool among various attackers around the globe who use them to rob the bank accounts of unsuspecting victims by infecting the devices they bank from. In the global arena, sophisticated, modular banking Trojans like TrickBot and IcedID, operated by organized cybercrime gangs, are what we usually find being used against large banks in various countries. But that stands in stark contrast to what we continue to see in the LATAM region and wherever else the language barrier can enable the same cybercriminals to operate, namely Spanish/Portuguese-speaking countries outside of LATAM. Notoriously simplistic malware codes reign supreme in these regions, allowing almost any level of attacker to access and use them against consumers and businesses alike. While relatively simple, its power lies in the attacker&#039;s ability to take over devices and trick the victim in real time within the context of their normal online banking activities. IBM X-Force research continues to monitor these threats and keep our readers up to date on how they evolve. 
To read more from our teams, check out our &lt;a href=&quot;https://securityintelligence.com/category/x-force/&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;Security Intelligence blogs&lt;/a&gt;, and join us on &lt;a href=&quot;https://exchange.xforce.ibmcloud.com/&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;X-Force Exchange&lt;/a&gt; for timely indicators of compromise (IoCs) and threat intel on emerging attacks." } </script> <!-- BREADCRUMB SCHEMA --> <script id="post-schema" type="application/ld+json"> { "@context": "https://schema.org", "@type": "BreadcrumbList", "itemListElement": [ { "@type": "ListItem", "position": 1, "name": "Home", "item": "https://securityintelligence.com/" } ] } </script> <div id="progressbar"> <amp-animation id="progress-animation" layout="nodisplay"> <script type="application/json"> { "duration": "1s", "iterations": "1", "fill": "both", "direction": "alternate", "animations": [{ "selector": "#progressbar", "keyframes": [{ "transform": "translateX(0)" }] }] } </script> </amp-animation> </div> <amp-position-observer target="post__content" intersection-ratios="0" viewport-margins="25vh 75vh" on="scroll:progress-animation.seekTo(percent=event.percent)" layout="nodisplay"></amp-position-observer> <div class="dark_background" style="background:black;"></div> <div class="container grid" style="background:black;"> <!-- Breadcrumbs --> <aside class="breadcrumbs "> <h1 class="breadcrumbs__page_title">Grandoreiro malware now targeting banks in Spain</h1> </aside> </div> <div class="container grid hero_background "> <div class="grid__content post "> <div class="post__thumbnail"> <amp-img alt="A woman uses her laptop for online banking." 
width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain-630x330.jpg.webp" srcset="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain-300x158.jpg.webp 300w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain-630x330.jpg.webp 630w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain.jpg.webp 1200w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain.jpg.webp 2400w"> <amp-img fallback alt="A woman uses her laptop for online banking." width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain-630x330.jpg" srcset="https://securityintelligence.com/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain-300x158.jpg 300w, https://securityintelligence.com/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain-630x330.jpg 630w, https://securityintelligence.com/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain.jpg 1200w, https://securityintelligence.com/wp-content/uploads/2020/04/internal_grandoreiro-malware-now-targeting-banks-in-spain.jpg 2400w"> </amp-img> </amp-img> </div> <div class="new_categoy"> <div class="category-container"> <div class="category"> <div class="theme"> <div class="form-check form-switch"> <div class="link-container"> <a href="#" class="theme-link" id="light-theme-link">Light</a> <a href="#" class="theme-link" id="dark-theme-link">Dark</a> </div> </div> </div> <hr class="separator"> <div class="author_date"> <div 
class="information"> <span class="date">April 13, 2020</span> <span class="author_category">By <a href="https://securityintelligence.com/author/dani-abramov/" >Dani Abramov</a> <span class="author_comma"></span><br> <!--== Co-Authors ==--> <!-- <br /> --> <a href="https://securityintelligence.com/author/limor-kessem/">Limor Kessem</a> <br> </span> <span class="author_category"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 6</span> <span class="rt-label rt-postfix">min read</span></span></span> </div> </div> <hr class="separator"> <div class="title"> <a href="https://securityintelligence.com/category/x-force/"><span class="name_category">X-Force<br> <a href="https://securityintelligence.com/category/x-force/malware-threat/"><span class="name_other_category">Malware<br> </span></a> </div> <div class="social-container" style="visibility: hidden;"> <hr class="separator"> <div class="social"> <!-- Social ICONS --> <a href="https://twitter.com/intent/tweet?text=Grandoreiro malware now targeting banks in Spain&url=https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/twitter.svg" alt="twitter"></amp-img></a> <a href="https://www.linkedin.com/shareArticle?url=https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/linkedin.svg" alt="Linkedin" ></amp-img></a> <a href="https://www.facebook.com/sharer/sharer.php?u=https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" 
layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/facebook.svg" alt="facebook"></amp-img></a> <a href="https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/link.svg" alt="An arrow pointing up"></amp-img></a> </div> </div> </div> <script> window.addEventListener('scroll', function() { var category = document.querySelector('.category'); var scrollPosition = window.scrollY; if (scrollPosition >= 0) { category.classList.add('sticky'); } else { category.classList.remove('sticky'); } }); // Function to set the light theme function setLightTheme(event, toSaveLocalStorage = true) { event.preventDefault(); const body = document.body; body.classList.remove('dark-theme'); // Save the user's theme preference in localStorage if (toSaveLocalStorage && !location.href.includes("/x-force/")) { setSiTheme('light'); } } // Function to set the dark theme function setDarkTheme(event, toSaveLocalStorage = true) { event.preventDefault(); const body = document.body; body.classList.add('dark-theme'); // Save the user's theme preference in localStorage if (toSaveLocalStorage && !location.href.includes("/x-force/")) { setSiTheme('dark'); } } // Add click event listeners to the theme links document.getElementById('light-theme-link').addEventListener('click', (event) => setLightTheme(event)); document.getElementById('dark-theme-link').addEventListener('click', (event) => setDarkTheme(event)); // Check localStorage to set the initial theme preference const themePreference = localStorage.getItem('si-theme-mode'); // Function to simulate a click event function simulateClick(handler, toSaveLocalStorage) { const event = new Event('click'); handler(event, toSaveLocalStorage); } // Apply the correct theme 
based on URL and preference if (location.href.includes("/x-force/")) { simulateClick(setDarkTheme, false); // Apply the dark theme for all x-force posts } else if (themePreference === 'dark') { simulateClick(setDarkTheme, true); // Apply the dark theme based on user preference } else if (themePreference === 'light') { simulateClick(setLightTheme, true); // Apply the light theme based on user preference (default) } else { simulateClick(setLightTheme, true); // Apply the light theme by default } </script> <script> const cookies = JSON.parse(localStorage.getItem("truste.eu.cookie.notice_preferences")); if (cookies && cookies.value === '2:') { document.querySelector('.social-container').style.visibility = 'visible'; } </script> </div> <main class="post__content post__content--continue_reading" id="post__content"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <html><body><p>During the past few months, IBM X-Force researchers have noticed a familiar malware threat that typically affects bank customers in Brazil has spread to attack banks in Spain. The rise in campaigns prompted us to look into it further.</p> <p>Grandoreiro, a remote-overlay banking Trojan, has migrated to Spain without significant modification, proving that attackers who know the malware from its Brazilian origins are either collaborating with attackers in Spain or have themselves spread the attacks to the region. 
Remote-overlay Trojans are easy to find and purchase in underground and dark web markets.</p> <p>A recent campaign delivered Grandoreiro using COVID-19-themed videos to trick users into running a concealed executable, infecting their devices with a remote-access tool (RAT) designed to empty their bank accounts.</p> <h2 class="">The remote-overlay threat in a nutshell</h2> <p>The remote-overlay <a href="https://securityintelligence.com/the-brazilian-malware-landscape-a-dime-a-dozen-and-going-strong/" target="_blank" rel="noopener nofollow" >malware trend</a> is highly prolific across Latin America. While it began trending in Brazil circa 2014, this simple malware attack continues to gain popularity among local cybercriminals and is considered the top financial malware threat in the region.</p> <p>There is a large variety of remote-overlay malware codes active in the wild, each featuring similar code with a modified deployment process and infection mechanism.</p> <p>Users become infected via malspam, phishing pages or malicious attachments. Once installed on a target device, the malware goes into action upon access to a hardcoded list of entities, mostly local banks.</p> <p>Once the user enters the targeted website, the attacker is notified and can take over the device remotely. As the victim accesses their online banking account, the attacker can display full-screen overlay images (hence the name &ldquo;remote overlay&rdquo;) designed to appear like they are part of the bank&rsquo;s website. 
These pages can either block the victim&rsquo;s access to the site, allowing the attacker to move money after initial authentication, or include additional data fields that the user is prompted to fill out.</p> <p>In the background, the attacker initiates a fraudulent money transfer from the compromised account and leverages the victim&rsquo;s presence in real time to obtain any required information to complete it.</p> <h2 class="">Grandoreiro&rsquo;s delivery and infection routine</h2> <p>X-Force researchers who analyzed recent Grandoreiro attacks note the following observations:</p> <ul> <li>The malware is typically spread via malspam campaigns containing a URL that directs recipients to an infection zone.</li> <li>The first stage of infection is a loader component. Our team located a number of loaders used by Grandoreiro attackers masked as invoice files with a .msi extension and placed into an easily accessible GitHub repository.</li> <li>The second stage of the infection fetches the Grandoreiro payload via a hardcoded URL within the loader&rsquo;s code.</li> <li>Grandoreiro is executed and infects the device.</li> </ul> <p>The Grandoreiro executable is initially a standalone dropper without additional modules. After its execution, it writes a run key based on the location where it was executed.</p> <p align="center"><amp-img src="https://securityintelligence.com/wp-content/uploads/2020/04/fig2.jpg" layout="intrinsic" class="" alt="IBM Trusteer" width="418" height="37" lightbox="lightbox"></amp-img></p> <p class="center"><em>Figure 1: Grandoreiro run key</em></p> <p>Some sample images from Grandoreiro attacks show that it informs victims they need to install a supposed security application.</p> <h2 class="">Bot-C&amp;C communications</h2> <p>Grandoreiro&rsquo;s bot communication with its command-and-control (C&amp;C) server is encrypted and transmitted over SSL protocol. 
As an operational security feature on the attacker&rsquo;s side, the infected device&rsquo;s system date has to match a recent campaign date in order to successfully connect to the C&amp;C server. This is verified by an algorithm that would otherwise direct the communication to localhost, as shown in the image below.</p> <p class="center"><amp-img src="https://securityintelligence.com/wp-content/uploads/2020/04/fig5-1.png" layout="intrinsic" class="" alt="Grandoreiro malware analysis" width="627" height="232" lightbox="lightbox"></amp-img></p> <p class="center"><em>Figure 2: Grandoreiro bot communication pattern via HTTP POST request</em></p> <p>Once there is a match with the communication algorithm, communication packets will be sent and information received through <em>sites.google.com/view/</em>. This is only part of the URL, and it is hardcoded into the malicious code. To complete the URL path, information on the infected device needs to match the attacker&rsquo;s communication algorithm, which generates the second part of the path. For example:</p> <p class=""><em><a target="_blank" rel="noopener nofollow" >hxxps://sites.google[.]com/view/brezasq12xwuy</a></em></p> <p>Once the connection is established, the malware will likely use it to send notifications to the attacker when a victim accesses a banking site. Machine information, clipboard data and remote-access capabilities are also facilitated via the C&amp;C.</p> <h2 class="">Setting up a fake browser extension</h2> <p>After execution, the sample runs for about six minutes, at which point the machine will abruptly reboot. 
A few minutes after the boot, the malware writes a compressed archive file named <em>ext.zip</em> from which it will extract additional files, placing them into a directory under <em>C:/%user%/*extension folder*/*</em>.</p> <p>The extracted files are modified versions of an existing, legitimate Google Chrome browser extension called <a href="http://www.editthiscookie.com" target="_blank" rel="noopener nofollow" >Edit This Cookie</a>.</p> <p>In the next step, the dropper writes a new Chrome .lnk (Windows shortcut) file, or replaces the original if one already exists.</p> <p>The new Chrome browser shortcut contains a &ldquo;--load-extension&rdquo; parameter to load the new extension upon starting the browser.</p> <p align="center"><amp-img src="https://securityintelligence.com/wp-content/uploads/2020/04/fig3-1.png" layout="intrinsic" class="" alt="IBM Trusteer" width="270" height="382" lightbox="lightbox"></amp-img></p> <p class="center"><em>Figure 3: Fake browser extension created by Grandoreiro</em></p> <p>Here is an example of a target path from our analysis:</p> <p><em>&ldquo;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe&rdquo; --load-extension=&ldquo;%userprofile%\F162FD4091BD6D9759E60C3&rdquo;</em></p> <p>If Chrome was already open before the infection started unfolding, the malware will force closure of all <em>chrome.exe</em> threads to kill the process. This will also force the victim to re-open the browser using the newly written .lnk file, which is now loaded with Grandoreiro&rsquo;s malicious extension. This extension will load on every browser startup using this specific .lnk file.</p> <p>Note that the browser itself is not hooked. 
Executing the browser from any other Chrome shortcut link will start and run it normally without the malicious extension, canceling out the malware&rsquo;s ability to control what the victim does.</p> <p>Since this malicious extension is trying to pass for a legitimate Chrome plugin, Grandoreiro&rsquo;s developer named it &ldquo;Google Plugin&rdquo; version 1.5.0. Visually, it adds a square button to the browser window instead of the &ldquo;cookie&rdquo; button on the original plugin.</p> <p align="center"><amp-img src="https://securityintelligence.com/wp-content/uploads/2020/04/fig4-1.png" layout="intrinsic" class="" alt="IBM Trusteer" width="359" height="433" lightbox="lightbox"></amp-img></p> <p class="center"><em>Figure 4: Fake browser extension created by Grandoreiro &mdash; fake button</em></p> <p>This extension will also ask the user for various permissions:</p> <ul> <li class="">Reading your browsing history</li> <li class="">Displaying notifications</li> <li class="">Modifying data you copy and paste</li> </ul> <p>Actual in-code permissions:</p> <ul> <li>&ldquo;tabs&rdquo;</li> <li>&ldquo;activeTab&rdquo;</li> <li>&ldquo;webNavigation&rdquo;</li> <li>&ldquo;all_urls&rdquo;</li> <li>&ldquo;cookies&rdquo;</li> <li>&ldquo;contextMenus&rdquo;</li> <li>&ldquo;unlimitedStorage&rdquo;</li> <li>&ldquo;notifications&rdquo;</li> <li>&ldquo;storage&rdquo;</li> <li>&ldquo;clipboardWrite&rdquo;</li> <li>&ldquo;browser&rdquo;</li> <li>&ldquo;webRequest&rdquo;</li> <li>&ldquo;webRequestBlocking&rdquo;</li> <li>&ldquo;&lt;all_urls&gt;&rdquo;</li> </ul> <p>After the extension is deployed and installed, the dropper writes three additional files under <em>%appdata%/local/*/</em>:</p> <ul> <li class="">EXT.dat</li> <li class="">RB.dat</li> <li class="">EML.dat</li> </ul> <p>The malware runs a watchdog on the <em>EXT.dat</em> file and will re-write it after any removal attempt.</p> <p>Using the modified extension, the attacker can collect user information from cookies. 
Some of the collected information includes the following fields:</p> <ul> <li>&ldquo;url&rdquo;</li> <li>&ldquo;tabid&rdquo;</li> <li>&ldquo;PASSANDO PARAMETRO&rdquo;</li> <li>&ldquo;cookie&rdquo;</li> <li>&ldquo;name&rdquo;</li> <li>&ldquo;domain&rdquo;</li> <li>&ldquo;value&rdquo;</li> <li>&ldquo;expired&rdquo;</li> <li>&ldquo;FormData&rdquo;</li> <li>&ldquo;WEBMAIL&rdquo;</li> <li>&ldquo;LoginForm[password]&rdquo;</li> <li>&ldquo;CHECKBOX_TROCA_SENHA&rdquo;</li> <li>&ldquo;ccnumber&rdquo;</li> </ul> <p>We suspect that the malware uses this extension to grab the victim&rsquo;s cookies and use them from another device to ride the victim&rsquo;s active session. With this method, the attacker won&rsquo;t need to continue controlling the victim&rsquo;s machine.</p> <p>Note that some of the strings in the collected data remain written in Portuguese. Another tidbit that connects Grandoreiro variants to Brazil is the &ldquo;default_locale&rdquo; setting within the malicious browser extension code that is set to &ldquo;pt_BR&rdquo; (likely meaning Portuguese_Brazil).</p> <p align="center"><amp-img src="https://securityintelligence.com/wp-content/uploads/2020/04/pt.png" layout="intrinsic" class="" alt="IBM Trusteer" width="396" height="273" lightbox="lightbox"></amp-img></p> <p class="center"><em>Figure 5: Grandoreiro &mdash; Brazilian origins</em></p> <h2 class="">Victim monitoring</h2> <p>Once active on the infected device, Grandoreiro waits in the background for the victim to take an action that will trigger it, such as browsing to a targeted bank&rsquo;s website. 
That&rsquo;s when the attacker would invoke the remote-access feature of the malware and engage with the victim in real time by launching malicious images on their screen to trick them into keeping the session alive and providing information that can help the attacker.</p> <p>The images are premade to look like the targeted bank&rsquo;s interface, and the attacker can launch them in real time.</p> <h2 class="">Grandoreiro: Brazil and Spain code versions closely related</h2> <p>After discovering Grandoreiro attacks in Spain, our team looked into the code for modifications. We established that the source codes are 80&ndash;90 percent identical. It stands to reason that the attackers deploying Grandoreiro in Spain have some tie to those operating it in Brazil.</p> <p><amp-img src="https://securityintelligence.com/wp-content/uploads/2020/04/fig12-1.png" layout="intrinsic" class="" alt="Grandoreiro versions in Spain and Brazil are 80&ndash;90 percent similar" width="1506" height="584" lightbox="lightbox"></amp-img></p> <p class="center"><em>Figure 6: Grandoreiro versions in Spain and Brazil are 80&ndash;90 percent similar</em></p> <h2 class="">Simplistic banking malware: If it ain&rsquo;t broke &hellip;</h2> <p>Banking Trojans are a popular tool among various attackers around the globe who use them to rob the bank accounts of unsuspecting victims by infecting the devices they bank from.</p> <p>In the global arena, sophisticated, modular banking Trojans like TrickBot and IcedID, operated by organized cybercrime gangs, are what we usually find being used against large banks in various countries. 
But that stands in stark contrast to what we continue to see in the LATAM region and wherever else the language barrier can enable the same cybercriminals to operate, namely Spanish/Portuguese-speaking countries outside of LATAM.</p> <p>Notoriously simplistic malware codes reign supreme in these regions, allowing almost any level of attacker to access and use them against consumers and businesses alike. While relatively simple, their power lies in the attacker&rsquo;s ability to take over devices and trick the victim in real time within the context of their normal online banking activities.</p> <p>IBM X-Force research continues to monitor these threats and keep our readers up to date on how they evolve. To read more from our teams, check out our <a href="https://securityintelligence.com/category/x-force/" target="_blank" rel="noopener nofollow" >Security Intelligence blogs</a>, and join us on <a href="https://exchange.xforce.ibmcloud.com/" target="_blank" rel="noopener nofollow" >X-Force Exchange</a> for timely indicators of compromise (IoCs) and threat intel on emerging attacks.</p> </body></html> <div id="nc_pixel"></div><div class="post__tags"> <a href="https://securityintelligence.com/tag/banking/" rel="tag">Banking</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/banking-malware/" rel="tag">Banking Malware</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/banking-trojan/" rel="tag">Banking Trojan</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/command-and-control-cc/" rel="tag">Command-and-Control (C&amp;C)</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/cyber-crime/" rel="tag">Cybercrime</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/cyber-criminals/" rel="tag">Cybercriminals</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/google/" 
rel="tag">Google</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/google-chrome/" rel="tag">Google Chrome</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/malware/" rel="tag">Malware</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/security-research/" rel="tag">Security Research</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/trojan/" rel="tag">Trojan</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/x-force/" rel="tag">X-Force</a></div> <div class="post__author author "> <div class="author__box"> <div class="author__photo" style="background-image: url(https://securityintelligence.com/wp-content/uploads/2020/04/profile.png);"></div> <div class="author__infos"> <div class="author__name"><a href="https://securityintelligence.com/author/dani-abramov/" >Dani Abramov</a></div> <div class="author__role">Threat Researcher, IBM</div> </div> </div> <div class="author__box"> <div class="author__photo" style="background-image: url(https://securityintelligence.com/wp-content/uploads/2022/08/LimorK22-head.png);"></div> <div class="author__infos"> <div class="author__name"><a href="https://securityintelligence.com/author/limor-kessem/">Limor Kessem</a></div> <div class="author__role">Principal Consultant, X-Force Cyber Crisis Management, IBM</div> </div> </div> </div> <!-- CONTINUE READING --> <style type="text/css"> .post__content--continue_reading{ max-height: 725px; overflow:hidden; transition: max-height cubic-bezier(0.9, 0, 1, 1) 2s; } @media (max-width: 768px) { .post__content--continue_reading{ max-height: 1225px; } } </style> <div class="continue_reading_wrapper" id="continue_reading"> <button on="tap: post__content.toggleClass(class=post__content--continue_reading), continue_reading.toggleClass(class=continue_reading_wrapper--clicked)" tabindex="0" role="button">Continue Reading</button> </div> </main> </div> </div> <aside 
class="grid__sidebar post__sidebar "> <div class="mobile_divider"></div> <header class="post__sidebar__header">POPULAR</header> <!-- ARTICLES --> <article class="article article_grid article__mobile--card"> <!-- IMG --> <a class="exclusive_article__category_link" href="https://securityintelligence.com/articles/how-red-teaming-helps-safeguard-the-infrastructure-behind-ai-models/" aria-label="How red teaming helps safeguard the infrastructure behind AI models"> <div class="article__img"> <amp-img alt="A woman in a red shirt sitting at a desk in an office with her back to us working on a laptop" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/In-a-contemporary-office-setting-a-young-businesswoman-is-focused-on-her-laptop-displaying-dedication-and-efficiency-in-her-work-630x330.jpeg.webp"> <amp-img fallback alt="A woman in a red shirt sitting at a desk in an office with her back to us working on a laptop" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2025/02/In-a-contemporary-office-setting-a-young-businesswoman-is-focused-on-her-laptop-displaying-dedication-and-efficiency-in-her-work-630x330.jpeg"> </amp-img> </amp-img> </div> </a> <!-- TXT --> <div class="article__text_container" style="-webkit-box-orient: vertical;"> <!-- CAT --> <a class="article__category_link" href="https://securityintelligence.com/category/topics/artificial-intelligence/" aria-label="https://securityintelligence.com/category/topics/artificial-intelligence/"> Artificial Intelligence </a> <!-- DATE --> <span class="article__date"> February 13, 2025 </span> <!-- TITLE & EXCERPT --> <a href="https://securityintelligence.com/articles/how-red-teaming-helps-safeguard-the-infrastructure-behind-ai-models/" class="article__content_link" aria-label="How red teaming helps safeguard the infrastructure behind AI models"> <h2 class="article__title">How red teaming helps safeguard 
the infrastructure behind AI models</h2> <p class="article__excerpt" style="-webkit-box-orient: vertical;"> <span class="article__read_time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 4</span> <span class="rt-label rt-postfix">min read</span></span> - </span>Artificial intelligence (AI) is now squarely on the frontlines of information security. However, as is often the case when the pace of technological innovation is very rapid, security often ends up being a secondary consideration. This is increasingly evident from&hellip; </p> </a> </div> </article> <article class="article article_grid article__mobile--card"> <!-- IMG --> <a class="exclusive_article__category_link" href="https://securityintelligence.com/articles/hacking-the-mind-why-psychology-matters-to-cybersecurity/" aria-label="Hacking the mind: Why psychology matters to cybersecurity"> <div class="article__img"> <amp-img alt="Hands typing on a laptop next to a window of bright sunny day & a yellow outline of a digital brain image in the foreground" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Double-exposure-of-creative-human-brain-microcircuit-with-hand-typing-on-computer-keyboard-on-background.-Future-technology-and-AI-concept-630x330.jpeg.webp"> <amp-img fallback alt="Hands typing on a laptop next to a window of bright sunny day & a yellow outline of a digital brain image in the foreground" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2025/02/Double-exposure-of-creative-human-brain-microcircuit-with-hand-typing-on-computer-keyboard-on-background.-Future-technology-and-AI-concept-630x330.jpeg"> </amp-img> </amp-img> </div> </a> <!-- TXT --> <div class="article__text_container" style="-webkit-box-orient: vertical;"> <!-- CAT --> <a class="article__category_link" 
href="https://securityintelligence.com/category/topics/security-intelligence-analytics/" aria-label="https://securityintelligence.com/category/topics/security-intelligence-analytics/"> Intelligence &amp; Analytics </a> <!-- DATE --> <span class="article__date"> February 6, 2025 </span> <!-- TITLE & EXCERPT --> <a href="https://securityintelligence.com/articles/hacking-the-mind-why-psychology-matters-to-cybersecurity/" class="article__content_link" aria-label="Hacking the mind: Why psychology matters to cybersecurity"> <h2 class="article__title">Hacking the mind: Why psychology matters to cybersecurity</h2> <p class="article__excerpt" style="-webkit-box-orient: vertical;"> <span class="article__read_time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 4</span> <span class="rt-label rt-postfix">min read</span></span> - </span>In cybersecurity, too often, the emphasis is placed on advanced technology meant to shield digital infrastructure from external threats. Yet, an equally crucial &mdash; and underestimated &mdash; factor lies at the heart of all digital interactions: the human mind. 
Behind&hellip; </p> </a> </div> </article> <article class="article article_grid article__mobile--card"> <!-- IMG --> <a class="exclusive_article__category_link" href="https://securityintelligence.com/articles/4-ways-to-bring-cybersecurity-into-your-community/" aria-label="4 ways to bring cybersecurity into your community"> <div class="article__img"> <amp-img alt="Diverse group of young students sitting at a long table working on computers in a classroom" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/A-group-of-students-working-on-computer-during-a-class-in-college-630x330.jpeg.webp"> <amp-img fallback alt="Diverse group of young students sitting at a long table working on computers in a classroom" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2025/02/A-group-of-students-working-on-computer-during-a-class-in-college-630x330.jpeg"> </amp-img> </amp-img> </div> </a> <!-- TXT --> <div class="article__text_container" style="-webkit-box-orient: vertical;"> <!-- CAT --> <a class="article__category_link" href="https://securityintelligence.com/category/topics/risk-management/" aria-label="https://securityintelligence.com/category/topics/risk-management/"> Risk Management </a> <!-- DATE --> <span class="article__date"> February 14, 2025 </span> <!-- TITLE & EXCERPT --> <a href="https://securityintelligence.com/articles/4-ways-to-bring-cybersecurity-into-your-community/" class="article__content_link" aria-label="4 ways to bring cybersecurity into your community"> <h2 class="article__title">4 ways to bring cybersecurity into your community</h2> <p class="article__excerpt" style="-webkit-box-orient: vertical;"> <span class="article__read_time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 4</span> <span class="rt-label rt-postfix">min read</span></span> - </span>It&rsquo;s easy to 
focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept&hellip; </p> </a> </div> </article> <!-- ADVERTISEMENT --> <div class="billboard_wrapper"> <a href="https://www.ibm.com/reports/data-breach?utm_medium=OSocial&utm_source=Blog&utm_content=RSRWW&utm_id=si-blog-right-rail " aria-label="A SPONSORED flag "> <amp-img layout='responsive' widht='300' height='250' src="https://securityintelligence.com/wp-content/uploads/2024/07/SIB_CODB_rightrail_banners2024-think_600x1200.png" alt="CODB right rail banner with red, blue, &amp; purple lines in a wide circular pattern"> </amp-img> </a> </div> </aside> </div> <script> const kaltura = document.querySelectorAll("[data-widget=\"videoplayer\"]") if (kaltura != null) { kaltura.forEach(function(item){ const kId = item.id + '--' + item.dataset.videoid; document.getElementById(item.id).id = kId; getKalturaVideo(item); }) } </script> <div class="card_container_background "> <section class="container cards"> <h3>More from X-Force</h3> <div class="cards__wrapper"> <article class="article article--card cards__article_grid "> <!-- IMG --> <a class="exclusive_article__category_link" href="https://securityintelligence.com/x-force/smoltalk-rce-in-open-source-agents/"> <div class="article__img"> <amp-img alt="Computer screens displaying code and a robot hand pointing to the screens" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Futuristic-technological-advance-of-generative-AI-generating-code.-Trailblazing-630x330.jpeg.webp"> <amp-img fallback alt="Computer screens displaying code and a robot hand pointing to the screens" width="1200" height="630" layout="responsive" 
src="https://securityintelligence.com/wp-content/uploads/2025/02/Futuristic-technological-advance-of-generative-AI-generating-code.-Trailblazing-630x330.jpeg"> </amp-img> </amp-img> </div> </a> <!-- TXT --> <div class="article__text_container" style="-webkit-box-orient: vertical;"> <!-- CAT AND DATE --> <div class="article__eyebrow"> <span class="article__date"> February 14, 2025 </span> </div> <!-- TITLE & EXCERPT --> <a href="https://securityintelligence.com/x-force/smoltalk-rce-in-open-source-agents/" class="article__content_link"> <div class="article__direction"> <h2 class="article__title"> Smoltalk: RCE in open source agents </h2> <p class="article__excerpt" style="-webkit-box-orient: vertical;"> <span class="article__read_time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 26</span> <span class="rt-label rt-postfix">min read</span></span> - </span>Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. 
Interestingly, smolagents enables agents to reason and act by generating&hellip; </p> </div> </a> </div> </article> <article class="article article--card cards__article_grid "> <!-- IMG --> <a class="exclusive_article__category_link" href="https://securityintelligence.com/x-force/being-a-good-clr-host-modernizing-offensive-net-tradecraft/"> <div class="article__img"> <amp-img alt="The backside of a woman with long red hair sitting at a desk working on a laptop with external monitor" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/01/A-woman-with-long-red-hair-is-sitting-at-a-desk-in-an-office-working-on-a-laptop-next-to-a-monitor-displaying-a-user-interface-630x330.jpeg.webp"> <amp-img fallback alt="The backside of a woman with long red hair sitting at a desk working on a laptop with external monitor" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2025/01/A-woman-with-long-red-hair-is-sitting-at-a-desk-in-an-office-working-on-a-laptop-next-to-a-monitor-displaying-a-user-interface-630x330.jpeg"> </amp-img> </amp-img> </div> </a> <!-- TXT --> <div class="article__text_container" style="-webkit-box-orient: vertical;"> <!-- CAT AND DATE --> <div class="article__eyebrow"> <span class="article__date"> January 17, 2025 </span> </div> <!-- TITLE & EXCERPT --> <a href="https://securityintelligence.com/x-force/being-a-good-clr-host-modernizing-offensive-net-tradecraft/" class="article__content_link"> <div class="article__direction"> <h2 class="article__title"> Being a good CLR host – Modernizing offensive .NET tradecraft </h2> <p class="article__excerpt" style="-webkit-box-orient: vertical;"> <span class="article__read_time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 14</span> <span class="rt-label rt-postfix">min read</span></span> - </span>The modern red team is defined by its 
ability to compromise endpoints and take actions to complete objectives. To achieve the former, many teams implement their own custom command-and-control (C2) or use an open-source option. For the latter, there is a constant stream of post-exploitation tooling being released that takes advantage of various features in Windows, Active Directory and third-party applications. The execution mechanism for this tooling has, for the last several years, relied heavily on executing .NET assemblies in&hellip; </p> </div> </a> </div> </article> <article class="article article--card cards__article_grid "> <!-- IMG --> <a class="exclusive_article__category_link" href="https://securityintelligence.com/x-force/abusing-mlops-platforms-to-compromise-ml-models-enterprise-data-lakes/"> <div class="article__img"> <amp-img alt="A digital graph laying out machine learning with purple & blue circle background" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/01/Businessman-hand-working-with-a-digital-tablet-computer.Machine-learning-technology-diagram-with-artificial-intelligence-AIneural-networkautomationdata-mining-in-VR-screen-630x330.jpeg.webp"> <amp-img fallback alt="A digital graph laying out machine learning with purple & blue circle background" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2025/01/Businessman-hand-working-with-a-digital-tablet-computer.Machine-learning-technology-diagram-with-artificial-intelligence-AIneural-networkautomationdata-mining-in-VR-screen-630x330.jpeg"> </amp-img> </amp-img> </div> </a> <!-- TXT --> <div class="article__text_container" style="-webkit-box-orient: vertical;"> <!-- CAT AND DATE --> <div class="article__eyebrow"> <span class="article__date"> January 6, 2025 </span> </div> <!-- TITLE & EXCERPT --> <a 
href="https://securityintelligence.com/x-force/abusing-mlops-platforms-to-compromise-ml-models-enterprise-data-lakes/" class="article__content_link"> <div class="article__direction"> <h2 class="article__title"> Abusing MLOps platforms to compromise ML models and enterprise data lakes </h2> <p class="article__excerpt" style="-webkit-box-orient: vertical;"> <span class="article__read_time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 15</span> <span class="rt-label rt-postfix">min read</span></span> - </span>For full details on this research, see the X-Force Red whitepaper “Disrupting the Model: Abusing MLOps Platforms to Compromise ML Models and Enterprise Data Lakes”. Machine learning operations (MLOps) platforms are used by enterprises of all sizes to develop, train, deploy and monitor large language models (LLMs) and other foundation models (FMs), as well as the generative AI (gen AI) applications built on top of these models. 
The rush to leverage AI throughout enterprises has meant that security has been often&hellip; </p> </div> </a> </div> </article> </div> </section> </div> <!--SI Newsletters --> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v1.31.0-rc.0/cta-section.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/latest/cta-section.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/next/cta-section.min.js"></script> <div style="background-color: #161616;"> <dds-cta-section data-autoid="dds--cta-section" children-custom-class="" class="container SI_padding"> <dds-cta-block no-border="" data-autoid="dds--cta-block"> <dds-content-block-heading class="copy" role="heading" aria-level="2" data-autoid="dds--content-block__heading" slot="heading"> <h2 >Topic updates</h2> </dds-content-block-heading> <dds-content-block-copy data-autoid="dds--content-block__copy" size="md" slot="copy"> <dds-content-block-paragraph data-autoid="dds--content-block-paragraph" class="copy"> Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research. 
</dds-content-block-paragraph> <div role="list" class="list_newletter"> <dds-button-cta data-autoid="dds-cta" cta-style="button" class="copy" cta-type="local" href="https://www.ibm.com/account/reg/us-en/signup?formid=news-urx-51966" kind="primary" icon-layout="" size=""> Subscribe today </dds-button-cta> </div> </dds-content-block-copy> </dds-cta-block> </dds-cta-section> </div> <dds-footer-container></dds-footer-container> <script> document.addEventListener('DOMContentLoaded', () => { const boxstyle = document.querySelector('.button2'); const removePadding = document.querySelector('dds-cta-section'); if (boxstyle) { const shadowRoot = boxstyle.shadowRoot; const bxContentSsectionDOM = shadowRoot.querySelector('.bx--btn'); if (bxContentSsectionDOM) { bxContentSsectionDOM.style.color = 'white'; bxContentSsectionDOM.style.borderColor = 'white'; bxContentSsectionDOM.addEventListener('mouseover', () => { bxContentSsectionDOM.style.color = 'white'; bxContentSsectionDOM.style.borderColor = 'white'; bxContentSsectionDOM.style.backgroundColor = 'rgba(141, 141, 141, 0.16)'; // }); // when mouse leave the element bxContentSsectionDOM.addEventListener('mouseout', () => { bxContentSsectionDOM.style.color = 'white'; bxContentSsectionDOM.style.borderColor = 'white'; bxContentSsectionDOM.style.backgroundColor = 'transparent'; // Reset background color }); } } if(removePadding){ const shadowRoot = removePadding.shadowRoot; const removespace = shadowRoot.querySelector('.bx--content-section__leading'); if(removespace){ removespace.style.display = 'none'; } } }); document.querySelector("dds-footer-container").size = 'default'; //Uncomment this to add a custom links. 
// document.querySelector("dds-footer-container").adjunctLinks = [{ // 'title': 'IBM Custom Link', // 'link': 'https://ibm.com' // }, // { // 'title': 'IBM Custom Link2', // 'link': 'https://ibm.com' // } // ]; </script> <!--SI close Newsletters--> <div style="background-color: #13171a;"> <div class="container"> <!-- FOOTER --> <section id="footer" class="footer"> <!-- LOGO --> <div class="footer__logo"> <amp-img width="280" height="31" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/logo-white.svg" alt="Security Intelligence"></amp-img> </div> <!-- COPY --> <div class="footer__copy"><p>Analysis and insights from hundreds of the brightest minds in the cybersecurity industry to help you prove compliance, grow business and stop threats.</p> </div> <!-- LINKS --> <div class="footer__list"> <a href="/news/" class="footer__link">Cybersecurity News</a> <a href="/category/topics/" class="footer__link">By Topic</a> <a href="/category/industries/" class="footer__link">By Industry</a> <a href="/series/" class="footer__link">Exclusive Series</a> <a href="/x-force/" class="footer__link">X-Force</a> <a href="/media/" class="footer__link">Podcast</a> <a href="/events/" class="footer__link">Events</a> <a href="/about-us/" class="footer__link">Contact</a> <a href="/about-us/" class="footer__link">About Us</a> </div> <!-- SOCIAL NETWORKS --> <div class="footer__social-networks"> <div class="headline">Follow us on social</div> <a href="http://www.twitter.com/ibmsecurity" aria-label="Twitter" class="footer__icon" style="left:-4px;"> <svg xmlns="http://www.w3.org/2000/svg" width="28" height="28" viewBox="0 0 28 28" fill="#FFFFFF"> <path d="M24 4.557c-.883.392-1.832.656-2.828.775 1.017-.609 1.798-1.574 2.165-2.724-.951.564-2.005.974-3.127 1.195-.897-.957-2.178-1.555-3.594-1.555-3.179 0-5.515 2.966-4.797 6.045-4.091-.205-7.719-2.165-10.148-5.144-1.29 2.213-.669 5.108 1.523 6.574-.806-.026-1.566-.247-2.229-.616-.054 2.281 1.581 4.415 3.949 
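4.89-.693.188-1.452.232-2.224.084.626 1.956 2.444 3.379 4.6 3.419-2.07 1.623-4.678 2.348-7.29 2.04 2.179 1.397 4.768 2.212 7.548 2.212 9.142 0 14.307-7.721 13.995-14.646.962-.695 1.797-1.562 2.457-2.549z" />
</svg>
</a>
<!-- Social icons: each link carries its accessible name via aria-label, so the
     inline SVG is decorative and hidden from assistive technology. Profile
     links use https so the click is not an unencrypted hop before the redirect. -->
<a href="https://www.linkedin.com/company/ibm-security" aria-label="LinkedIn" class="footer__icon" style="justify-self: center;">
  <svg xmlns="http://www.w3.org/2000/svg" width="28" height="28" viewBox="0 0 28 28" fill="#FFFFFF" aria-hidden="true">
    <path d="M4.98 3.5c0 1.381-1.11 2.5-2.48 2.5s-2.48-1.119-2.48-2.5c0-1.38 1.11-2.5 2.48-2.5s2.48 1.12 2.48 2.5zm.02 4.5h-5v16h5v-16zm7.982 0h-4.968v16h4.969v-8.399c0-4.67 6.029-5.052 6.029 0v8.399h4.988v-10.131c0-7.88-8.922-7.593-11.018-3.714v-2.155z" />
  </svg>
</a>
<a href="https://www.youtube.com/@IBMTechnology" aria-label="YouTube" class="footer__icon" style="justify-self: end;">
  <svg xmlns="http://www.w3.org/2000/svg" width="28" height="28" viewBox="0 0 28 28" fill="#FFFFFF" aria-hidden="true">
    <path d="M19.615 3.184c-3.604-.246-11.631-.245-15.23 0-3.897.266-4.356 2.62-4.385 8.816.029 6.185.484 8.549 4.385 8.816 3.6.245 11.626.246 15.23 0 3.897-.266 4.356-2.62 4.385-8.816-.029-6.185-.484-8.549-4.385-8.816zm-10.615 12.816v-8l8 3.993-8 4.007z" />
  </svg>
</a>
</div>
</section>
</div>
</div>
<div style="background-color:black">
  <div class="container">
    <!-- UTILITIES BAR -->
    <section class="utility_bar">
      <!-- LINKS: external IBM pages open in a new tab. rel is a space-separated
           token list, so it must read "noopener noreferrer" (a comma would make
           "noopener," an unrecognised token); together they sever window.opener
           and suppress the Referer header. Query-string ampersands are escaped
           as &amp; so the attribute value is well-formed. -->
      <nav class="utility_bar__links" aria-label="Footer navigation">
        <a href="https://www.ibm.com/?ce=ISM0484&amp;ct=SWG&amp;cmp=IBMSocial&amp;cm=h&amp;cr=Security&amp;ccy=US" target="_blank" rel="noopener noreferrer">© 2025 IBM</a>
        <a href="https://www.ibm.com/contact/?ce=ISM0484&amp;ct=SWG&amp;cmp=IBMSocial&amp;cm=h&amp;cr=Security&amp;ccy=US" target="_blank" rel="noopener noreferrer">Contact</a>
        <a href="https://www.ibm.com/privacy/?ce=ISM0484&amp;ct=SWG&amp;cmp=IBMSocial&amp;cm=h&amp;cr=Security&amp;ccy=US" target="_blank" rel="noopener noreferrer">Privacy</a>
        <!-- NOTE(review): this URL embeds fixed cm_mc_uid / cm_mc_sid tracking
             values; confirm they belong in a static template rather than being
             filled per visitor. -->
        <a href="https://www.ibm.com/legal/?ce=ISM0484&amp;ct=SWG&amp;cmp=IBMSocial&amp;cm=h&amp;cr=Security&amp;ccy=US&amp;cm_mc_uid=03001744655915532865554&amp;cm_mc_sid_50200000=84159441565120380187" target="_blank" rel="noopener noreferrer">Terms of use</a>
        <a href="https://www.ibm.com/accessibility/?ce=ISM0484&amp;ct=SWG&amp;cmp=IBMSocial&amp;cm=h&amp;cr=Security&amp;ccy=US" target="_blank" rel="noopener noreferrer">Accessibility</a>
        <!-- Opens the consent dialog in place and never navigates (the handler
             returns false), so target/rel are dropped as they had no effect.
             NOTE(review): a <button type="button"> is the right element here
             once the utility-bar stylesheet styles it like the adjacent links. -->
        <a href="#" onclick="truste.eu.clickListener();return false;">Cookie Preferences</a>
      </nav>
      <!-- Sponsor credits -->
      <div class="utility_bar__sponsor">
        <a href="https://ibm.com/security?ce=ISM0484&amp;ct=SWG&amp;cmp=IBMSocial&amp;cm=h&amp;cr=Security&amp;ccy=US" target="_blank" data-icon="B" class="icon ibm" rel="noopener noreferrer" style="padding-right:0px">
          <span>Sponsored by
            <svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 31.97 14.06">
              <defs>
                <style> .cls-1 { fill: #fff; } </style>
              </defs>
              <title>si-icon-eightbarfeature</title>
              <path class="cls-1"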
d="M27.17,12.6h4.21v.84H27.17Zm0-1.68h4.21v.84H27.17Zm0-1.68h2.52v.84H27.17Zm0-1.69h2.52V8.4H27.17Zm0-1.68h2.52v.84H27.17Zm-.84-4.2.28-.85h4.77v.85Zm-.56,1.68.29-.84h5.32v.84ZM25.22,5l.28-.84h4.19V5Zm-.56,1.68L25,5.87h2.22l-.27.84Zm0,6.73-.28-.84H25Zm-.55-1.68-.29-.84H25.5l-.28.84Zm-.56-1.68-.27-.84H26l-.27.84ZM23,8.4l-.29-.85h3.9l-.28.85Zm-.57-1.69-.27-.84h2.22l.28.84Zm-2.8,2.53h2.53v.84H19.63Zm0-1.69h2.53V8.4H19.63Zm0-1.68h2.53v.84H19.63Zm0-.84V4.19h4.19l.29.84ZM18,12.6h4.21v.84H18Zm0-1.68h4.21v.84H18Zm0-7.57V2.51h5.32l.28.84Zm0-1.68V.82h4.76l.29.85ZM14.16,9.24H17a2.23,2.23,0,0,1,.07.37,2.49,2.49,0,0,1,0,.47H14.16Zm0-5h2.95a2.38,2.38,0,0,1,0,.46A2.18,2.18,0,0,1,17,5H14.16ZM9.11,9.24h2.52v.84H9.11Zm0-1.69H16a5,5,0,0,1,.4.4,2,2,0,0,1,.32.45H9.11Zm0-1.68h7.57a2,2,0,0,1-.32.45,4.89,4.89,0,0,1-.4.39H9.11Zm0-1.68h2.52V5H9.11ZM7.42,12.6H16a3.09,3.09,0,0,1-1,.62,3.73,3.73,0,0,1-1.32.22H7.42Zm0-1.68H17a2.47,2.47,0,0,1-.15.46,2.24,2.24,0,0,1-.21.38H7.42Zm0-8.41h9.22a1.91,1.91,0,0,1,.21.38,2.47,2.47,0,0,1,.15.46H7.42Zm0-1.69H13.6a3.73,3.73,0,0,1,1.32.23,3.09,3.09,0,0,1,1,.62H7.42Zm-5,8.42H4.9v.84H2.38Zm0-1.69H4.9V8.4H2.38Zm0-1.68H4.9v.84H2.38Zm0-1.68H4.9V5H2.38ZM.69,12.6H6.58v.84H.69Zm0-1.68H6.58v.84H.69Zm0-8.41H6.58v.84H.69ZM.69.82H6.58v.85H.69Z" /> </svg> </span> </a> </div> </section> </div> </div> <script> </script> <!-- FOOTER SCRIPTS --> <script type="text/javascript" id="qppr_frontend_scripts-js-extra"> /* <![CDATA[ */ var qpprFrontData = {"linkData":{"https:\/\/securityintelligence.com\/defining-security-intelligence\/":[0,0,"https:\/\/securityintelligence.com\/defintion-security-intelligence\/#.VS_NwpNnuZA"],"https:\/\/securityintelligence.com\/security-vulnerability-management-its-about-outcomes-not-activity\/":[0,0,""]},"siteURL":"https:\/\/securityintelligence.com","siteURLq":"https:\/\/securityintelligence.com"}; /* ]]> */ </script> <script type="text/javascript" 
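src="https://securityintelligence.com/wp-content/plugins/quick-pagepost-redirect-plugin/js/qppr_frontend_script.min.js?ver=5.2.4" id="qppr_frontend_scripts-js"></script>
<script>
  // Reveal the related-content card and left-align its footer link once the
  // Carbon (c4d-card) web components have upgraded. The 100 ms delay is a
  // timing assumption, not a guarantee: on a page without the block, or before
  // the component has attached its shadow root, the lookups return null, so
  // each one is guarded rather than dereferenced blindly (an unguarded chain
  // throws a TypeError inside the timer and aborts the remaining styling).
  setTimeout(() => {
    const related = document.querySelector(".related_content");
    if (related) {
      related.style.visibility = 'visible';
    }
    const cardFooter = document.querySelector(
      ".related_content.article.article_grid.article__mobile--card.article--IBM_blog > c4d-card > c4d-card-footer"
    );
    const link = cardFooter && cardFooter.shadowRoot
      ? cardFooter.shadowRoot.querySelector("#link")
      : null;
    if (link) {
      link.style.justifyContent = 'flex-start';
    }
  }, 100);
</script>
</body>
</html>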
