Cybersecurity researchers have identified a sophisticated campaign in Brazil distributing the Grandoreiro banking trojan. The operation combines two distinct components: a self-propagating WhatsApp worm that distributes the malware, and a separate Near Field Communication (NFC) relay tool used for direct payment fraud.
The threat actors behind this campaign are targeting users of financial institutions throughout Brazil. The operation demonstrates an evolution in tactics by combining social engineering for malware delivery with hardware-based methods for conducting fraudulent transactions on point-of-sale (POS) systems.
WhatsApp Worm Spreads Grandoreiro Malware
The primary infection vector for the Grandoreiro trojan in this campaign is a worm that spreads through WhatsApp. Victims receive phishing messages containing a malicious link. When a user clicks the link, it initiates the download of a ZIP archive. This archive contains a loader disguised as a legitimate file.
Upon execution by the user, the loader downloads and installs the Grandoreiro banking trojan onto the victim’s system. Grandoreiro is designed to steal financial information by using overlay windows on banking websites to capture credentials, logging keystrokes, and exfiltrating sensitive data to attacker-controlled servers.
NFC Relay Attacks Bypass Proximity Checks
In a parallel tactic, the same threat actor was observed using a specialized tool named RelayNFC to commit payment fraud. This tool enables NFC relay attacks, which circumvent the proximity requirement for contactless card payments. The attack requires two mobile devices: one held by an accomplice near the victim’s physical credit card and another held by the attacker at a payment terminal.
The RelayNFC application relays the communication between the victim’s card and the POS terminal over the internet in real time. This allows the attacker to authorize a fraudulent transaction with the victim’s card without ever having physical possession of it. This method of attack does not require the victim’s phone to be compromised.
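Because the relay forwards each command and response across the internet, every exchange between the terminal and the card takes measurably longer than a card tapped directly on the reader. The following Python snippet is an added illustration of a terminal-side (or acquirer-side) latency check of the kind used to detect relayed taps; it is not code from the article, from the RelayNFC tool, or from any payment vendor. The two traces, the 50 ms bound, and the round-trip figures are constructed assumptions; the command names are standard EMV contactless command labels used only to make the trace readable.

```python
"""
Terminal-side latency check for contactless (NFC) card exchanges.

Added illustration, not code from the article or from any vendor.
A relay over the internet inserts network round trips between the terminal
and the card, so each command/response pair takes noticeably longer than a
card held directly on the reader. A terminal (or acquirer-side analytics)
can flag exchanges whose per-command latency exceeds an expected bound.
The 50 ms threshold and the traces below are constructed assumptions;
real EMV contactless timing limits are kernel-specific and differ.
"""
from dataclasses import dataclass
from statistics import median

# Constructed sample traces: (command name, round-trip time in milliseconds)
# as observed by the terminal for one contactless transaction.
LOCAL_TAP = [
    ("SELECT PPSE", 12.0),
    ("SELECT AID", 10.5),
    ("GET PROCESSING OPTIONS", 18.0),
    ("READ RECORD", 9.0),
    ("GENERATE AC", 22.0),
]

RELAYED_TAP = [
    ("SELECT PPSE", 180.0),
    ("SELECT AID", 165.5),
    ("GET PROCESSING OPTIONS", 240.0),
    ("READ RECORD", 150.0),
    ("GENERATE AC", 310.0),
]

MAX_COMMAND_RTT_MS = 50.0  # assumed upper bound for a card on the reader


@dataclass
class RelayVerdict:
    suspicious: bool        # True if any command exceeded the bound
    slow_commands: list     # names of the commands that exceeded it
    median_rtt_ms: float    # median round trip, for operator context


def assess_exchange(trace, max_rtt_ms=MAX_COMMAND_RTT_MS):
    """Return a RelayVerdict for one transaction trace.

    The transaction is flagged when any single command's round-trip time
    exceeds the bound. The median is reported alongside so an analyst can
    see how far the whole exchange sits from the expected local profile.
    """
    slow = [name for name, rtt in trace if rtt > max_rtt_ms]
    med = median(rtt for _, rtt in trace)
    return RelayVerdict(suspicious=bool(slow), slow_commands=slow, median_rtt_ms=med)


if __name__ == "__main__":
    for label, trace in (("local tap", LOCAL_TAP), ("relayed tap", RELAYED_TAP)):
        verdict = assess_exchange(trace)
        print(f"{label}: suspicious={verdict.suspicious} "
              f"median={verdict.median_rtt_ms} ms slow={verdict.slow_commands}")
```

A per-command bound catches the relay case even when an attacker keeps total transaction time plausible, because every individual round trip still carries the network delay; in practice the bound would be calibrated from the terminal's own measurements of genuine taps rather than fixed at the assumed 50 ms.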
Source: https://thehackernews.com/2023/12/brazil-hit-by-banking-trojan-spread.html