Date: 2025-04-15

In late March 2025, IBM X-Force led an incident response case involving Hive0148, a South American cyber crime group focused on financial theft throughout the region. The incident was part of a series of large campaigns, running between February 19 and March 20, 2025, that delivered the Grandoreiro banking trojan to users in Mexico and Costa Rica. The victim received two phishing emails, one of which led to a ZIP archive hosted on the file sharing service mediafire[.]com. If the victim's geolocation, checked when the URL is clicked, resolves to Mexico or Costa Rica, the victim is quickly redirected to a contaboserver[.]net URL to download the ZIP file. The archive contains a malicious Visual Basic Script (VBS) that, when executed, launches an executable file with a randomly assigned name. The executables themselves could not be recovered from the infected system; however, the X-Force malware team analyzed the malicious VBS to recover the executable, which turned out to be a Grandoreiro Loader.

X-Force tracks distributors delivering the Grandoreiro banking trojan that are known to target entities in Mexico and Brazil, although targets in Spain, Colombia and Costa Rica have also been observed. Grandoreiro is a multi-component banking trojan likely operated as Malware-as-a-Service (MaaS). It features string decryption, a domain generation algorithm (DGA) and the ability to use Microsoft Outlook clients on infected hosts to send further phishing emails. Grandoreiro contains a large, hard-coded list of targeted banking applications that it uses to enumerate victim devices, steal credentials and commit fraud.

X-Force tracks at least three distributors deploying different versions of the Grandoreiro banking trojan: two identified as Hive0148 and Hive0149, and a third still under development. Grandoreiro distributors are grouped by their tactics, techniques and procedures (TTPs), including infection chain attributes such as the loaders and command and control (C2) techniques used, phishing themes, targets and indicators of compromise (IOCs). Phishing campaigns delivering Grandoreiro often use themes related to Tax Administration Services, the Federal Electricity Commission (CFE), electronic billing, national banks, and Federal courts or legal notifications.