Grandoreiro banking trojan and BTMOB Android RAT hit Iberia and Latin America - DLL side-loading, WebRTC P2P, targets Wise and Revolut
WatchGuard and ESET have documented two parallel banking-malware campaigns hitting Windows and Android users across Iberia and Latin America. The Windows campaign delivers Grandoreiro, an actively evolving banking trojan operating since 2016 that targets thousands of institutions across 45 countries. Delivery is by DLL side-loading against four legitimate applications: a Delphi 11-built DLL is dropped under a library file name that the host application loads from its own directory. The malicious DLLs use sgcWebSockets, a commercial Delphi networking component, to run command-and-control over WebRTC peer-to-peer connections negotiated with STUN and ICE, so the traffic resembles web-conferencing sessions rather than classic beaconing. Named targets include Abanca, Banco de Portugal, BBVA PT, Caixa Geral, Santander, plus Revolut and Wise. A companion campaign delivers the BTMOB RAT to Android users in Brazil.
- Check
  - Hunt Windows endpoints for copies of mingwm10.dll, libwebp.dll, libffi-6.dll or libpng15.dll outside the installation directories of the applications that legitimately ship them, in particular under user-writable paths beside an executable. Check compiler markers, not just file names: the genuine libraries under those names are C code, so a Delphi-built DLL carrying one of them is anomalous. Inspect outbound STUN/ICE negotiations and WebRTC peer connections to unexpected peers, especially from processes that are not conferencing clients.
- Affected
  - Banking customers and finance staff in Spain, Portugal and Mexico (Windows/Grandoreiro) and in Brazil (Android/BTMOB). Named targets include Abanca, Santander, Banco de Portugal, Revolut and Wise.
- Fix
  - Apply the WatchGuard and ESET IoCs. Block known C2 peers, keeping in mind that peer-to-peer WebRTC endpoints change, so address-based blocking is a short-lived control and should be paired with egress restrictions on STUN/ICE from hosts with no conferencing need. Train finance staff against phishing links delivering ZIP archives. Deploy mobile threat defense on Android devices used for banking.
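The endpoint hunt in the Check section can be scripted. The following is an added example, not code from the WatchGuard or ESET reports: it walks a directory tree for the four DLL names, parses the PE headers with the standard library only, and flags copies that carry Delphi compiler markers or that sit in a user-writable directory beside an executable. The Delphi markers used (section names .itext and .didata, UTF-16 resource names DVCLAL and PACKAGEINFO) are an assumed heuristic, the user-writable roots are taken from environment variables, and build_pe() constructs minimal sample images so the script runs offline.

```python
"""Hunt helper for the side-loaded DLL names in the Check section (added example)."""
import os
import struct
import sys
import tempfile
from typing import Dict, List, Optional

SIDELOAD_DLL_NAMES = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}
DELPHI_SECTIONS = {".itext", ".didata"}             # assumption: sections the Delphi linker emits
DELPHI_RESOURCE_NAMES = ["DVCLAL", "PACKAGEINFO"]   # assumption: Delphi VCL resource names (UTF-16)
IMAGE_FILE_DLL = 0x2000


def pe_sections(data: bytes) -> Optional[Dict[str, object]]:
    """Parse DOS and COFF headers; return the DLL flag and section names, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    size_opt, characteristics = struct.unpack_from("<HH", data, e_lfanew + 20)
    first = e_lfanew + 24 + size_opt          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = first + i * 40
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"is_dll": bool(characteristics & IMAGE_FILE_DLL), "sections": names}


def delphi_markers(data: bytes, sections: List[str]) -> List[str]:
    """Delphi-specific section names and resource strings present in the image (heuristic)."""
    hits = [s for s in sections if s in DELPHI_SECTIONS]
    hits += [n for n in DELPHI_RESOURCE_NAMES if n.encode("utf-16-le") in data]
    return hits


def assess_dll(path: str, data: bytes, writable_roots: List[str], exe_sibling: bool) -> Dict[str, object]:
    """Produce one hunt finding for a candidate file."""
    reasons: List[str] = []
    info = pe_sections(data)
    if info is None:                          # a non-PE file under this name deserves a look too
        return {"path": path, "reasons": ["not a PE image"], "suspicious": True}
    if not info["is_dll"]:
        reasons.append("IMAGE_FILE_DLL flag not set")
    markers = delphi_markers(data, info["sections"])
    if markers:
        reasons.append("Delphi markers: " + ", ".join(markers))
    norm = os.path.normcase(path)
    in_user_dir = any(norm.startswith(os.path.normcase(r)) for r in writable_roots)
    if in_user_dir and exe_sibling:           # classic side-loading layout: DLL beside the host .exe
        reasons.append("user-writable directory with an .exe beside it")
    return {"path": path, "reasons": reasons, "suspicious": bool(markers) or (in_user_dir and exe_sibling)}


def scan_tree(root: str, writable_roots: List[str]) -> List[Dict[str, object]]:
    """Walk root and assess every file whose name is one of the side-loaded DLLs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exe_sibling = any(f.lower().endswith(".exe") for f in files)
        for f in files:
            if f.lower() in SIDELOAD_DLL_NAMES:
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    findings.append(assess_dll(p, fh.read(), writable_roots, exe_sibling))
    return findings


def build_pe(section_names: List[str], dll: bool = True, extra: bytes = b"") -> bytes:
    """Construct a minimal PE image: sample data for an offline run, not a loadable DLL."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0,
                       IMAGE_FILE_DLL if dll else 0)                  # i386, no optional header
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + extra


if __name__ == "__main__":
    roots = [r for r in (os.environ.get(v, "") for v in ("LOCALAPPDATA", "APPDATA", "TEMP")) if r]
    if len(sys.argv) > 1:                     # real hunt: python hunt.py C:\
        target = sys.argv[1]
    else:                                     # offline demo on constructed samples
        target = tempfile.mkdtemp()
        roots.append(target)
        with open(os.path.join(target, "libwebp.dll"), "wb") as fh:
            fh.write(build_pe([".text", ".itext", ".didata"], extra="DVCLAL".encode("utf-16-le")))
        with open(os.path.join(target, "viewer.exe"), "wb") as fh:
            fh.write(build_pe([".text"], dll=False))
    for finding in scan_tree(target, roots):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['path']}  {'; '.join(finding['reasons'])}")
```

Run it with a drive root as the argument to sweep an endpoint; without arguments it builds the two sample files in a temporary directory and reports the fake libwebp.dll as suspicious. The compiler check is the part that survives renaming: a Delphi image sitting under a C library's file name is the anomaly, whichever directory it lands in.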