Attackers are using a Brazilian hacking tool against Spanish banks

Researchers did not disclose which banks have been affected.

An easy-to-use hacking tool has made its way from Brazil’s criminal underworld to Spain, where it’s being used to try to steal from the customers of major banks, researchers said this week.

The attackers have targeted customers of at least 10 large Spanish banks as part of an ongoing campaign, said Limor Kessem, IBM Security’s executive security advisor. “We have seen this sort of migration in the past, and this one is likely tied to local criminals [in Spain] using malware from counterparts in Brazil.”

The malware, known as Grandoreiro, uses a remote-access feature which overlays images on a victim’s web browser, tricking them into keeping a banking session alive. That gives a hacker the opportunity to steal money from the victim’s account or swipe other account information, Kessem and her colleague, Dani Abramov said in a blog post.

It remains unclear how many Spanish banking customers were targeted. IBM did not disclose which organizations were affected.


The Spanish Banking Association, an industry group whose members include some of Spain’s biggest banks, told CyberScoop it is “aware of the cybercriminal activity in general terms but we have no details nor evidence of concrete cases.”

“What we can ensure is that banks are historically and even more now, fighting cybercrime,” the banking association added. “Of course they have measures in place for that purpose.”

“Remote overlay” trojans like Grandoreiro have been a staple of the Latin American cybercrime scene for years. Apparently sensing an opportunity, an unknown hacker made tweaks to the malware, keeping roughly 85% percent of the source code, to attack Spanish banking customers, IBM said. The researchers believe that attackers familiar with Grandoreiro’s original code either collaborated with criminals in Spain, or carried out the attacks themselves.

Brazil has long been a hotbed for financially-motivated cybercrime. Online forums offer a variety of hacking tools to choose from, and cybercriminal gangs often are split into teams specializing in software development and money laundering, according to threat intelligence company Recorded Future.

In the case of the Grandoreiro, what was once Brazil’s problem has now moved to Spain. The apparent rise in intrusion attempts using the malware comes as Spain continues to grapple with the novel coronavirus, which has killed more than 18,000 people in the country.


Grandoreiro’s operators — like countless other criminals — appear to have adapted their hacking campaigns to the pandemic. Researchers from Slovak anti-virus company ESET in February found phony websites that spread fear about the virus and, potentially, the Grandoreiro malware to users in Brazil, Spain, and Mexico.

UPDATE, 04/15/20, 8:26 a.m. EDT: This story has been updated with a statement from the Spanish Banking Association. 

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts