At a glance.
- Grandoreiro banking Trojan resurfaces following law enforcement disruption.
- Australian prescription processing company hit by ransomware.
- New Linux backdoor targets South Korean organizations.
Grandoreiro banking Trojan resurfaces following law enforcement disruption.
IBM X-Force warns that the Grandoreiro banking Trojan resurfaced in March with several large phishing campaigns targeting more than 1,500 banks in sixty countries. The malware-as-a-service operation was disrupted by law enforcement in January 2024.
The new version of the malware has received significant updates and has expanded its targeting, with a particular focus on Mexico, Argentina, and South Africa. The researchers note, "Although campaigns have traditionally been limited to Latin America, Spain, and Portugal, X-Force observed recent campaigns impersonating Mexico’s Tax Administration Service (SAT), Mexico’s Federal Electricity Commission (CFE), Mexico’s Secretary of Administration and Finance, the Revenue Service of Argentina, and notably the South African Revenue Service (SARS)."
Australian prescription processing company hit by ransomware.
Australian electronic prescription processing company MediSecure has disclosed a data breach affecting "personal and health information of individuals." The country's Minister for Cyber Security Clare O'Neil described the incident as a "large-scale ransomware incident." MediSecure says "early indicators suggest the incident originated from one of our third-party vendors."
The ABC quotes Steve Robson, president of the Australian Medical Association, as saying, "It's not clear exactly what data have either been accessed, stolen, blocked or whatever, and these things can be complex. I think the scale of what's happened is going to take time to fully be revealed....[W]e would anticipate that many doctors and many patients around the country will have data in the database."
New Linux backdoor targets South Korean organizations.
Researchers at Symantec describe a new Linux backdoor developed by the North Korean threat actor Kimsuky (tracked by Symantec as "Springtail"). The malware is targeting entities in South Korea, and is delivered via Trojanized versions of legitimate software packages. Symantec states, "The backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent Springtail campaign that saw the attackers deliver malware via Trojanized software installation packages. Gomir is structurally almost identical to GoBear, with extensive sharing of code between malware variants."