
LATAM Banking Trojans: 20 IOCs for Grandoreiro, Mekotio, and Mispadu

  • Writer: Patrick Duggan
  • Nov 30, 2025
  • 3 min read

TL;DR: We published an OTX pulse with 20 IOCs covering the Grandoreiro, Mekotio, and Mispadu banking trojan families targeting Latin America. Brazil accounts for 70% of LATAM cyberattacks. Mexico is second. Free. No paywall.




The Threat Landscape


Latin America is experiencing a banking trojan epidemic. The numbers are staggering:



• Brazil: 70% of all LATAM cyberattacks originate here

• Grandoreiro: Targets 1,500+ banks across 60 countries

• ESET/Interpol disruption: January 2024 - but Grandoreiro resurgent by March 2024

• Mekotio: Chilean origin, spreads via fake invoices across Spanish-speaking countries

• Mispadu: Specializes in Mexican banking sector


These aren't theoretical threats. They're emptying bank accounts right now.




The Grandoreiro Takedown... and Comeback


January 2024 saw a major international operation:



• ESET and Brazilian Federal Police coordinated arrests

• Five operators identified in Brazil

• Infrastructure temporarily disrupted

• Interpol issued Red Notices


Then the comeback, with Grandoreiro resurgent by March 2024:

• New variants detected within weeks

• Fresh C2 infrastructure deployed

• Updated obfuscation techniques

• Same banking targets, new operators


This is the reality of LATAM banking trojans: The code survives the operators.




The Trojan Families


Grandoreiro

• **Origin:** Brazil
• **Targets:** 1,500+ banks in 60+ countries
• **Delivery:** Fake invoice emails, malicious MSI installers
• **Signature:** AutoIt-based loader (AutoIt3.exe)
• **Behavior:** Overlay attacks, keylogging, clipboard hijacking


Mekotio

• **Origin:** Chile
• **Targets:** Banks in Chile, Mexico, Argentina, Spain
• **Delivery:** Fake tax authority emails (SAT in Mexico, SII in Chile)
• **Signature:** PowerShell-based initial access
• **Behavior:** Browser session hijacking, credential theft


Mispadu

• **Origin:** Mexico (likely)
• **Targets:** Mexican banking sector primarily
• **Delivery:** Fake McDonald's and Burger King promotions (seriously)
• **Signature:** Heavy use of legitimate cloud services for C2
• **Behavior:** Form grabbing, clipboard monitoring




The Pulse


LATAM Banking Trojans - Grandoreiro + Mekotio + Mispadu (Brazil/Mexico/LATAM) - DugganUSA


20 IOCs:



• 5 C2 IP addresses (confirmed active 2024)

• 7 phishing domain patterns (bank-specific)

• 3 file hashes (SHA256 - recent samples)

• Common delivery mechanisms (MSI, AutoIt)




Regional Targeting Patterns


Brazil (Itaú, Bradesco, Banco do Brasil)

**Phishing themes:**

• "Atualização de segurança necessária" (Security update needed)
• "Seu token expirou" (Your token expired)
• "Confirmação de transferência PIX" (PIX transfer confirmation)


Why PIX matters: Brazil's instant payment system (PIX) has 150M+ users. Attackers increasingly target PIX for immediate money movement.


Mexico (Banorte, BBVA Mexico, Santander MX)

**Phishing themes:**

• "Actualización SAT requerida" (SAT update required)
• "Factura electrónica pendiente" (Pending electronic invoice)
• "Verificación de cuenta bancaria" (Bank account verification)


SAT targeting: Mexico's tax authority (SAT) requires electronic invoices. Attackers exploit this mandatory compliance for phishing.


Chile (BancoChile, BancoEstado)

**Phishing themes:**

• "Actualización SII" (Tax authority update)
• "Comprobante de transferencia" (Transfer receipt)




Defense Recommendations


For LATAM banks and financial institutions:


1. Block AutoIt3.exe - Grandoreiro's signature loader
2. Monitor MSI downloads - Primary delivery mechanism
3. Email filtering for .zip + .msi - Common attachment patterns
4. User awareness - Tax authority impersonation is the #1 vector
5. PIX transaction monitoring - Flag unusual patterns
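Recommendations 1 to 4 above, together with the phishing themes listed under Regional Targeting Patterns, translate directly into detection rules. The block below is an added example, not code from the post or from DugganUSA: it runs those rules over a few constructed endpoint, mail and web-proxy events, and the log format, file paths, attachment names and subjects are invented for the example.

```python
# Constructed telemetry (not from the post): one event per line as
# "source|key=value|key=value". Paths, names and subjects are illustrative.
SAMPLE_EVENTS = """\
proc|image=C:\\Users\\ana\\AppData\\Local\\Temp\\AutoIt3.exe|parent=msiexec.exe
proc|image=C:\\Program Files\\Git\\git.exe|parent=explorer.exe
mail|subject=Confirmação de transferência PIX|attach=comprovante.zip
mail|subject=Actualización SAT requerida|attach=factura.msi
mail|subject=Reunión de equipo|attach=agenda.pdf
web|url=https://cdn.example.invalid/boleto.msi|referrer=mail-link
""".splitlines()

# Lure themes the post lists for Brazil, Mexico and Chile, lower-cased for matching
LURE_THEMES = ("atualização de segurança", "seu token expirou", "transferência pix",
               "actualización sat", "factura electrónica", "verificación de cuenta",
               "actualización sii", "comprobante de transferencia")

def parse(line):
    # Split "source|k=v|k=v" into a dict; the first field becomes "source"
    source, *fields = line.split("|")
    event = {"source": source}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def assess(event):
    """Return the names of the post's recommendations that this event trips."""
    hits = []
    if event["source"] == "proc" and event.get("image", "").lower().endswith("autoit3.exe"):
        hits.append("autoit-loader")          # 1: block AutoIt3.exe
    if (event["source"] == "web" and event.get("url", "").lower().endswith(".msi")
            and event.get("referrer") == "mail-link"):
        hits.append("msi-from-email-link")    # 2: monitor MSI downloads
    if event["source"] == "mail":
        exts = {n.rsplit(".", 1)[-1] for n in event.get("attach", "").lower().split(";") if "." in n}
        if exts & {"zip", "msi"}:
            hits.append("risky-attachment")   # 3: filter .zip / .msi attachments
        if any(theme in event.get("subject", "").lower() for theme in LURE_THEMES):
            hits.append("tax-or-bank-lure")   # 4: tax-authority / bank impersonation
    return hits

def triage(lines):
    """Map line index -> fired rules, keeping only events that tripped something."""
    findings = {}
    for index, line in enumerate(lines):
        hits = assess(parse(line))
        if hits:
            findings[index] = hits
    return findings
```

In production the subject match would sit behind language-aware normalisation and the AutoIt rule would also key on the parent process (here msiexec.exe), but the rule boundaries stay the same.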


For end users:


1. Never download MSI files from email links
2. Tax authorities don't email you unsolicited
3. Verify bank communications through official channels
4. Enable MFA on all banking apps




The Cross-Border Challenge


These trojans don't respect borders. A Brazilian-developed trojan targets Mexican banks. A Chilean operation hits Spanish institutions. The same infrastructure serves multiple countries.


This is why sharing IOCs matters. A bank in São Paulo seeing Grandoreiro today means banks in Mexico City should be blocking those C2s tomorrow.
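Consuming a shared feed, such as the STIX feed listed under Resources, is the practical side of that point. The block below is an added example, not the post's or DugganUSA's code: it assumes the feed is a STIX 2.1 JSON bundle of indicator objects with single-comparison patterns, and reads a constructed bundle with placeholder values into per-type blocklists, dropping revoked or expired indicators so stale C2s age out.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle standing in for a feed download; values are
# placeholders (RFC 5737 addresses, reserved TLD, all-zero hash), not pulse data.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '192.0.2.10']",
         "valid_from": "2024-03-01T00:00:00Z", "labels": ["grandoreiro", "c2"]},
        {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'Seguranca-Itau.example']",
         "valid_from": "2024-03-01T00:00:00Z", "labels": ["grandoreiro", "phishing"]},
        {"type": "indicator", "id": "indicator--44444444-4444-4444-8444-444444444444",
         "pattern_type": "stix", "pattern": "[file:hashes.'SHA-256' = '" + "0" * 64 + "']",
         "valid_from": "2024-03-01T00:00:00Z", "labels": ["mekotio"]},
        {"type": "indicator", "id": "indicator--55555555-5555-4555-8555-555555555555",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2023-01-01T00:00:00Z", "valid_until": "2023-06-01T00:00:00Z",
         "labels": ["mispadu", "c2"]},
    ],
})

# Single-comparison STIX patterns only; compound ones (AND/OR/FOLLOWEDBY) are skipped
PATTERN_RE = re.compile(r"\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']+)'\s*\]")

def extract_blocklists(bundle_json, now=None):
    """Turn still-valid STIX indicators into per-type blocklists (sets)."""
    now = now or datetime.now(timezone.utc)
    lists = {"ip": set(), "domain": set(), "sha256": set()}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) < now:
            continue  # expired: stale C2s should age out of the blocklist
        match = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if obj.get("pattern_type", "stix") != "stix" or not match:
            continue
        otype, field, value = match.groups()
        if otype == "ipv4-addr":
            lists["ip"].add(value)
        elif otype == "domain-name":
            lists["domain"].add(value.lower())  # normalise case before matching
        elif otype == "file" and "SHA-256" in field:
            lists["sha256"].add(value.lower())
    return lists
```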




Resources



• [DugganUSA OTX Profile](https://otx.alienvault.com/user/pduggusa) - All pulses

• [STIX Feed](https://analytics.dugganusa.com/api/v1/stix-feed) - Machine-readable

• [ESET Grandoreiro Analysis](https://www.welivesecurity.com/en/eset-research/grandoreiro-banking-trojan/)

• [Interpol Operation](https://www.interpol.int/News-and-Events/News/2024/INTERPOL-led-operation-targets-notorious-cyber-fraud)




*Patrick Duggan is founder of DugganUSA, a Minnesota-based security company. He publishes LATAM threat intel because (a) 650 million people in Latin America deserve free IOCs, (b) the same banking trojan techniques that hit Itaú hit Wells Fargo, and (c) Grandoreiro is fascinating malware that keeps coming back from the dead.*


*Questions? [email protected]*

