Banks beware: IBM Study Shows Grandoreiro Trojan is Back

Notorious banking trojan Grandoreiro is back following an INTERPOL bust, and its updated version has been used to target over 1,500 banks

The infamous Grandoreiro banking trojan that has plagued numerous industries across the Spanish-speaking world has re-emerged after an apparent hiatus - and this time, it's going global.

This comes after an INTERPOL-coordinated operation in January 2024, run with authorities in Brazil and Spain and the companies ESET and Caixa Bank, disrupted a Grandoreiro malware operation, resulting in thirteen search and seizure actions and the arrest of five people in Brazil allegedly behind the banking malware.

Despite this, an IBM X-Force team report suggests Grandoreiro appears to have returned to large-scale operations since March 2024.

Authorities bust a Grandoreiro malware operation - Image: INTERPOL

The new threat

X-Force observed recent campaigns hitting Mexico's Tax Administration Service, the Revenue Service of Argentina, and the South African Revenue Service, with authentic-looking phishing emails seen by IBM.

Grandoreiro has also returned with some new features. The trojan now has enhanced encryption, an overhauled system for generating domains to evade detection, and the ability to co-opt victims' Microsoft Outlook accounts to self-propagate phishing attacks.

This shift in features and focus has experts also believing that Grandoreiro is likely rented to cybercriminals via a Malware-as-a-Service (MaaS) model and is targeting English-speaking countries too.

A recent campaign with the malware has seen it target customer accounts of over 1,500 banks across more than 60 countries spanning Central and South America, Africa, Europe and the Indo-Pacific region, according to researchers at IBM's X-Force cybersecurity team.

IBM X-Force noticed several new features and significant updates in the latest variant of the Grandoreiro banking trojan, making it a more evasive and effective threat.

"The updates made to the malware, in addition to the significant increase in banking applications across several nations, indicate that the Grandoreiro distributors are seeking to conduct campaigns and deliver malware on a global scale," IBM X-Force concluded.

Grandoreiro's gist

Grandoreiro first appeared around 2017, concentrated on stealing banking credentials and funds from victims in Brazil, Spain and Portugal through elaborate phishing schemes and stealthy malware.

"Grandoreiro spreads through phishing emails, malicious attachments, or links leading to fake websites. These emails often impersonate legitimate organisations, such as banks or financial institutions, to trick users into downloading and executing the malware," explained a report by the cybersecurity firm Trend Micro that assisted Interpol's disruption effort.

Once in, the malware tracks keyboard inputs, simulates mouse activity, shares screens, and displays deceptive pop-ups, collecting data such as usernames, operating system information, device runtime and most importantly, bank identifiers.

Grandoreiro is estimated to have caused around $120 million in losses.

New Grandoreiro features
  • Reworked and improved string decryption algorithm using a combination of AES CBC and custom decoder
  • Updates to the domain generation algorithm (DGA), which now uses multiple seeds to separate command and control (C2) communications from operator tasks
  • New mechanism that targets Microsoft Outlook clients, disabling security alerts and using them to send phishing to new targets
  • New persistence mechanism relying on the creation of registry Run keys ('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' and 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run')
  • Expanded list of targeted banking applications, now also including cryptocurrency wallets
  • Expansion of the command set, now including remote control, file upload/download, keylogging, and browser manipulation via JavaScript commands.
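The persistence mechanism in the list above is also the easiest one for a defender to check for. The script below is an added example, not code from the article or from IBM X-Force: it enumerates the two Run keys the report names (HKLM and HKCU) and flags any entry whose executable sits outside the Windows or Program Files trees or does not carry a valid Authenticode signature. The trusted-root allow-list and the signature heuristic are this example's own assumptions, not indicators published for Grandoreiro, so a "REVIEW" line means "look at it", not "infected".

```powershell
# Added example: triage the two autostart Run keys named in the IBM X-Force list.
# Assumptions (not from the report): anything outside these roots, or without a
# valid Authenticode signature, is worth a manual look.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Directories from which autostart entries are normally expected (assumed allow-list).
$trustedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:SystemRoot
) | Where-Object { $_ }

function Get-RunKeyEntries {
    # Yield one object per value under each Run key that exists on this host.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip PowerShell's own provider metadata (PSPath, PSParentPath, ...).
            if ($prop.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
            }
        }
    }
}

function Get-ExecutablePath {
    param([string]$Command)
    # Extract the program from a command line, quoted ("C:\a b\x.exe" /s) or not (C:\x.exe /s).
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

function Test-SuspiciousRunEntry {
    param($Entry)
    $exe = Get-ExecutablePath -Command $Entry.Command
    if (-not $exe) { return $true }                     # empty or unparsable value
    $path = [Environment]::ExpandEnvironmentVariables($exe)

    # Bare names such as rundll32.exe are resolved through PATH before being judged.
    if (-not [IO.Path]::IsPathRooted($path)) {
        $cmd = Get-Command $path -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Source) { $path = $cmd.Source }
    }

    $inTrustedRoot = $false
    foreach ($root in $trustedRoots) {
        if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedRoot = $true }
    }

    # A binary that is missing, unsigned, or signed with an untrusted cert gets flagged too.
    $status = if (Test-Path $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Missing' }
    return (-not $inTrustedRoot) -or ($status -ne 'Valid')
}

Get-RunKeyEntries | ForEach-Object {
    $flag = if (Test-SuspiciousRunEntry $_) { 'REVIEW' } else { 'ok' }
    '{0,-7} {1}  {2} = {3}' -f $flag, $_.Key, $_.Name, $_.Command
}
```

Run it in an elevated PowerShell session so the HKLM hive is readable; on a fleet, the same two functions drop straight into an endpoint query. Legitimate but unsigned vendor updaters will show up as REVIEW, so compare the output against a known-good baseline rather than treating every flagged line as a hit.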

January's multinational takedown saw authorities acknowledge Grandoreiro's escalating threat, but its latest resurgence and reworking show that the malware is alive and stronger than ever.


Cyber Magazine is a BizClik brand​​​​​​​
