Banks beware: IBM Study Shows Grandoreiro Trojan is Back

This shift in features and focus has experts also believing that Grandoreiro is likely rented to cybercriminals via a Malware-as-a-Service model and is targeting English-speaking countries too.
Notorious banking trojan Grandoreiro is back following an INTERPOL bust, and its updated version has been used to target over 1,500 banks

The infamous Grandoreiro banking trojan that has plagued numerous industries across the Spanish-speaking world has re-emerged after an apparent hiatus - and this time, it's going global.

This comes after an INTERPOL joint operation conducted in January 2024 alongside the countries of Brazil and Spain, and companies ESET and Caixa Bank, disrupted a Grandoreiro malware operation - resulting in thirteen search and seizure actions and the arrests of five people in Brazil allegedly behind the banking malware.

Despite this, an IBM X-Force team report suggests Grandoreiro appears to have returned to large-scale operations since March 2024.

Authorities bust a a Grandoreiro malware operation - Image: INTERPOL

The new threat

X-Force observed recent campaigns hitting Mexico's Tax Administration Service, the Revenue Service of Argentina, and the South African Revenue Service, with authentic-looking phishing emails seen by IBM.

Grandoreiro has also returned with some new features. The trojan now has enhanced encryption, an overhauled system for generating domains to evade detection, and the ability to co-opt victims' Microsoft Outlook accounts to self-propagate phishing attacks.

This shift in features and focus has experts also believing that Grandoreiro is likely rented to cybercriminals via a Malware-as-a-Service (MaaS) model and is targeting English-speaking countries too.

A recent campaign with the malware has seen it target customer accounts of over 1,500 banks across more than 60 countries spanning Central and South America, Africa, Europe and the Indo-Pacific region, according to researchers at IBM's X-Force cybersecurity team.

IBM X-Force noticed several new features and significant updates in the latest variant of the Grandoreiro banking trojan, making it a more evasive and effective threat.

"The updates made to the malware, in addition to the significant increase in banking applications across several nations, indicate that the Grandoreiro distributors are seeking to conduct campaigns and deliver malware on a global scale," the IBM X-Force said in conclusion.

Grandoreiro's gist

Grandoreiro first appeared around 2017, concentrated on stealing banking credentials and funds from victims in Brazil, Spain and Portugal through elaborate phishing schemes and stealthy malware.

"Grandoreiro spreads through phishing emails, malicious attachments, or links leading to fake websites. These emails often impersonate legitimate organisations, such as banks or financial institutions, to trick users into downloading and executing the malware," explained a report by the cybersecurity firm Trend Micro that assisted Interpol's disruption effort.

Once in, the malware tracks keyboard inputs, simulates mouse activity, shares screens, and displays deceptive pop-ups, collecting data such as usernames, operating system information, device runtime and most importantly, bank identifiers.

Grandoreiro was estimated to have caused an estimated $120 million in losses.

New Grandoreiro features
  • Reworked and improved string decryption algorithm using a combination of AES CBC and custom decoder
  • Updates on the domain generation algorithm (DGA) which now includes multiple seeds to separate the command and control (C2) communications with operator tasks
  • New mechanism that targets Microsoft Outlook clients, disabling security alerts and using them to send phishing to new targets
  • New persistence mechanism relying on the creation of registry Run keys ('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' and 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run')
  • Expansion of targeting bank applications and inclusion of cryptocurrency wallets
  • Expansion of the command set, now including remote control, file upload/download, keylogging, and browser manipulation via JavaScript commands.

January's multinational takedown saw authorities acknowledge Grandoreiro's escalating threat, but its latest resurgence and reworking highlights the malware is alive and stronger than ever.


Make sure you check out the latest edition of Cyber Magazine and also sign up to our global conference series - Tech & AI LIVE 2024


Cyber Magazine is a BizClik brand​​​​​​​


Featured Articles

Zscaler and NVIDIA Join to Upskill Zero Trust with Gen AI

NVIDIA is joining with Zscaler to help integrate its AI solutions into their Zero Trust Exchange platform and Zscaler ZDX Copilot

Gigamon Sound Alarm on Cloud Security as Unseen Attacks Soar

Gigamon's latest Hybrid Cloud Security Survey shows unseen cyber attacks have increased 20% year on year

Helping APAC Curb the Threat of Cyber Attacks

With cyberattacks continuing to rise across the Asia-Pacific (APAC) region, technology advancements are having to intensify to thwart threat actors

SolarWinds: IT Staff Dubious on Organisation's AI Readiness

Technology & AI

Is Stress a Driving Force Behind the Cyber Skills Shortage?

Operational Security

Rapid7 AI Engine Update Sees Gen AI Supporting SOC With MDR

Technology & AI