Banks beware: IBM Study Shows Grandoreiro Trojan is Back
The infamous Grandoreiro banking trojan that has plagued numerous industries across the Spanish-speaking world has re-emerged after an apparent hiatus - and this time, it's going global.
This comes after an INTERPOL joint operation conducted in January 2024 alongside the countries of Brazil and Spain, and companies ESET and Caixa Bank, disrupted a Grandoreiro malware operation - resulting in thirteen search and seizure actions and the arrests of five people in Brazil allegedly behind the banking malware.
Despite this, an IBM X-Force team report suggests Grandoreiro appears to have returned to large-scale operations since March 2024.
The new threat
X-Force observed recent campaigns hitting Mexico's Tax Administration Service, the Revenue Service of Argentina, and the South African Revenue Service, with authentic-looking phishing emails seen by IBM.
Grandoreiro has also returned with some new features. The trojan now has enhanced encryption, an overhauled system for generating domains to evade detection, and the ability to co-opt victims' Microsoft Outlook accounts to self-propagate phishing attacks.
This shift in features and focus has experts also believing that Grandoreiro is likely rented to cybercriminals via a Malware-as-a-Service (MaaS) model and is targeting English-speaking countries too.
A recent campaign with the malware has seen it target customer accounts of over 1,500 banks across more than 60 countries spanning Central and South America, Africa, Europe and the Indo-Pacific region, according to researchers at IBM's X-Force cybersecurity team.
IBM X-Force noticed several new features and significant updates in the latest variant of the Grandoreiro banking trojan, making it a more evasive and effective threat.
"The updates made to the malware, in addition to the significant increase in banking applications across several nations, indicate that the Grandoreiro distributors are seeking to conduct campaigns and deliver malware on a global scale," the IBM X-Force said in conclusion.
Grandoreiro's gist
Grandoreiro first appeared around 2017, concentrated on stealing banking credentials and funds from victims in Brazil, Spain and Portugal through elaborate phishing schemes and stealthy malware.
"Grandoreiro spreads through phishing emails, malicious attachments, or links leading to fake websites. These emails often impersonate legitimate organisations, such as banks or financial institutions, to trick users into downloading and executing the malware," explained a report by the cybersecurity firm Trend Micro that assisted Interpol's disruption effort.
Once in, the malware tracks keyboard inputs, simulates mouse activity, shares screens, and displays deceptive pop-ups, collecting data such as usernames, operating system information, device runtime and most importantly, bank identifiers.
Grandoreiro was estimated to have caused an estimated $120 million in losses.
- Reworked and improved string decryption algorithm using a combination of AES CBC and custom decoder
- Updates on the domain generation algorithm (DGA) which now includes multiple seeds to separate the command and control (C2) communications with operator tasks
- New mechanism that targets Microsoft Outlook clients, disabling security alerts and using them to send phishing to new targets
- New persistence mechanism relying on the creation of registry Run keys ('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' and 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run')
- Expansion of targeting bank applications and inclusion of cryptocurrency wallets
- Expansion of the command set, now including remote control, file upload/download, keylogging, and browser manipulation via JavaScript commands.
January's multinational takedown saw authorities acknowledge Grandoreiro's escalating threat, but its latest resurgence and reworking highlights the malware is alive and stronger than ever.
******
Make sure you check out the latest edition of Cyber Magazine and also sign up to our global conference series - Tech & AI LIVE 2024
******
Cyber Magazine is a BizClik brand