Introduction
The Grandoreiro banking trojan [4] [6] [7] [11] [12], initially identified in Brazil, has resurfaced with enhanced capabilities, posing a significant threat to global financial institutions. Despite law enforcement efforts [1] [2] [4] [6] [12], the malware continues to evolve, employing sophisticated techniques to evade detection and expand its reach across multiple continents.
Description
New variants of the Grandoreiro banking trojan [4] [6] [11] [12], originally identified in Brazil, have re-emerged with advanced tactics that significantly enhance its evasion of detection and anti-fraud measures. Active since at least 2016 [1] [3], Grandoreiro targets over 1,700 financial institutions and 276 cryptocurrency wallets across 45 countries [5] [7] [9] [10] [11], generating an estimated 3.5 million euros in fraudulent profits in Spain alone [3]. Despite law enforcement efforts leading to the arrest of some key operators in early 2024, the remaining developers continue to expand the malware’s infrastructure. This malware poses a global threat, accounting for approximately 5% of banking trojan attacks in 2024 [7] [10] [11], with around 51,000 recorded incidents in Mexico alone. Recent expansions have been noted in Asia and Africa, particularly in Nigeria [1] [11], Kenya [11], South Africa [11], and Ghana [4] [6] [11].
Operating as a malware-as-a-service (MaaS) [4] [6], Grandoreiro is selectively offered to trusted cybercriminals [4], with various operators developing lighter [1], localized versions specifically targeting banking customers in Mexico [4] [6], Brazil [1] [2] [3] [7], Spain [1] [3], and Argentina [1] [3]. A new light version has been identified that specifically targets around 30 banks in Mexico [5] [9]. Recent updates to Grandoreiro include the implementation of multiple domain generation algorithms (DGAs) for command-and-control communications [4] [6], sophisticated phishing techniques [1], and advanced encryption methods such as AES-256 with ciphertext stealing (CTS) [1]. This novel cryptographic technique complicates detection and analysis efforts, enhancing the malware’s stealth capabilities [5] [7] [9].
The malware’s creators have restricted access to the source code to trusted affiliates, allowing them to launch new campaigns using simplified versions of the original malware [5]. This fragmented approach may extend beyond Mexico [5], indicating a potential trend in the malware’s operation [5]. Grandoreiro employs DLL sideloading, binary padding [1] [3], and anti-debugging techniques to bypass detection, while recent campaigns have introduced CAPTCHA mechanisms to hinder automatic analysis and expanded the list of tools the malware checks for to avoid detection.
Infection methods primarily involve phishing emails and malvertising [3], with recent campaigns utilizing localized tactics [3], such as impersonating Mexican tax communications [3]. The malware gathers host information [4] [6], checks for specific usernames [4] [6], and searches for various anti-malware solutions and banking security software before execution [6] [8]. It monitors user activity across web browsers [6], email clients [6], VPNs [6], and cloud storage applications [6], capturing mouse movements to mimic legitimate user behavior and deceive machine learning-based security systems [1] [5] [9] [10]. The latest version of Grandoreiro features self-updating capabilities [6], keystroke logging [4] [6], and the ability to monitor Outlook emails for specific keywords [6].
Once credentials are compromised [4] [6], threat actors transfer funds to local money mules [6], identified through Telegram channels [4] [6], who are compensated between $200 and $500 per day [6]. Remote access to victim machines is facilitated by a Delphi-based tool named Operator [4] [6], which lists victims when they access targeted financial institution websites [4] [6]. The continuous evolution of Grandoreiro highlights the attackers’ efforts to counter modern security solutions that utilize behavioral biometrics and machine learning [6]. Kaspersky has reported blocking over 150,000 infections impacting more than 30,000 users worldwide [1], underscoring the malware’s significant threat to financial institutions globally. A comprehensive overview of Grandoreiro’s tactics and developments will be presented at the upcoming Security Analyst Summit 2024 [9], further emphasizing its persistent and evolving nature in the financial sector [9].
Conclusion
The Grandoreiro trojan’s persistent evolution and expansion underscore the ongoing threat it poses to global financial systems. Despite arrests [11], the malware’s developers continue to innovate, challenging current security measures. Financial institutions must remain vigilant, adopting advanced security protocols and collaborating internationally to mitigate this threat. The upcoming Security Analyst Summit 2024 will provide further insights into combating such sophisticated cyber threats, highlighting the need for continuous adaptation in cybersecurity strategies.
References
[1] https://securelist.com/grandoreiro-banking-trojan/114257/
[2] https://blog.netmanageit.com/grandoreiro-banking-trojan-overview-of-recent-versions-and-new-tricks/
[3] https://www.hendryadrian.com/grandoreiro-the-ambitious-global-trojan/
[4] https://www.ihash.eu/2024/10/new-grandoreiro-banking-malware-variants-emerge-with-advanced-tactics-to-evade-detection/
[5] https://microstrategy.africabusinesscommunities.com/tech-24/kaspersky-uncovers-new-threat-spreading-into-africa-and-asia/
[6] https://thehackernews.com/2024/10/new-grandoreiro-banking-malware.html
[7] https://digitalterminal.in/trending/kaspersky-discovers-new-variant-of-grandoreiro-targeting-30-mexican-banks
[8] https://thenimblenerd.com/article/grandoreiro-strikes-again-the-never-ending-saga-of-banking-malware-mischief/
[9] https://www.kaspersky.com/about/press-releases/kaspersky-uncovers-new-grandoreiro-light-variant
[10] https://www.techandteen.com/kaspersky-uncovers-new-grandoreiro-light-variant/
[11] https://www.devdiscourse.com/article/business/3132313-kaspersky-unveils-new-grandoreiro-banking-trojan-targeting-mexico-as-global-threat-expands
[12] https://cyber.vumetric.com/security-news/2024/10/23/new-grandoreiro-banking-malware-variants-emerge-with-advanced-tactics-to-evade-detection/