Grandoreiro, the banking trojan that was dismantled in January 2024, has returned with a vengeance. According to a new report from IBM’s cybersecurity arm, X-Force, the trojan has been updated and is now targeting a much broader area.
The large-scale phishing attacks, likely enabled by other cybercriminals through a malware-as-a-service (MaaS) model, target over 1,500 banks worldwide, covering more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific.
Grandoreiro is a modular backdoor with the following capabilities:
- Keylogging
- Auto-updating to newer versions and modules
- Web-Injects and restricting access to specific websites
- Command execution
- Manipulating windows
- Guiding the victim’s browser to a certain URL
- C2 Domain Generation via DGA (Domain Generation Algorithm)
- Imitating mouse and keyboard movements
The latest version includes significant updates to its string decryption and domain generation algorithm (DGA). Additionally, it can utilize Microsoft Outlook clients on infected hosts to propagate further phishing emails.
Traditionally confined to Latin America, Spain, and Portugal, recent Grandoreiro campaigns have expanded to target entities such as Mexico’s Tax Administration Service (SAT), Federal Electricity Commission (CFE), Secretary of Administration and Finance, the Revenue Service of Argentina, and the South African Revenue Service (SARS). This latest campaign shows that operators are extending the malware’s reach globally, beginning with South Africa.
"Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails," security researchers Golo Mühr and Melissa Frydrych said.
The attacks begin with phishing emails that impersonate a government entity and direct recipients to click a link to view an invoice, fee, or account statement, or to make a payment, depending on the lure and the entity being impersonated.
Users who click on the link are redirected to an image of a PDF icon, which ultimately leads to the download of a ZIP archive containing the Grandoreiro loader executable.
The custom loader is artificially inflated to over 100 MB to evade anti-malware scanning software. It also ensures that the compromised host is not in a sandboxed environment, collects basic victim data to send to a command-and-control (C2) server, and downloads and executes the main banking trojan.
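The inflation trick described above works because many scanners skip files above a size limit, but padding leaves a measurable trace: the file is mostly one repeated byte and compresses to almost nothing. The following is an added example, not code from the article or from IBM X-Force, of a triage check that combines a size threshold with a padding ratio and a compression ratio; the sample inputs are constructed blobs standing in for a normal executable and an inflated one, and the 100 MB threshold is taken from the article's description and is an assumption for real deployments.

```python
import os
import zlib
from collections import Counter

# Constructed sample inputs (not real Grandoreiro files): a blob of
# high-entropy data standing in for a normal packed executable, and a
# small payload padded with a megabyte of null bytes standing in for an
# artificially inflated loader.
NORMAL_SAMPLE = os.urandom(64 * 1024)
INFLATED_SAMPLE = os.urandom(16 * 1024) + b"\x00" * (1024 * 1024)

# The article reports loaders inflated to over 100 MB; many scanners skip
# files above a size limit. The default threshold is an assumption.
DEFAULT_MIN_SIZE = 100 * 1024 * 1024


def padding_ratio(data: bytes) -> float:
    """Fraction of the file occupied by its single most frequent byte value.

    Real code and compressed sections spread byte values out; padding with
    one repeated byte (commonly 0x00) pushes this ratio toward 1.0.
    """
    if not data:
        return 0.0
    most_common_count = Counter(data).most_common(1)[0][1]
    return most_common_count / len(data)


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by original size.

    Padding and other low-entropy filler (repeated strings, junk
    resources) compress almost to nothing, so an inflated file scores
    near 0 while a packed or encrypted one scores near 1.
    """
    if not data:
        return 1.0
    return len(zlib.compress(data, 6)) / len(data)


def is_suspiciously_inflated(data: bytes, min_size: int = DEFAULT_MIN_SIZE,
                             max_padding: float = 0.5,
                             max_compression: float = 0.2) -> bool:
    """True when a file is both large and mostly filler.

    Both conditions matter: large installers are common and benign, and a
    small file cannot be exploiting a scanner size limit in the first place.
    """
    if len(data) < min_size:
        return False
    return (padding_ratio(data) > max_padding
            or compression_ratio(data) < max_compression)


def scan_file(path: str, **thresholds) -> dict:
    """Read a file from disk and return its inflation indicators."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "path": path,
        "size": len(data),
        "padding_ratio": round(padding_ratio(data), 3),
        "compression_ratio": round(compression_ratio(data), 3),
        "suspicious": is_suspiciously_inflated(data, **thresholds),
    }


if __name__ == "__main__":
    # Size threshold lowered so the constructed 1 MB sample triggers.
    for name, blob in (("normal", NORMAL_SAMPLE), ("inflated", INFLATED_SAMPLE)):
        print(name, round(padding_ratio(blob), 3),
              round(compression_ratio(blob), 3),
              is_suspiciously_inflated(blob, min_size=1024 * 1024))
```

Use `scan_file()` on quarantined downloads or on files that a scanner reported as skipped for size; the two ratios are cheap to compute and catch null-byte padding as well as padding made of repeated junk, which a plain byte-frequency check alone would miss.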
The revamped Grandoreiro is a modular operation, likely operating as malware-as-a-service, capable of targeting over 1,500 banking applications and websites across more than 60 countries in regions including Central and South America, Africa, Europe, and the Indo-Pacific.
The latest version includes updates to its string decryption and DGA calculation algorithms, enabling the malware to contact at least 12 different command-and-control (C2) domains daily. Additionally, it now has enhanced capabilities to spread more efficiently by harvesting victim data from targeted email clients.
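A malware that contacts a dozen freshly generated domains a day leaves a distinctive footprint in DNS logs: one host resolving a burst of long, high-entropy, vowel-poor names that nobody else on the network queries. The following is an added example, not code from the article or from IBM X-Force, and it does not reproduce Grandoreiro's DGA; it is a defender-side heuristic run over a constructed DNS query log whose line format, thresholds and host addresses are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log (not real telemetry). Assumed line format:
# "<timestamp> <client_ip> <queried_name>". Host 10.0.0.5 resolves three
# random-looking names in quick succession; 10.0.0.7 only ordinary ones.
SAMPLE_DNS_LOG = """\
2024-05-20T08:01:12Z 10.0.0.5 www.example.com
2024-05-20T08:01:13Z 10.0.0.5 mail.example.com
2024-05-20T08:02:40Z 10.0.0.5 qzxkvw8t3ngplr.com
2024-05-20T08:02:41Z 10.0.0.5 mtrdqlp7xxzkjb.net
2024-05-20T08:02:42Z 10.0.0.5 jxwqz9bvtrkpln.org
2024-05-20T08:02:43Z 10.0.0.5 qzxkvw8t3ngplr.com
2024-05-20T08:03:10Z 10.0.0.7 cdn.example.net
2024-05-20T08:03:11Z 10.0.0.7 stackoverflow.com
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Yield (timestamp, client, queried_name) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower().rstrip(".")


def registered_label(qname):
    """Label directly left of the TLD ("example" for www.example.com).

    Simplification: the last label is treated as the public suffix, so
    names under multi-part suffixes such as .co.uk need a suffix list.
    """
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits of entropy per character of the label."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s):
    """Share of vowels; pronounceable words sit well above random strings."""
    return sum(ch in "aeiou" for ch in s) / len(s) if s else 0.0


def looks_dga(label, min_len=10, min_entropy=3.0, max_vowels=0.25):
    """Heuristic: long, high-entropy, vowel-poor labels look machine-made.

    Thresholds are assumptions to be tuned against a baseline of the
    network's own traffic; dictionary-word DGAs pass this check and need
    a different detector.
    """
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowels)


def suspicious_domains_per_client(text):
    """Map each client to the set of distinct DGA-looking domains it queried."""
    per_client = defaultdict(set)
    for _ts, client, qname in parse_dns_log(text):
        if looks_dga(registered_label(qname)):
            per_client[client].add(qname)
    return per_client


def clients_over_threshold(text, min_distinct=3):
    """Clients that touched at least min_distinct distinct DGA-looking domains.

    A single odd name is weak evidence; one host cycling through many new
    machine-looking domains in a day is the pattern worth an alert.
    """
    return sorted(client for client, domains in
                  suspicious_domains_per_client(text).items()
                  if len(domains) >= min_distinct)


if __name__ == "__main__":
    for client, domains in suspicious_domains_per_client(SAMPLE_DNS_LOG).items():
        print(client, sorted(domains))
    print("alert:", clients_over_threshold(SAMPLE_DNS_LOG))
```

Counting distinct flagged domains per client rather than scoring single queries is what makes this usable: a daily rotation through many generated names stands out even when individual labels are borderline, and the same per-client set can be compared across hosts to spot several infected machines that share a seed.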
“There are at least three mechanisms implemented in Grandoreiro to harvest and exfiltrate email addresses, with each using a different DGA seed,” IBM X-Force explained. “By using the local Outlook client for spamming, Grandoreiro can spread through infected victim inboxes via email, which likely contributes to the large amount of spam volume observed from Grandoreiro.”
IBM cautioned that the updates and expanded targeting of banking applications indicate that the individuals behind Grandoreiro aim to enable malicious campaigns on a worldwide scale.
CyberShelter provides innovative, modern cybersecurity products and niche services to individuals and organizations against all kinds of cyber threats.