Grandoreiro banking malware returns after police hiatus

The “Grandoreiro” banking Trojan is spreading as part of a large-scale phishing campaign in more than 60 countries, targeting customer accounts of around 1,500 banks.

In January 2024, an international law enforcement operation involving Brazil, Spain, Interpol, ESET and Caixa Bank announced the disruption of the malware, which had targeted Spanish-speaking countries since 2017 and caused an estimated $120 million in losses.

At the same time, five arrests and thirteen searches and seizures took place across Brazil. However, no information was provided on the role of those arrested in the operation.

IBM now reports that the campaign has expanded beyond Spanish-speaking countries and also targets English speakers.

Map of the locations of Grandoreiro’s latest targets
Source: IBM

Additionally, the Trojan itself underwent a technical overhaul that added many powerful new features and improvements, indicating that its creators escaped arrest and were not deterred by the previous crackdown.

New phishing campaigns

Because the malware is rented out to several threat actors, the phishing lures are diverse and tailored to the organizations each particular cybercriminal targets.

The phishing emails detected by IBM impersonate government entities in Mexico, Argentina and South Africa, primarily tax administration agencies, tax departments and federal electricity commissions.

Emails are written in the recipient’s native language, incorporate official logos and formats, and contain a call to action, such as clicking links to view invoices, account statements, or tax documents.

Phishing email targeting people in South Africa
Source: IBM

When recipients click the links in these emails, they are redirected to an image of a PDF; clicking it triggers the download of a ZIP archive containing a large (100 MB) executable, which is the Grandoreiro loader. A file of that size is likely intended to exceed the scanning limits of mail gateways and sandboxes, so defenders should not rely on attachment or download scanning alone to catch it.

New features of Grandoreiro

IBM X-Force has noticed several important new features and updates in the latest variant of the Grandoreiro banking Trojan, making it a more evasive and effective threat.

These can be summarized as follows:

  • Reworked and improved channel decryption algorithm using a combination of AES-CBC and a custom decoder.
  • Updates to the Domain Generation Algorithm (DGA), which now uses multiple seeds to separate command and control (C2) communications from operator tasks.
  • New mechanism that targets Microsoft Outlook clients, disabling security alerts and using the victim’s client to send phishing emails to new targets.
  • New persistence mechanism based on the creation of registry Run keys (‘HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run’ and ‘HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run’).
  • Expanded targeting of banking applications, now including cryptocurrency wallets.
  • Expanded command set, now including remote control, file upload/download, keystroke logging, and browser manipulation via JavaScript commands.
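The article lists the two Run keys the new persistence mechanism writes but does not show how a defender would catch that write. The following is an added example, not code from IBM, BleepingComputer or the malware authors: it scans Sysmon Event ID 13 records (RegistryEvent, value set), flattened for this example into a hypothetical ‘key=value | key=value’ line format, reports every write to the two Run keys named above, and marks as suspicious any value whose command points into a user-writable directory. The sample events are constructed, not real telemetry, and the field names mirror Sysmon’s (Image, TargetObject, Details).

```python
import re
from dataclasses import dataclass

# The two Run keys named in the article, in the spellings Sysmon actually
# emits: HKLM for the machine hive, and HKU\<SID> (not HKCU) for the user
# hive. The HKEY_* long forms are accepted too in case logs were normalised.
RUN_KEY_RE = re.compile(
    r"^(?P<hive>HKLM|HKEY_LOCAL_MACHINE|HKCU|HKEY_CURRENT_USER|HKU\\S-1-5-21-[\d-]+)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Directories a freshly dropped payload usually lives in. A Run value that
# launches something from here deserves more attention than one pointing at
# Program Files. (Heuristic chosen for this example, not from the article.)
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData|Users\\Public|ProgramData|Temp|Downloads)\\", re.IGNORECASE
)


@dataclass
class Finding:
    image: str        # process that wrote the Run value
    target: str       # full registry path that was written
    data: str         # command that will execute at next logon
    suspicious: bool  # True if the command points into a user-writable directory


def parse_sysmon13(line: str) -> dict:
    """Split one flattened Sysmon event line into a field dictionary.

    Assumed line format (constructed for this example, not Sysmon's XML):
    'EventID=13 | Image=... | TargetObject=... | Details=...'
    """
    fields = {}
    for part in line.split(" | "):
        key, _, val = part.partition("=")
        fields[key.strip()] = val.strip()
    return fields


def find_run_key_persistence(lines):
    """Return a Finding for every Event ID 13 that sets a value under a Run key."""
    findings = []
    for line in lines:
        ev = parse_sysmon13(line)
        if ev.get("EventID") != "13":
            continue
        if not RUN_KEY_RE.match(ev.get("TargetObject", "")):
            continue
        data = ev.get("Details", "")
        findings.append(Finding(
            image=ev.get("Image", ""),
            target=ev["TargetObject"],
            data=data,
            suspicious=bool(USER_WRITABLE_RE.search(data)),
        ))
    return findings


# Constructed sample events (not real telemetry): a benign per-user Run value
# written by an installer, an HKLM Run value written by a dropper running from
# %TEMP%, an unrelated registry write, and a RunOnce write that the article's
# list does not cover and that this rule therefore leaves alone on purpose.
SAMPLE_LOG = [
    "EventID=13 | Image=C:\\Program Files\\Vendor\\setup.exe | "
    "TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray | "
    "Details=\"C:\\Program Files\\Vendor\\tray.exe\"",
    "EventID=13 | Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe | "
    "TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate | "
    "Details=C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe",
    "EventID=13 | Image=C:\\Windows\\explorer.exe | "
    "TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop | "
    "Details=C:\\Users\\alice\\Desktop",
    "EventID=13 | Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe | "
    "TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\x | "
    "Details=C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe",
]

if __name__ == "__main__":
    for f in find_run_key_persistence(SAMPLE_LOG):
        label = "SUSPICIOUS" if f.suspicious else "review"
        print(f"[{label}] {f.image} wrote {f.target} -> {f.data}")
```

Two caveats a practitioner will want: Sysmon logs the per-user hive as HKU\<SID>, so a rule that matches the literal string HKEY_CURRENT_USER from the article will never fire on real telemetry; and the rule is deliberately limited to the two keys the article names, so RunOnce, the Winlogon shell values, scheduled tasks and the Startup folder all need their own coverage.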

Another notable new feature is Grandoreiro’s ability to perform detailed victim profiling and decide whether or not it will run on-device, giving operators greater control over their targeting scope.

IBM analysts report that the latest version of the Trojan refuses to execute in some countries, such as Russia, Czechia, the Netherlands and Poland, as well as on Windows 7 machines in the United States where no antivirus software is active.

The above makes it clear that despite the recent police action, Grandoreiro is very much alive and, unfortunately, appears stronger than ever.

Update: This article incorrectly stated that the malware was intended for Android.

News Source : www.bleepingcomputer.com