Grandoreiro Banking Trojan Reappears After January Takedown
New Campaign Targets Over 1,500 Banks Worldwide
Despite a law enforcement takedown in January, researchers have identified new phishing campaigns spreading the Grandoreiro banking Trojan, indicating its return as a malware-as-a-service tool with reworked string encryption and an updated domain generation algorithm, according to IBM X-Force researchers.
IBM X-Force found that since March 2024, the Grandoreiro banking Trojan has resurfaced in large-scale phishing campaigns, containing technical updates that enable the malware to use infected Microsoft Outlook clients to propagate further phishing emails.
The comeback of Grandoreiro followed a major law enforcement operation in January in which Brazilian authorities arrested five individuals linked to the Trojan's development and deployment.
The new variant has targeted over 1,500 banks globally, supporting financial fraud in more than 60 countries across Central and South America, Africa, Europe and the Indo-Pacific.
The initial Grandoreiro campaigns focused on Latin America, Spain and Portugal. Researchers at X-Force observed recent phishing emails impersonating government entities, including Mexico's Tax Administration Service, the Federal Electricity Commission, the Revenue Service of Argentina and the South African Revenue Service. This shift suggests a strategic expansion of Grandoreiro's reach, likely driven by the recent law enforcement actions.
New Campaigns
Since March 2024, phishing campaigns by the operators of the Grandoreiro banking Trojan have impersonated Mexico's Tax Administration Service, or SAT; the Federal Electricity Commission, or CFE; and the Secretary of Administration and Finance, targeting users in Mexico, Colombia and Chile.
The phishing emails urge recipients to view invoices or compliance notices by clicking embedded links. The links download a zip file containing an executable that carries a PDF icon to pass as a document; running it starts the infection.
Researchers observed that the campaigns are now expanding beyond Latin America, targeting countries such as Spain, Japan, the Netherlands and Italy. A notable campaign impersonates the South African Revenue Service in emails that prompt users to download a zip file containing the Grandoreiro loader executable.
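The lure in both campaigns is the same: an archive holding an executable dressed up as a document. An icon is invisible to a mail gateway, so the useful check is on content, not appearance. The following is an added example (not code from IBM X-Force or from the article) that inspects a zip archive and flags entries by PE magic bytes, executable extension and document-style double extensions. The archive contents, file names and the stubbed "executable" are constructed here for illustration and are not real Grandoreiro samples.

```python
import io
import zipfile

PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll", ".msi", ".lnk"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx"}


def build_sample_archive() -> bytes:
    """Constructed sample archive: one real-looking PDF, one executable posing as
    a PDF, one plain text file. The 'executable' is only an MZ header plus filler;
    it is not a working program and not actual malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Factura_SAT_2024.pdf", b"%PDF-1.7\n% harmless placeholder document\n")
        zf.writestr("Comprobante_fiscal.pdf.exe", PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00")
        zf.writestr("README.txt", b"plain text, not an executable")
    return buf.getvalue()


def suspicious_entries(zip_bytes: bytes) -> list[dict]:
    """Return the archive entries that look like a disguised executable, with the
    reasons each was flagged. Content (MZ header) is checked first because a
    renamed binary keeps its header no matter what the file is called."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            reasons = []
            if head == PE_MAGIC:
                reasons.append("PE header (MZ) at offset 0")

            # Look only at the base name; split on dots to catch name.pdf.exe.
            base = info.filename.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if len(parts) > 2 and DOCUMENT_EXTENSIONS.intersection(parts[1:-1]):
                reasons.append("document extension buried before the real one")

            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in suspicious_entries(build_sample_archive()):
        print(hit["name"], "->", "; ".join(hit["reasons"]))
```

The MZ check is the one that matters: a gateway rule that only matches `.exe` is defeated by any archive format or naming trick that hides the extension, whereas the header survives renaming. Nested archives and password-protected zips (a common way to blind scanners) would need the archive to be unpacked or the password extracted from the lure first.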
The Grandoreiro infection begins with a custom loader that performs three primary tasks: verifying the victim, collecting basic victim data and downloading the Grandoreiro banking Trojan. It employs advanced string decryption, generating a key string that undergoes multiple rounds of decryption to retrieve plaintext strings.
The loader verifies the victim by collecting system information and checking against hard-coded values to avoid sandboxes and specific countries. It profiles the victim by gathering details including IP address, computer name, OS version, installed antivirus solutions and crypto wallets. This data is sent to the C2 server.
Grandoreiro's C2 server uses a sophisticated domain generation algorithm, resolving domains via DNS over HTTPS. The loader communicates with the C2 server to download the final payload, using encrypted messages to request and receive the Trojan.
The algorithm generates domain names, which the malware uses to locate its C2 server. The malware resolves these domains to IP addresses using DNS over HTTPS, a protocol that carries DNS queries inside encrypted HTTPS connections. DoH is designed to protect users' lookups from interception and tampering, but here it also hides the malware's C2 lookups from network defenders who monitor, block or sinkhole conventional plaintext DNS.
The Grandoreiro banking Trojan includes updates to its string decryption routine and its domain generation algorithm, and it targets numerous banking applications globally. It establishes persistence through Windows registry keys and spreads through Outlook by harvesting email addresses and sending phishing emails from the victim's account.
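To make the two mechanisms in the paragraphs above concrete, here is an added example (not IBM X-Force's code and not Grandoreiro's actual algorithm, which the article does not reproduce) of a generic date-seeded DGA together with the RFC 8484 DoH GET request the malware would use to resolve one of its domains. The seed, label length and TLD list are illustrative assumptions; `https://dns.google/dns-query` is one public resolver endpoint used here only to build a URL, and nothing is sent over the network. A defender who recovers the algorithm can run the same generator for a date range to pre-register or block the candidates, and the final function shows that the query name is trivially readable once the HTTPS layer is stripped, which is why DoH inspection or blocking of unsanctioned resolvers is the usual countermeasure.

```python
import base64
import datetime as dt
import hashlib
import struct

TLDS = ("com", "net", "org")  # assumed TLD pool for the illustrative DGA
LABEL_LEN = 12


def generate_domains(day_iso: str, count: int = 5, seed: bytes = b"example-seed") -> list[str]:
    """Hypothetical DGA: hash(seed || date || index) -> lowercase label + TLD.
    Both operator and malware can compute the same list for a given day without
    talking to each other, which is the property a DGA exists to provide."""
    day = dt.date.fromisoformat(day_iso)  # validates the date string
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[digest[LABEL_LEN] % len(TLDS)]}")
    return domains


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 wire-format query for an A record (qtype 1, class IN).
    RFC 8484 recommends transaction ID 0 so identical queries are cacheable."""
    flags = 0x0100  # only RD (recursion desired) set
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def doh_get_url(name: str, resolver: str = "https://dns.google/dns-query") -> str:
    """GET form from RFC 8484 section 4.1: base64url-encoded wire query with
    padding removed, carried in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def parse_query_name(wire: bytes) -> str:
    """Walk the QNAME labels out of a wire-format query. This is what a TLS
    inspection proxy or endpoint sensor sees once the HTTPS wrapper is gone."""
    pos = 12  # skip the fixed 12-byte header
    labels = []
    while wire[pos] != 0:
        length = wire[pos]
        labels.append(wire[pos + 1: pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


if __name__ == "__main__":
    todays = generate_domains("2024-05-01")
    print("candidate C2 domains:", todays)
    print("DoH GET URL:", doh_get_url(todays[0]))
    print("recovered QNAME:", parse_query_name(build_dns_query(todays[0])))
```

The GET URL is what a proxy log would show for the lookup: an opaque `dns=` blob rather than a hostname, so a detection that keys on queried domain names in DNS server logs never fires. Decoding the parameter, as `parse_query_name` does, recovers the name, but only where the organisation terminates TLS or inspects the endpoint; otherwise the practical control is to block DoH to resolvers other than the sanctioned one.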
In January, Brazilian authorities, assisted by Interpol and cybersecurity firm Kaspersky, arrested five individuals linked to the Grandoreiro operation. These suspects allegedly laundered stolen money through money mules, transferring funds to Brazil. Kaspersky estimated that the group stole at least 3.5 million euros.