Grandoreiro Banking Trojan back, targets 1,500+ banks globally

May 20, 2024
1 min read




Grandoreiro Banking Trojan Resurfaces

TLDR:

  • Grandoreiro banking trojan has resurfaced targeting over 1,500 banks worldwide
  • Phishing emails lead to the download of a ZIP archive with the Grandoreiro loader executable

The threat actors behind the Windows-based Grandoreiro banking trojan have returned in a global campaign since March 2024 following a law enforcement takedown in January. The large-scale phishing attacks, likely facilitated by other cybercriminals via a malware-as-a-service (MaaS) model, target over 1,500 banks across the world, spanning more than 60 countries in Central and South America, Africa, Europe, and the Indo-Pacific, IBM X-Force said. While Grandoreiro is known primarily for its focus in Latin America, Spain, and Portugal, the expansion is likely a shift in strategy after attempts to shut down its infrastructure by Brazilian authorities.

Significant improvements to the malware itself have been noted, with major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The attacks start with phishing emails instructing recipients to click on a link to view an invoice or make a payment, leading to the download of a ZIP archive with the Grandoreiro loader executable. This loader is designed to bypass anti-malware scanning software and ensure the compromised host is not in a sandboxed environment.

The trojan component establishes persistence via the Windows Registry and employs a reworked DGA to establish connections with a command-and-control (C2) server. Grandoreiro allows threat actors to remotely commandeer the system, carry out file operations, and enable special modes, including spamming via Microsoft Outlook data. Utilizing the local Outlook client for spamming enables the trojan to spread through infected victim inboxes via email, contributing to the large amount of spam volume observed from Grandoreiro.


Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and