Grandoreiro Banking Trojan back, targets 1,500+ banks globally

May 20, 2024

Grandoreiro Banking Trojan Resurfaces

TLDR:

  • Grandoreiro banking trojan has resurfaced targeting over 1,500 banks worldwide
  • Phishing emails lead to the download of a ZIP archive with the Grandoreiro loader executable

The threat actors behind the Windows-based Grandoreiro banking trojan have returned in a global campaign running since March 2024, following a law enforcement takedown in January. The large-scale phishing attacks, likely facilitated by other cybercriminals via a malware-as-a-service (MaaS) model, target over 1,500 banks across the world, spanning more than 60 countries in Central and South America, Africa, Europe, and the Indo-Pacific, IBM X-Force said. While Grandoreiro is known primarily for its focus on Latin America, Spain, and Portugal, the expansion is likely a shift in strategy after Brazilian authorities' attempts to shut down its infrastructure.

Significant improvements to the malware itself have been noted, with major updates to the string decryption routine and the domain generation algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to send further phishing emails. The attacks start with phishing emails instructing recipients to click on a link to view an invoice or make a payment, leading to the download of a ZIP archive containing the Grandoreiro loader executable. This loader is designed to bypass anti-malware scanning software and to check that the compromised host is not running in a sandboxed environment.

The trojan component establishes persistence via the Windows Registry and employs a reworked DGA to establish connections with a command-and-control (C2) server. Grandoreiro allows threat actors to remotely commandeer the system, carry out file operations, and enable special modes, including spamming via Microsoft Outlook data. Using the local Outlook client for spamming lets the trojan spread through infected victims' inboxes via email, contributing to the large spam volume observed from Grandoreiro.
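Because the report describes DGA-generated C2 domains but publishes no details of the algorithm itself, the practical defensive angle is behavioural: DGA output tends to be long, high-entropy, digit-heavy registrable labels queried in bursts from one host. The following is an added example written for this page, not code from IBM X-Force or from the article; the log format, host names and domains are constructed for illustration, and the thresholds are assumptions to be tuned against your own DNS telemetry.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log lines (not from the article or any real capture).
# Format assumed here: "<timestamp> <host> query <rrtype> <domain>".
SAMPLE_DNS_LOG = """\
2024-05-20T10:01:02Z host01 query A www.example.com
2024-05-20T10:01:05Z host01 query A mail.example.org
2024-05-20T10:01:09Z host07 query A xk3q9vbt7zmd1lwp.com
2024-05-20T10:01:10Z host07 query A q8z2vjx4hn5kp0tw.net
2024-05-20T10:01:11Z host07 query A b7mtz9qx3lrp6kdv.org
2024-05-20T10:01:15Z host02 query A cdn.example.net
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+\S+\s+(?P<domain>\S+)$")

# Heuristic thresholds (assumptions; tune per environment).
MIN_LABEL_LEN = 12      # DGA labels are usually long
MIN_ENTROPY = 3.5       # bits per character; English words sit well below this
MIN_DIGIT_RATIO = 0.2   # share of digits in the label
BURST_THRESHOLD = 3     # distinct suspicious domains from one host


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(domain: str) -> str:
    """Crude second-level label extraction (no public-suffix list; assumption)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(label: str) -> bool:
    """Flag a label as DGA-like when it is long and either high-entropy or digit-heavy."""
    if len(label) < MIN_LABEL_LEN:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= MIN_ENTROPY or digit_ratio >= MIN_DIGIT_RATIO


def find_suspicious_queries(log_text: str) -> list:
    """Return (host, domain, entropy) for every query whose label looks DGA-generated."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        label = registrable_label(m["domain"])
        if is_dga_like(label):
            findings.append((m["host"], m["domain"], round(shannon_entropy(label), 3)))
    return findings


def hosts_with_dga_burst(findings: list, threshold: int = BURST_THRESHOLD) -> set:
    """Hosts that queried at least `threshold` distinct suspicious domains."""
    per_host = defaultdict(set)
    for host, domain, _ in findings:
        per_host[host].add(domain)
    return {h for h, domains in per_host.items() if len(domains) >= threshold}


if __name__ == "__main__":
    hits = find_suspicious_queries(SAMPLE_DNS_LOG)
    for host, domain, ent in hits:
        print(f"{host}: {domain} (entropy {ent})")
    print("hosts to triage:", sorted(hosts_with_dga_burst(hits)))
```

Entropy alone produces false positives on legitimate random-looking names (CDN and cloud hostnames, tracking subdomains), which is why the example only escalates a host once several distinct suspicious domains appear in a short window; in production the burst logic should also be bounded in time, and the registrable-label step should use a public-suffix list rather than the crude split shown here.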
