Grandoreiro Banking Trojan back, targets 1,500+ banks globally

May 20, 2024
1 min read

Grandoreiro Banking Trojan Resurfaces


  • Grandoreiro banking trojan has resurfaced targeting over 1,500 banks worldwide
  • Phishing emails lead to the download of a ZIP archive with the Grandoreiro loader executable

The threat actors behind the Windows-based Grandoreiro banking trojan have returned in a global campaign since March 2024 following a law enforcement takedown in January. The large-scale phishing attacks, likely facilitated by other cybercriminals via a malware-as-a-service (MaaS) model, target over 1,500 banks across the world, spanning more than 60 countries in Central and South America, Africa, Europe, and the Indo-Pacific, IBM X-Force said. While Grandoreiro is known primarily for its focus in Latin America, Spain, and Portugal, the expansion is likely a shift in strategy after attempts to shut down its infrastructure by Brazilian authorities.

Significant improvements to the malware itself have been noted, with major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The attacks start with phishing emails instructing recipients to click on a link to view an invoice or make a payment, leading to the download of a ZIP archive with the Grandoreiro loader executable. This loader is designed to bypass anti-malware scanning software and ensure the compromised host is not in a sandboxed environment.

The trojan component establishes persistence via the Windows Registry and employs a reworked DGA to establish connections with a command-and-control (C2) server. Grandoreiro allows threat actors to remotely commandeer the system, carry out file operations, and enable special modes, including spamming via Microsoft Outlook data. Utilizing the local Outlook client for spamming enables the trojan to spread through infected victim inboxes via email, contributing to the large amount of spam volume observed from Grandoreiro.

Latest from Blog

Boosting Indonesia’s Cybersecurity Post Ransomware Attacks

Strengthening Indonesia‚Äôs Cybersecurity Defenses In Wake Of Ransomware Attacks TLDR: – Recent ransomware attack on Indonesia’s National Data Centre highlights need for strong cybersecurity measures – Key recommendations include regular security audits,

Simplify your workload with AI-powered threat intelligence reports

TLDR: Cybersecurity professionals face challenges managing workloads, budgets, and attack surfaces. AI-driven threat intelligence reporting tool, IQ Report Generator by Cybersixgill, helps automate and streamline the reporting process. Article Summary: Cybersecurity professionals