Grandoreiro, a banking trojan, has made a comeback, deploying a widespread phishing campaign that now reaches over 60 countries and targets customer accounts from approximately 1,500 banks.
The malware operation – causing $120 million in losses and targeting Spanish-speaking countries – had been disrupted in January 2024 after a joint operation by Brazilian and Spanish authorities, Interpol, cybersecurity firm ESET, and Caixa Bank.
Even though multiple arrests and seizures occurred in Brazil, it seems like the masterminds behind Grandoreiro managed to evade capture, as indicated by the malware’s recent sophisticated updates.
Grandoreiro targeted bank apps by country (Source: IBM)
Phishing Campaigns Tailored to Target Organizations
According to a report from IBM’s X-Force team, Grandoreiro has resumed extensive operations since March 2024. The malware is possibly being leased to cybercriminals through a Malware-as-a-Service (MaaS) model and now targets English-speaking countries as well.
The phishing emails mimic communications from governmental bodies in Mexico, Argentina, and South Africa, particularly tax and revenue services and federal electricity commissions. They are meticulously crafted to look authentic, complete with official logos, and are written in the native languages of the recipients.
Phishing email targeting Argentinian people (Source: IBM)
These emails prompt recipients to click on links supposedly leading to important documents like invoices or tax records. However, clicking these links initiates a download of a deceptive PDF image, which in turn downloads a ZIP file containing the malicious Grandoreiro loader.
Advanced Capabilities of the Updated Grandoreiro Trojan
The latest version of Grandoreiro shows significant technical enhancements that make it a more formidable threat than before. Among the notable upgrades are:
- A refined string decryption algorithm that combines AES CBC with a custom decoder.
- An improved domain generation algorithm (DGA) that now incorporates multiple seeds, helping segregate command and control communications from operator tasks.
- An innovative approach targeting Microsoft Outlook users, where it disables security alerts and uses compromised accounts to send out phishing emails.
- A new persistence mechanism that involves creating registry Run keys to ensure the trojan reloads upon system restart.
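A defender-side check for the Run-key persistence described above, added here as an example and not taken from the IBM report or the article: it enumerates the standard HKLM/HKCU Run locations and flags entries that launch from user-writable directories or lack a valid Authenticode signature. The paths and the "user-writable" heuristic are assumptions; a flagged entry is a lead to triage, not proof of infection.

```powershell
# Added example (not from the IBM report): audit the Run keys a trojan such as
# Grandoreiro uses to reload after a restart, and surface suspicious entries.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Heuristic (assumption): a loader dropped from a phishing ZIP usually lands in
# one of these user-writable roots rather than under Program Files.
$suspiciousRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
                     "$env:USERPROFILE\Downloads", $env:PUBLIC)
# Metadata members Get-ItemProperty attaches to every result; not registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunKeyFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            # Pull the executable out of the command line: quoted form first, else first token.
            if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $reasons = @()
            foreach ($root in $suspiciousRoots) {
                if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "runs from user-writable path $root"
                }
            }
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
            } else {
                $reasons += 'target file not found'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Reasons = ($reasons -join '; ') }
            }
        }
    }
}

Get-RunKeyFindings | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so the HKLM hives are readable; entries that fail only the signature check deserve a closer look before any removal, since some legitimate vendors ship unsigned updaters.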
Grandoreiro now not only targets banking apps but also cryptocurrency wallets. The trojan’s capabilities have also been extended to include remote control of the infected device, file uploading and downloading, keylogging, and manipulating browser sessions through JavaScript commands.
Moreover, it is programmed to perform detailed profiling of potential victims and decides whether to execute based on the device’s geographic location and specific system characteristics.
IBM’s analysts say that Grandoreiro’s latest version avoids execution in countries like Russia, Czechia, the Netherlands, and Poland, as well as on outdated systems like Windows 7 in the United States without active antivirus software.
Final Word
As Grandoreiro spreads its tentacles further, particularly into English-speaking regions, vigilance and proactive security measures have never been more important, for individuals and organizations alike.