Recent Grandoreiro Banking Malware Versions Surface with Sophisticated Strategies to Dodge Identification


New Grandoreiro Banking Malware Variants Emerge with Advanced Tactics to Evade Detection

New variants of the Grandoreiro banking malware have been found using novel tactics to evade anti-fraud measures, indicating that the malware remains under active development despite law enforcement efforts to dismantle the operation.

In an analysis published on Tuesday, Kaspersky said, “Just a portion of this gang has been apprehended; the remaining Grandoreiro operators persist in attacking global users, evolving new malware, and establishing new networks.”

Among the newly adopted techniques are a domain generation algorithm (DGA) for command-and-control (C2) communications, ciphertext stealing (CTS) encryption, and mouse tracking. There are also “lighter, localized versions” aimed specifically at bank customers in Mexico.

Grandoreiro, active since 2016, has adapted continuously over time, working to stay unnoticed while expanding its reach across Latin America and Europe. It is capable of stealing credentials for 1,700 financial institutions across 45 countries and territories.


It is reported to operate under the malware-as-a-service (MaaS) model, although signs indicate that it is available only to specific cybercriminals and trusted associates.

A major development this year was the arrest of some group members, which led to the fracturing of the malware’s Delphi codebase.

“This discovery is supported by the presence of two separate codebases in concurrent campaigns: recent samples incorporating modernized code and older samples relying on the original codebase, now targeting solely Mexican users — patrons of approximately 30 banks,” stated Kaspersky.

Grandoreiro is distributed primarily through phishing emails and, to a lesser extent, through malicious ads displayed on Google. The attack begins with a ZIP file containing a legitimate file and an MSI loader that is responsible for fetching and running the malware.


Campaigns observed in 2023 used very large portable executables, 390 MB in size, posing as AMD External Data SSD drivers in order to evade sandboxes and avoid detection.

The banking malware is equipped to collect host information and IP address geolocation data. It also retrieves the username and checks whether it contains the strings “John” or “WORK,” halting execution if it does.

“Grandoreiro actively seeks out anti-malware solutions such as AVAST, Bitdefender, Nod32, Kaspersky, McAfee, Windows Defender, Sophos, Virus Free, Adaware, Symantec, Tencent, Avira, ActiveScan, and CrowdStrike,” the company said. “Additionally, it scans for banking security software like Topaz OFD and Trusteer.”

The malware also checks for web browsers, email clients, VPN, and cloud storage applications installed on the system and monitors user activity in those applications. In addition, it can act as a clipper, redirecting cryptocurrency transactions to wallets controlled by the threat actor.

Attack chains identified after this year’s arrests add a CAPTCHA challenge before the main payload is executed, as a way to evade automated analysis.

The latest version of Grandoreiro has received substantial enhancements, including self-updating, keystroke logging, country selection to list victims, detection of banking security solutions, use of Outlook to send spam emails, and monitoring of Outlook correspondence for predefined keywords.

It can also capture mouse movements, signaling an effort to mimic user behavior and trick anti-fraud systems into classifying the activity as legitimate.


“This discovery accentuates the continuous evolvement of malware like Grandoreiro, with attackers increasingly introducing tactics tailored to outsmart contemporary security measures relying on behavioral biometrics and machine learning,” indicated the researchers.

Once the credentials are obtained, the threat actors move the funds to accounts held by local money mules through transfer apps, cryptocurrencies, gift cards, or ATMs. The mules are found via Telegram channels and receive $200 to $500 per day.

Remote access to the victim’s device is provided by a Delphi-based tool named Operator, which displays a list of victims as soon as they visit a targeted financial institution’s website.

“The cybercriminals behind the Grandoreiro banking malware are persistently adjusting their strategies and malware to effectively carry out attacks on their targets and elude security measures,” remarked Kaspersky.

“Brazilian banking trojans are already recognized as a global threat; they are stepping into the space left by Eastern European groups who have transitioned to ransomware.”
