New Grandoreiro Banking Malware Variants Emerge with Advanced Tactics to Evade Detection


Multiple new variants of the banking malware known as Grandoreiro have been observed adopting new tactics to bypass anti-fraud controls, a sign that the malware remains under active development despite law enforcement efforts to dismantle the operation.

According to an analysis published on Tuesday by Kaspersky, "Only a segment of this gang was apprehended: the remaining operators responsible for Grandoreiro persist in targeting users globally, constantly innovating new malware and setting up fresh network infrastructure."

Among the newly added techniques are the use of a domain generation algorithm (DGA) for command-and-control (C2) communication, ciphertext stealing (CTS) encryption, and mouse tracking. Kaspersky also observed "leaner, locale-based versions" that focus specifically on customers of banks in Mexico.

Grandoreiro, active since 2016, has evolved steadily over the years in an effort to stay under the radar, while also expanding its geographic reach to cover Latin America and Europe. It is capable of stealing login credentials for 1,700 financial institutions across 45 countries and territories.


It is believed to operate under a malware-as-a-service (MaaS) model, although indications suggest it is only available to a select group of cybercriminals and trusted affiliates.

One of the key developments this year concerning Grandoreiro is the arrest of several members of the group, an event that has led to a split of the malware's Delphi codebase.

"This discovery is corroborated by the existence of two separate codebases observed in concurrent campaigns: newer samples integrating up-to-date coding practices, and older samples leveraging the outdated codebase, now aiming solely at users in Mexico, patrons of approximately 30 banking institutions," Kaspersky noted.

Grandoreiro is distributed mainly through phishing emails and, to a lesser extent, via malicious advertisements served on Google. The initial stage is a ZIP file containing a legitimate decoy file alongside an MSI loader responsible for downloading and executing the malware.


Campaigns observed in 2023 have used unusually large executables of 390 MB, disguised as AMD External Data SSD drivers, to evade sandboxes (which often skip files above a size threshold) and remain unnoticed.

The banking malware includes functions to collect host information and IP address geolocation data. It also retrieves the username and checks for the strings "John" or "WORK," halting execution if either is found, a check aimed at identifying analysis environments.

"Grandoreiro actively scans for anti-malware solutions such as AVAST, Bitdefender, Nod32, Kaspersky, McAfee, Windows Defender, Sophos, Virus Free, Adaware, Symantec, Tencent, Avira, ActiveScan, and CrowdStrike," the company said. "Additionally, it seeks out banking security applications like Topaz OFD and Trusteer."

Another notable feature of the malware is its check for specific web browsers, email clients, VPNs, and cloud storage applications on the system, along with monitoring of user activity across those applications. It can also act as a clipper, redirecting cryptocurrency transactions to wallets controlled by the threat actor.

Newer attack chains observed after this year's arrests include a CAPTCHA challenge presented before the main payload is activated, a mechanism intended to defeat automated analysis.

The latest version of Grandoreiro has also received substantial upgrades, including the ability to self-update, log keystrokes, select the country for listing victims, identify banking security products, use Outlook to send spam emails, and search for targeted keywords in Outlook messages.

It is also configured to track mouse movements, indicating an attempt to mimic user behavior and trick anti-fraud systems into treating the activity as legitimate.


"This revelation emphasizes the perpetual evolution of malware like Grandoreiro, where perpetrators are increasingly integrating strategies tailored to counter contemporary security solutions reliant on behavioral biometrics and artificial intelligence," the researchers said.

Once the credentials are obtained, the threat actors move the funds to accounts owned by local money mules via transfer apps, cryptocurrencies, gift cards, or ATMs. These mules are recruited through Telegram channels and are paid $200 to $500 per day.

Remote access to the victim's machine is provided through a Delphi-based tool named Operator, which displays a list of victims whenever they begin browsing a targeted bank's website.

"The malevolent actors orchestrating the Grandoreiro financial institution malware are ceaselessly refining their tactics and malware to effectively execute assaults against their victims and outmaneuver security protocols," Kaspersky said.

"Brazilian financial trojan threats have already transcended international borders, occupying the void left by Eastern European syndicates who have migrated to ransomware."
