Latest Varieties of Grandoreiro Banking Malware Manifest with Sophisticated Techniques for Avoiding Detection

Novel forms of a banking malware known as Grandoreiro have been discovered to utilize innovative strategies to dodge detection methods, suggesting that the harmful program is actively undergoing enhancements despite efforts by authorities to dismantle the operation.

“A segment of this syndicate was apprehended: the remaining perpetrators behind Grandoreiro continue to assault users globally, further enhancing new malicious software and setting up fresh infrastructure,” Kaspersky stated in a report released on Tuesday.

Among the newly added tricks are the use of a domain generation algorithm (DGA) for command-and-control (C2) communications, ciphertext stealing (CTS) encryption, and mouse tracking. There are also signs of “streamlined, localized versions” focused on banking customers in Mexico.
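A DGA-generated C2 domain is something a defender can often spot in DNS telemetry before any sample is in hand. The following is an added example, not code from the Kaspersky report or from Grandoreiro itself: a generic lexical heuristic (label length, character entropy, vowel ratio) run over a few constructed DNS query log lines. The log format and the sample domains are assumptions made for this illustration; the page does not describe the actual DGA scheme, so this is a general DGA triage filter, not a decoder for this family.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log lines (not real Grandoreiro telemetry).
SAMPLE_DNS_LOG = """\
2024-10-22T10:01:02Z host1 query A www.microsoft.com
2024-10-22T10:01:05Z host1 query A update.kaspersky.com
2024-10-22T10:01:09Z host1 query A x7q2kd9zpl4mw.com
2024-10-22T10:01:12Z host1 query A jk3vhtq8rzxmbn.net
2024-10-22T10:01:15Z host1 query A mail.google.com
2024-10-22T10:01:18Z host1 query A wq9ztxkp2lmv.org
"""

VOWELS = set("aeiou")
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")  # assumed log layout


def shannon_entropy(s):
    """Bits of entropy per character of the string (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(fqdn):
    """Crude second-level label extraction (ignores multi-part public suffixes)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label):
    """Return a score in [0, 3]; higher means more DGA-like.

    Each of three cheap lexical signals adds one point:
    long label, high character entropy, and few vowels among letters.
    """
    score = 0
    if len(label) >= 10:
        score += 1
    if shannon_entropy(label) >= 3.2:
        score += 1
    letters = [c for c in label if c.isalpha()]
    if letters and sum(c in VOWELS for c in letters) / len(letters) < 0.25:
        score += 1
    return score


def find_suspicious_queries(log_text, threshold=2):
    """Parse log lines and return (host, fqdn, score) for labels at/above threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, host, _qtype, fqdn = m.groups()
        score = dga_score(registrable_label(fqdn))
        if score >= threshold:
            hits.append((host, fqdn, score))
    return hits


if __name__ == "__main__":
    for host, fqdn, score in find_suspicious_queries(SAMPLE_DNS_LOG):
        print(f"{host}: {fqdn} (score {score})")
```

Run on the embedded sample, the three random-looking labels score 3 while the legitimate domains score 0 or 1; "kaspersky" lands at 1 because it is vowel-poor, which is why a threshold rather than any single signal is used. In production this belongs behind an allow-list of known domains and alongside volume-based signals (many NXDOMAIN responses from one host in a short window), since lexical scoring alone produces false positives on CDN and tracking hostnames.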
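The mention of ciphertext stealing matters to an analyst because CTS mode produces ciphertext exactly as long as the plaintext, so encrypted strings or configuration blobs carry no padding bytes that a padding-oracle or block-alignment check would reveal. The block below is an added example, not code from the report or the malware, implementing CBC with ciphertext stealing (the CS3 variant, where the last two ciphertext pieces are swapped, as used in Kerberos) over a deliberately insecure stand-in block cipher so that it runs without any library. The page does not say which block cipher or CTS variant Grandoreiro uses; the key, IV and sample plaintext are constructed for the illustration.

```python
BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _toy_block_encrypt(key, block):
    # Stand-in 16-byte block permutation for illustration only (NOT a real cipher):
    # XOR with the key, then rotate the bytes left by three positions.
    x = _xor(block, key)
    return x[3:] + x[:3]


def _toy_block_decrypt(key, block):
    # Inverse of the stand-in: rotate right by three, then XOR with the key.
    x = block[-3:] + block[:-3]
    return _xor(x, key)


def _split(data):
    """Return (blocks, d): all 16-byte blocks, the last possibly partial of length d."""
    n = -(-len(data) // BLOCK)              # ceil division: number of blocks
    d = len(data) - (n - 1) * BLOCK         # length of the final block, 1..16
    return [data[i * BLOCK:(i + 1) * BLOCK] for i in range(n)], d


def cbc_cts_encrypt(key, iv, plaintext):
    """CBC-CS3 encryption: len(ciphertext) == len(plaintext), no padding emitted."""
    if len(plaintext) <= BLOCK:
        raise ValueError("ciphertext stealing needs more than one block of input")
    blocks, d = _split(plaintext)
    out, prev = [], iv
    for p in blocks[:-2]:                   # ordinary CBC for all but the last two blocks
        c = _toy_block_encrypt(key, _xor(p, prev))
        out.append(c)
        prev = c
    c_pen = _toy_block_encrypt(key, _xor(blocks[-2], prev))   # full penultimate block
    last_padded = blocks[-1] + bytes(BLOCK - d)              # zero-extend final block
    c_last = _toy_block_encrypt(key, _xor(last_padded, c_pen))
    out.append(c_last)                      # swapped order: full last block first ...
    out.append(c_pen[:d])                   # ... then the stolen prefix of the penultimate
    return b"".join(out)


def cbc_cts_decrypt(key, iv, ciphertext):
    """Inverse of cbc_cts_encrypt; recovers the stolen bytes from the decrypted last block."""
    if len(ciphertext) <= BLOCK:
        raise ValueError("ciphertext stealing needs more than one block of input")
    blocks, d = _split(ciphertext)
    out, prev = [], iv
    for c in blocks[:-2]:
        out.append(_xor(_toy_block_decrypt(key, c), prev))
        prev = c
    c_last, tail = blocks[-2], blocks[-1]
    x = _toy_block_decrypt(key, c_last)     # == zero-padded P_last XOR C_pen
    p_last = _xor(x[:d], tail)              # tail holds the first d bytes of C_pen
    c_pen = tail + x[d:]                    # reassemble the full penultimate ciphertext
    p_pen = _xor(_toy_block_decrypt(key, c_pen), prev)
    out.append(p_pen)
    out.append(p_last)
    return b"".join(out)


# Constructed key, IV and plaintext for the demonstration.
DEMO_KEY = bytes(range(16))
DEMO_IV = bytes([0x5A] * 16)
DEMO_PLAINTEXT = b"constructed config blob of 37 bytes.."


def demo_roundtrip(plaintext=DEMO_PLAINTEXT):
    """Return (ciphertext_length, plaintext_length, roundtrip_ok) for a plaintext."""
    ct = cbc_cts_encrypt(DEMO_KEY, DEMO_IV, plaintext)
    pt = cbc_cts_decrypt(DEMO_KEY, DEMO_IV, ct)
    return len(ct), len(plaintext), pt == plaintext


if __name__ == "__main__":
    print(demo_roundtrip())
```

The practical takeaway for triage is the first two values returned by `demo_roundtrip`: they are always equal, so an encrypted blob whose length is not a multiple of 16 does not imply a stream cipher, and the absence of PKCS#7-style trailing bytes does not rule out a block cipher in CBC mode.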

Grandoreiro, active since 2016, has evolved steadily, working to stay undetected while extending its reach to Latin America and Europe. It can steal credentials for 1,700 financial institutions in 45 countries and territories.

It is reported to operate under the malware-as-a-service (MaaS) model, although evidence suggests it is offered only to select cybercriminals and trusted partners.

One of the notable developments this year concerning Grandoreiro is the arrest of some group members, which has led to a split of the malware’s Delphi codebase.

“This revelation is corroborated by the existence of two distinct codebases in concurrent campaigns: more recent samples showcasing updated code, and older samples leveraging the legacy codebase, now targeting solely users in Mexico — patrons of roughly 30 banks,” as mentioned by Kaspersky.

Grandoreiro is distributed mainly through phishing emails and, to a lesser extent, via malicious advertisements displayed on Google. The first stage is a ZIP file containing a legitimate file alongside an MSI loader that downloads and launches the malware.

Campaigns identified in 2023 were observed using very large portable executables, 390 MB in size, posing as AMD External Data SSD drivers to evade sandboxes and stay undetected.

The banking malware includes functionality to collect host details and IP geolocation data. It also retrieves the username and checks for the strings “John” or “WORK,” halting execution if either is present.

“Grandoreiro scans for anti-malware solutions such as AVAST, Bitdefender, Nod32, Kaspersky, McAfee, Windows Defender, Sophos, Virus Free, Adaware, Symantec, Tencent, Avira, ActiveScan, and CrowdStrike,” the company stated. “It also searches for banking security software, like Topaz OFD and Trusteer.”

The malware also checks for the presence of specific web browsers, email clients, VPNs and cloud storage apps on the system and tracks user activity in them. In addition, it can act as a clipper, redirecting cryptocurrency transactions to wallets controlled by the threat actor.

Newer attack chains observed after this year’s arrests present a CAPTCHA challenge before the main payload runs, in order to bypass automated analysis.

The latest version of Grandoreiro has also received substantial enhancements, including self-updating, keystroke logging, selecting the country used to list victims, detecting banking security solutions, using Outlook to send spam emails, and monitoring Outlook emails for specific keywords.

It is also capable of tracking mouse movements, suggesting an effort to imitate user behavior and deceive anti-fraud systems into interpreting the activity as legitimate.

“This revelation underscores the continuous evolution of malware like Grandoreiro, where attackers are progressively assimilating methods designed to counter contemporary security solutions dependent on behavioral biometrics and machine learning,” the researchers remarked.

Once the credentials are obtained, the attackers move the funds to accounts owned by local money mules via transfer apps, cryptocurrencies, gift cards, or at an ATM. The mules are recruited through Telegram channels and receive $200 to $500 a day.

Remote access to the victim’s machine is handled through a Delphi-based tool called Operator, which shows a list of victims as soon as they start browsing a targeted financial institution’s website.

“The threat actors orchestrating the Grandoreiro banking malware are consistently adapting their strategies and malware to effectively execute attacks against targets and avoid security solutions,” Kaspersky acknowledged.

“Brazilian banking trojans have already become a global menace, filling the gaps left by Eastern European syndicates that have transitioned to ransomware.”
