Grandoreiro, the notorious banking malware, has spawned new variants that use fresh tactics to evade anti-fraud safeguards, underscoring the persistent development and adaptability of the malicious code despite law enforcement crackdowns aimed at disrupting its operations.
“Solely a portion of those responsible for Grandoreiro were apprehended; meanwhile, other operators continued to target customers globally, creating new malware and building new infrastructure,” Kaspersky reported in its latest assessment.
Newly incorporated tactics include a domain generation algorithm (DGA) for command-and-control (C2) communications, ciphertext stealing (CTS) encryption, and mouse tracking. Also observed are lighter, local versions that focus specifically on Mexican banking customers.
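To show why a DGA matters for C2 resilience, and what a defender can do once the algorithm is recovered from a sample, here is an added illustrative example. It is not Grandoreiro's algorithm (the page does not describe it) and not Kaspersky's code; the seed, TLD pool, hashing scheme and the DNS log lines are all constructed for this example. The point it demonstrates is general: bot and operator derive the same short list of domains from a shared seed and the current date, so no domain list is embedded in the binary, and an analyst who extracts the seed can precompute that list and match it against DNS telemetry.

```python
"""Illustrative domain generation algorithm (DGA) plus defender-side precomputation.

Hypothetical example added for this page. It does NOT reproduce Grandoreiro's
real algorithm; the seed, TLD pool and log format are constructed.
"""
import datetime as dt
import hashlib

TLDS = ("com", "net", "org")           # assumption: a small fixed TLD pool
SEED = b"example-campaign-key"         # assumption: per-campaign secret shared by bot and operator


def dga_domains(day: dt.date, count: int = 5, seed: bytes = SEED) -> list[str]:
    """Derive `count` deterministic candidate C2 domains for one calendar day.

    Implant and operator both run this, so the operator only has to register
    (or pre-register) today's few domains, and takedown of yesterday's
    domains does not break the channel.
    """
    out = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).hexdigest()
        label = digest[:12]                                  # 12 hex chars, random-looking but reproducible
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]      # pick TLD from the same digest
        out.append(f"{label}.{tld}")
    return out


def match_dns_log(log_lines, day: dt.date, count: int = 5, seed: bytes = SEED):
    """Defender side: once algorithm and seed are recovered from a sample,
    precompute the day's candidates and flag any query that resolves one.

    Constructed log format (one query per line): "<timestamp> <client-ip> <qname>".
    Returns a list of (client_ip, matched_domain) tuples.
    """
    candidates = set(dga_domains(day, count, seed))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue                                         # malformed line, skip rather than crash
        qname = parts[2].rstrip(".").lower()
        if qname in candidates:
            hits.append((parts[1], qname))
    return hits


SAMPLE_DAY = dt.date(2024, 10, 22)

# Constructed DNS log lines (not real traffic). The second line queries one of
# the day's DGA candidates; the others are benign.
SAMPLE_LOG = [
    "2024-10-22T09:01:03Z 10.0.0.7 www.example.com.",
    f"2024-10-22T09:01:09Z 10.0.0.5 {dga_domains(SAMPLE_DAY)[2]}.",
    "2024-10-22T09:01:15Z 10.0.0.9 updates.example.net.",
    "garbage-line",
]


def demo():
    """Run the matcher over the constructed log for the sample day."""
    return match_dns_log(SAMPLE_LOG, SAMPLE_DAY)


if __name__ == "__main__":
    print("today's candidates:", dga_domains(SAMPLE_DAY))
    print("hits:", demo())
```

Blocking the domains seen in one sample is not enough against a DGA, since tomorrow's list differs; the durable control is recovering the algorithm and seed and either sinkholing the upcoming candidates or alerting on any query that matches them.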
Since it first appeared in 2016, the malware has evolved continuously, adopting measures to evade detection while expanding its reach across Latin America and Europe. It is capable of stealing login credentials for approximately 1,700 financial institutions spread across 45 countries and territories.
The malware operates under a malware-as-a-service (MaaS) model, with evidence suggesting it is offered only to select cybercriminals and trusted partners.
The pivotal development for Grandoreiro this year was the arrest of several group members, a turning point that has led to the fragmentation of the malware's Delphi codebase.
Kaspersky noted that this assessment is supported by the presence of two distinct codebases in concurrent campaigns: one featuring up-to-date code and another relying on legacy code, the latter currently focused exclusively on Mexican customers of approximately 30 banks.
Grandoreiro is spread primarily through phishing emails and, to a lesser degree, through malicious advertisements displayed on Google. The initial package, a ZIP archive, contains both a legitimate executable and an MSI loader responsible for downloading and executing the malware.
In 2023, researchers uncovered campaigns using unusually large portable executables, as much as 390 megabytes in size, disguised as AMD External Data SSD drivers to evade sandbox analysis and operate stealthily.
The banking malware is equipped with features that gather host information and determine the victim's IP address. It also retrieves the username and checks whether it matches either of the strings "John" or "WORK"; if so, it halts execution, a check intended to avoid running inside analysis environments.
The company stated that Grandoreiro searches for anti-malware solutions such as AVAST, Bitdefender, Nod32, Kaspersky, McAfee, Windows Defender, Sophos, Virus Free, Adaware, Symantec, Tencent, Avira, ActiveScan, and CrowdStrike. "It also looks for banking security software, such as Topaz OFD and Trusteer."
The malware can also detect the presence of certain web browsers, email clients, Virtual Private Networks (VPNs), and cloud storage services on the system, and then monitors user activity within these applications. In addition, it can redirect cryptocurrency transactions to wallets controlled by the threat actors.
New variants discovered after this year's arrests add a CAPTCHA gate before the primary payload is delivered, as a means of thwarting automated analysis.
The latest iteration of Grandoreiro features enhanced capabilities, including self-updating, keystroke logging, listing of victims by country, improved detection of banking security software, the ability to send spam emails via Outlook, and monitoring of Outlook emails for specific keywords.
It is also equipped to capture mouse movements so that the operator can replay human-like behavior, convincingly mimicking genuine user interaction and evading anti-fraud systems that rely on behavioral analysis.
"This evolution underscores the ongoing development of Grandoreiro malware, as cybercriminals increasingly employ tactics aimed at circumventing modern security measures that rely on behavioral analysis and machine learning."
Once credentials are stolen, the criminals quickly transfer the stolen funds to bank accounts controlled by money mules using a combination of mobile payment apps, cryptocurrencies, prepaid debit cards, and ATMs. The mules are recruited and paid through Telegram channels, earning between $200 and $500 per day.
Remote access to the compromised machine is provided through a Delphi-based tool called Operator, which displays a list of infected victims whenever one of them visits a targeted financial institution's website.
The actors behind the Grandoreiro banking malware continuously refine their tactics and malicious code to effectively launch attacks against targets while circumventing security measures, according to Kaspersky.
"Brazilian banking Trojans have evolved into a global threat, filling the void left by Eastern European gangs that have shifted their focus to ransomware attacks."