Grandoreiro Banking Trojan Resurfaces, Focusing on Over 1,500 Banks Worldwide

May 19, 2024 | Newsroom | Banking Trojan / Email Security


The threat actors behind the Windows-based Grandoreiro banking trojan have returned in a global campaign since March 2024, following a law enforcement takedown in January.

The large-scale phishing attacks, likely facilitated by other cybercriminals via a malware-as-a-service (MaaS) model, target over 1,500 banks across the world, spanning more than 60 countries in Central and South America, Africa, Europe, and the Indo-Pacific, IBM X-Force said.

While Grandoreiro is known primarily for its focus on Latin America, Spain, and Portugal, the expansion is likely a shift in strategy following attempts by Brazilian authorities to shut down its infrastructure.

Going hand-in-hand with the broader targeting footprint are significant improvements to the malware itself, which indicates active development.


"Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails," security researchers Golo Mühr and Melissa Frydrych said.

The attacks begin with phishing emails that instruct recipients to click on a link to view an invoice or make a payment, depending on the nature of the lure and the government entity impersonated in the messages.


Users who end up clicking on the link are redirected to an image of a PDF icon, ultimately leading to the download of a ZIP archive containing the Grandoreiro loader executable.

The custom loader is artificially inflated to more than 100 MB to bypass anti-malware scanning software. It is also responsible for ensuring that the compromised host is not in a sandboxed environment, sending basic victim data to a command-and-control (C2) server, and downloading and executing the main banking trojan.
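As an added example (not from the article or the IBM X-Force report), here is a small triage script that opens an emailed ZIP and flags executables that are either above a typical scanner size limit or consist mostly of single-byte padding, the inflation trick described above. The thresholds, file names and the sample archive are constructed assumptions for illustration.

```python
import io
import zipfile

# Assumed thresholds (not from the article): scanners commonly skip files above a
# size limit, which is what oversized loaders exploit; 100 MB is the figure cited.
SIZE_THRESHOLD = 100 * 1024 * 1024
PAD_FRACTION_THRESHOLD = 0.5


def padding_ratio(data, chunk=4096):
    """Fraction of fixed-size chunks consisting of one repeated byte value.
    Junk-inflated binaries are usually padded with long runs of a single byte."""
    if not data:
        return 0.0
    offsets = range(0, len(data), chunk)
    padded = sum(1 for i in offsets if len(set(data[i:i + chunk])) == 1)
    return padded / len(offsets)


def inspect_zip(zip_bytes):
    """One finding per executable in the archive: uncompressed size, how well it
    deflates, how much of it is padding, and an 'inflated' verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".exe", ".dll", ".scr")):
                continue
            data = zf.read(info.filename)
            ratio = padding_ratio(data)
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                # deflated size / real size: near 0 means the file is mostly filler
                "compression_ratio": round(info.compress_size / max(info.file_size, 1), 4),
                "padding_ratio": round(ratio, 3),
                "inflated": info.file_size > SIZE_THRESHOLD or ratio > PAD_FRACTION_THRESHOLD,
            })
    return findings


def build_sample_archive(pad_bytes):
    """Constructed sample (hypothetical): a fake 'loader.exe' made of a 2 KB varied
    stub followed by pad_bytes of 0x00 filler, zipped like a phishing attachment."""
    stub = b"MZ" + bytes(range(256)) * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("loader.exe", stub + b"\x00" * pad_bytes)
        zf.writestr("invoice.txt", "constructed sample, not real malware")
    return buf.getvalue()
```

Running `inspect_zip(build_sample_archive(2 * 1024 * 1024))` flags the padded sample because almost every chunk is a single byte value, while the same stub with no filler passes.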

It is worth pointing out that the verification step is also used to skip systems geolocated to Russia, Czechia, Poland, and the Netherlands, as well as Windows 7 machines based in the U.S. with no antivirus installed.

The trojan component begins its execution by establishing persistence via the Windows Registry, after which it employs a reworked DGA to establish connections with a C2 server and receive further instructions.


Grandoreiro supports a variety of commands that allow the threat actors to remotely commandeer the system, carry out file operations, and enable special modes, including a new module that gathers Microsoft Outlook data and abuses the victim's email account to blast spam messages to other targets.

"In order to interact with the local Outlook client, Grandoreiro uses the Outlook Security Manager tool, a software used to develop Outlook add-ins," the researchers said. "The main reason behind this is that the Outlook Object Model Guard triggers security alerts if it detects access on protected objects."


"By using the local Outlook client for spamming, Grandoreiro can spread through infected victim inboxes via email, which likely contributes to the large amount of spam volume observed from Grandoreiro."
