The cybercriminal group behind the Grandoreiro banking trojan has re-emerged in a global campaign since March 2024, following a significant law enforcement takedown earlier this year. This large-scale phishing operation targets over 1,500 banks across more than 60 countries, spanning Central and South America, Africa, Europe, and the Indo-Pacific, according to IBM X-ForceIBM X-Force.
Originally focused on Latin America, Spain, and Portugal, Grandoreiro’s new campaign signifies a strategic shift after Brazilian authorities disrupted its infrastructure.
Despite a major takedown in January 2024, which saw the Brazilian Federal Police, Interpol, the Spanish National Police, ESET, and Caixa Bank dismantle the operation and arrest five individuals, the malware has returned with significant upgrades.
The phishing emails associated with Grandoreiro masquerade as urgent government payment requests, prompting recipients to click on links that download and execute malicious files.
Once installed, the trojan interacts with banking apps to facilitate fraudulent transactions, logs keystrokes and captures screenshots to steal banking credentials and sensitive data. It also allows remote system manipulation and file operations by threat actors.
A key enhancement in the latest version is a module that captures Microsoft Outlook data and uses compromised email accounts to spread spam.
Grandoreiro employs the Outlook Security Manager tool to bypass security alerts, enabling seamless interaction with the Outlook client.
IBM X-Force reports substantial improvements to the malware’s evasion techniques, including a string decryption method using AES CBC encryption with a unique decoder. The domain generation algorithm (DGA) has been upgraded with multiple seeds to enhance command and control (C2) communications.
The trojan can also disable security alerts in Outlook and send phishing emails using compromised credentials.
The updated Grandoreiro evades execution in several countries, including Poland, the Czech Republic, the Netherlands, and Russia. It also blocks operation on Windows 7 systems in the US without an active antivirus program, demonstrating its resilience and increased persistence.
To combat the threat of Grandoreiro
Organizations are advised to prioritize user education on phishing tactics. Employees should be trained to recognize suspicious emails, verify sender legitimacy, and avoid clicking on unknown links or opening untrusted attachments. Robust spam filtering systems at the gateway level can intercept many phishing emails, while behavior-based detection techniques in endpoint security systems can identify and stop harmful activities.
As phishing attacks rise, protecting organizations becomes crucial.
Enhancing user awareness is key, and resources like Phishing Tackle offer tools and training to help users recognize and avoid phishing threats. Despite technological defenses, user education remains vital in minimizing the impact of successful attacks. Consulting with experts can provide valuable insights and tools to strengthen defenses against these persistent threats.
