In January 2024, an international law enforcement operation involving Brazil, Spain, Interpol, ESET, and Caixa Bank announced the disruption of the malware operation, which had been targeting Spanish-speaking countries since 2017 and caused $120 million in losses.
IBM's X-Force team reports that Grandoreiro appears to have returned to large-scale operations since March 2024, likely rented to cybercriminals via a Malware-as-a-Service model, and now targeting English-speaking countries too.
The trojan itself has undergone a technical revamp that added many new powerful features and improvements, indicating that its creators evaded arrest and weren't deterred by the previous crackdown.
Since multiple threat actors rent the malware, the phishing lures are diverse and crafted specifically for the organizations a particular cybercriminal is targeting.
Phishing emails seen by IBM impersonate government entities in Mexico, Argentina, and South Africa, mainly tax administration organizations, revenue services, and federal electricity commissions.
When recipients click on those emails, they are redirected to an image of a PDF that triggers the download of a ZIP file containing a bloated executable, which is the Grandoreiro loader.
IBM X-Force noticed several new features and significant updates in the latest variant of the Grandoreiro banking trojan, making it a more evasive and effective threat.
Updates on the domain generation algorithm which now includes multiple seeds to separate the command and control communications with operator tasks.
New mechanism that targets Microsoft Outlook clients, disabling security alerts and using them to send phishing to new targets.
New persistence mechanism relying on the creation of registry Run keys Expansion of targeting bank applications and inclusion of cryptocurrency wallets.
Expansion of the command set, now including remote control, file upload/download, keylogging, and browser manipulation via JavaScript commands.
Another notable new feature is Grandoreiro's ability to perform detailed victim profiling and decide whether or not it will execute on the device, which gives operators better control of their targeting scope.
IBM analysts report that the latest version of the trojan avoids execution in specific countries like Russia, Czechia, the Netherlands, and Poland, as well as on Windows 7 machines in the United States where no antivirus is active.
The above clearly indicates that despite the recent law enforcement action, Grandoreiro is alive and kicking, and unfortunately, it looks stronger than ever.
Update: This article incorrectly said the malware was for Android.
Finland warns of Android malware attacks breaching bank accounts.
SoumniBot malware exploits Android bugs to evade detection.
Millions of Docker repos found pushing malware, phishing sites.
New Latrodectus malware attacks use Microsoft, Cloudflare themes.
New Brokewell malware takes over Android devices, steals data.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 18 May 2024 22:20:28 +0000