Banking malware Grandoreiro returns after police disruption

In January 2024, an international law enforcement operation involving Brazil, Spain, Interpol, ESET, and Caixa Bank announced the disruption of the malware operation, which had been targeting Spanish-speaking countries since 2017 and caused $120 million in losses.
IBM's X-Force team reports that Grandoreiro appears to have returned to large-scale operations since March 2024, likely rented to cybercriminals via a Malware-as-a-Service model, and now targeting English-speaking countries too.
The trojan itself has undergone a technical revamp that added many new powerful features and improvements, indicating that its creators evaded arrest and weren't deterred by the previous crackdown.
Since multiple threat actors rent the malware, the phishing lures are diverse and crafted specifically for the organizations a particular cybercriminal is targeting.
Phishing emails seen by IBM impersonate government entities in Mexico, Argentina, and South Africa, mainly tax administration organizations, revenue services, and federal electricity commissions.
When recipients click on those emails, they are redirected to an image of a PDF that triggers the download of a ZIP file containing a bloated executable, which is the Grandoreiro loader.
IBM X-Force noticed several new features and significant updates in the latest variant of the Grandoreiro banking trojan, making it a more evasive and effective threat.
Updates on the domain generation algorithm which now includes multiple seeds to separate the command and control communications with operator tasks.
New mechanism that targets Microsoft Outlook clients, disabling security alerts and using them to send phishing to new targets.
New persistence mechanism relying on the creation of registry Run keys Expansion of targeting bank applications and inclusion of cryptocurrency wallets.
Expansion of the command set, now including remote control, file upload/download, keylogging, and browser manipulation via JavaScript commands.
Another notable new feature is Grandoreiro's ability to perform detailed victim profiling and decide whether or not it will execute on the device, which gives operators better control of their targeting scope.
IBM analysts report that the latest version of the trojan avoids execution in specific countries like Russia, Czechia, the Netherlands, and Poland, as well as on Windows 7 machines in the United States where no antivirus is active.
The above clearly indicates that despite the recent law enforcement action, Grandoreiro is alive and kicking, and unfortunately, it looks stronger than ever.
Update: This article incorrectly said the malware was for Android.
Finland warns of Android malware attacks breaching bank accounts.
SoumniBot malware exploits Android bugs to evade detection.
Millions of Docker repos found pushing malware, phishing sites.
New Latrodectus malware attacks use Microsoft, Cloudflare themes.
New Brokewell malware takes over Android devices, steals data.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 18 May 2024 22:20:28 +0000


Cyber News related to Banking malware Grandoreiro returns after police disruption

Banking malware Grandoreiro returns after police disruption - In January 2024, an international law enforcement operation involving Brazil, Spain, Interpol, ESET, and Caixa Bank announced the disruption of the malware operation, which had been targeting Spanish-speaking countries since 2017 and caused $120 ...
7 months ago Bleepingcomputer.com
Android malware Grandoreiro returns after police disruption - In January 2024, an international law enforcement operation involving Brazil, Spain, Interpol, ESET, and Caixa Bank announced the disruption of the malware operation, which had been targeting Spanish-speaking countries since 2017 and caused $120 ...
7 months ago Bleepingcomputer.com
What is Proposition E and Why Should San Francisco Voters Oppose It? - In addition to removing certain police oversight authority from the Police Commission and expanding the circumstances under which police may conduct high-speed vehicle chases, Proposition E would also amend existing laws passed in 2019 to protect San ...
10 months ago Eff.org
New Grandoreiro Malware Variant Targets Spain - Cybersecurity experts at Proofpoint have identified a new variant of the Grandoreiro malware, previously known for targeting victims in Brazil and Mexico. This latest version of Grandoreiro, attributed to the threat actor TA2725, has expanded its ...
1 year ago Infosecurity-magazine.com
San Francisco Police's Live Surveillance Yields Almost 200 Hours of Spying-Including of Music Festivals - A new report reveals that in just three months, from July 1 to September 30, 2023, the San Francisco Police Department racked up 193 hours and 19 minutes of live access to non-city surveillance cameras. That means for the equivalent of 8 days, police ...
10 months ago Eff.org
29 malware families target 1,800 banking apps worldwide - Mobile banking is outpacing online banking across all age groups due to its convenience and our desire to have those apps at our fingertips, according to Zimperium. This surge is accompanied by a dramatic growth in financial fraud. The research ...
11 months ago Helpnetsecurity.com
Threatening Emails Rattle Bengal Schools: Police Pursue Latvia Lead - In a statement announced Tuesday, the Kolkata Police said that more than 20 schools across the city have been threatened with bombs, which have been later revealed as hoaxes. According to the sender, bombs had been placed in numerous classrooms ...
8 months ago Cysecurity.news
PixPirate: The Brazilian financial malware you can't see, part one - The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan malware that heavily utilizes anti-research techniques. Within IBM Trusteer, we saw several different ...
10 months ago Securityintelligence.com
Types of Malware and How To Prevent Them - Malware is one of the biggest security threats to any type of technological device, and each type of malware uses unique tactics for successful invasions. Even if you've downloaded a VPN for internet browsing, our in-depth guide discusses the 14 ...
5 months ago Pandasecurity.com
How to Remove Malware + Viruses - Malware removal can seem daunting after your device is infected with a virus, but with a careful and rapid response, removing a virus or malware program can be easier than you think. We created a guide that explains exactly how to rid your Mac or PC ...
8 months ago Pandasecurity.com
'Coyote' Malware Begins Its Hunt, Preying on 61 Banking Apps - In all, it represents a notable evolution in Brazil's thriving market for financial malware - and could spell big trouble down the line for security teams if it expands its focus. It may be a Brazil-focused threat to consumers for now, but as ...
10 months ago Darkreading.com
Victory! Police Drone Footage is Not Categorically Exempt From California's Public Records Law - Video footage captured by police drones sent in response to 911 calls cannot be kept entirely secret from the public, a California appellate court ruled last week. The police department is the first law enforcement agency in the country to use drones ...
11 months ago Eff.org
February 2024's Most Wanted Malware: WordPress Websites Targeted by Fresh FakeUpdates Campaign - Our latest Global Threat Index for February 2024 saw researchers uncover a fresh FakeUpdates campaign compromising WordPress websites. These sites were infected using hacked wp-admin administrator accounts, with the malware adapting its tactics to ...
9 months ago Blog.checkpoint.com
How to Extract Malware Configurations in a Sandbox - The most sought-after source of these indicators is malware configurations. Malware Sandboxing Leader ANY.RUN handles the heavy lifting of phishing and malware analysis for SOC and DFIR teams and also helps 300,000 professionals use the platform to ...
10 months ago Gbhackers.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
7 months ago Cybersecurity-insiders.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)