Grandoreiro and 100 MB of fraud: pumped Trojan attacks banks around the world via Outlook

This time the malware went far beyond Latin America…

The hacker group behind the Grandoreiro banking Trojan for Windows has resumed its global campaign since March 2024, following a law enforcement operation to dismantle its infrastructure in January.

According to IBM X-Force, large-scale phishing attacks, probably carried out by other cybercriminals under a "malware-as-a-service" (MaaS) model, target more than 1,500 banks in more than 60 countries across Central and South America, Africa, Europe and the Indo-Pacific region.

Although Grandoreiro initially focused on Latin America, Spain and Portugal, the current expansion is likely a change of strategy following attempts by the Brazilian authorities to shut down the malware's infrastructure.

Along with expanding the scope of attacks, the malware itself has undergone significant improvements, which indicates active development. "The malware analysis revealed major updates in the string decryption and domain generation algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to further send phishing emails," said researchers Golo Mühr and Melissa Frydrych.

Attacks start with phishing emails instructing recipients to click on a link to view an invoice or make a payment, depending on the lure used and the government agency being impersonated.

Victims who click on the link are redirected to an image of a PDF icon, which eventually leads to downloading a ZIP archive containing the Grandoreiro executable loader. This loader is artificially inflated to more than 100 MB to bypass anti-virus scanning. It also checks whether the compromised host is running in a sandbox, sends basic information about the victim to the command-and-control (C2) server, and launches the main Trojan.

It is worth noting that these checks also cause the loader to skip systems located in Russia, the Czech Republic, Poland and the Netherlands, as well as Windows 7 machines in the United States with no antivirus installed.

The main component of the Trojan begins by establishing persistence via the Windows registry, after which it uses the redesigned domain generation algorithm to locate the C2 server and receive further instructions.

Grandoreiro supports various commands that allow attackers to remotely control the system, perform file operations, and activate special modes, including a new module for collecting Microsoft Outlook data and abusing the victim's email account to send spam to other targets.

"To interact with the local Outlook client, Grandoreiro uses the Outlook Security Manager tool, a software product for developing Outlook add-ins," the researchers explained. "The main reason is that Outlook Object Model Guard issues security warnings when access to protected objects is detected."

"By using a local Outlook client to send spam, Grandoreiro can spread through infected victims' email inboxes, which is likely contributing to the high volume of spam seen from Grandoreiro."
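The loader described above is padded to more than 100 MB so that it exceeds the size limits of many anti-virus scanners. That padding is itself a detectable artifact: a binary that is mostly repeated bytes compresses extremely well inside the ZIP and consists of long stretches of near-zero entropy. The following triage script is an added example written for this post; it is not the malware, not IBM X-Force tooling, and the archive it inspects is constructed in memory (the member name `invoice.exe` and the sizes are assumptions). It reads the ZIP central directory first, so a suspiciously compressible large member is noticed without extracting anything, and only then scans the member's content for padding.

```python
"""Heuristic triage for 'pumped' executables delivered inside ZIP archives.

Added example (constructed, not the malware or the researchers' code): it flags
archive members that are large, compress 50x or more, and are mostly
low-entropy padding, which is what an artificially inflated loader looks like.
"""
import io
import math
import os
import zipfile
from collections import Counter
from dataclasses import dataclass

CHUNK = 64 * 1024  # analyse content in 64 KiB windows


def chunk_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte for one window (0.0 for empty input)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def padding_ratio(data: bytes, max_entropy: float = 0.5) -> float:
    """Fraction of 64 KiB windows whose entropy is so low they are effectively padding."""
    offsets = range(0, len(data), CHUNK)
    if len(offsets) == 0:
        return 0.0
    low = sum(1 for off in offsets if chunk_entropy(data[off:off + CHUNK]) < max_entropy)
    return low / len(offsets)


@dataclass
class Finding:
    name: str
    file_size: int
    compress_size: int
    compression_ratio: float
    padding: float
    suspicious: bool


def triage_zip(blob: bytes, size_threshold: int = 100 * 1024 * 1024,
               min_ratio: float = 50.0, min_padding: float = 0.5) -> list[Finding]:
    """Inspect every member of a ZIP held in memory and rate it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Central-directory pre-filter: no extraction needed. A member that is
            # huge but shrinks 50x under deflate is almost entirely repeated bytes.
            ratio = info.file_size / max(info.compress_size, 1)
            candidate = info.file_size >= size_threshold and ratio >= min_ratio
            # Only candidates are read; padding stays 0.0 for everything else.
            pad = padding_ratio(zf.read(info)) if candidate else 0.0
            findings.append(Finding(info.filename, info.file_size, info.compress_size,
                                    ratio, pad, candidate and pad >= min_padding))
    return findings


def build_sample_archive(padding_bytes: int = 2 * 1024 * 1024) -> bytes:
    """Constructed sample: a fake 'executable' (MZ header + 8 KiB random data +
    zero padding) next to a small text file, zipped in memory."""
    fake_exe = b"MZ" + b"\x00" * 62 + os.urandom(8192) + b"\x00" * padding_bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", fake_exe)          # assumed lure file name
        zf.writestr("readme.txt", b"Please review the attached invoice.\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Threshold lowered to 1 MiB so the 2 MiB sample trips it; production use
    # would keep the 100 MiB default that matches the loader described above.
    for f in triage_zip(build_sample_archive(), size_threshold=1024 * 1024):
        print(f"{f.name}: {f.file_size} bytes, ratio {f.compression_ratio:.0f}x, "
              f"padding {f.padding:.2f}, suspicious={f.suspicious}")
```

The compression ratio comes straight from the ZIP headers, so an e-mail gateway or sandbox can apply that first test to every attachment at negligible cost and reserve the entropy scan for the few members that pass it. The default 100 MiB threshold mirrors the size the loader is padded to; lowering it catches smaller pumped binaries at the price of more false positives from legitimately large, highly compressible installers.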