The reappearance of the Grandoreiro banking trojan is a clear sign that a law enforcement takedown does not end a malware operation. Following a crackdown earlier this year, the operators of this Windows-based trojan have been running a global campaign since March 2024, targeting more than 1,500 banks across 60 countries, according to IBM X-Force.
Grandoreiro, previously focused on Latin America, Spain, and Portugal, has widened its targeting considerably through large-scale phishing campaigns run under a malware-as-a-service (MaaS) model. Renting out the malware lets affiliates with little technical skill mount convincing phishing operations and monetise the resulting bank-account theft.
The delivery chain is simple but effective: phishing emails impersonating government entities lure recipients with invoices or payment requests. Clicking the link leads to a website that offers what looks like a harmless PDF download; the file is in fact the Grandoreiro loader executable.
The loader ships inside a ZIP archive inflated well beyond the size many anti-malware engines are willing to scan, and before doing anything else it checks its environment for signs of a sandbox or analysis tooling. Only once it is satisfied does it contact a command-and-control (C2) server and retrieve the main banking trojan.
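The two delivery tricks above (an executable posing as a PDF, padded so that scanners skip it) can be caught at the mail gateway or on an analyst's workstation without extracting the archive. The script below is an added example, not code from the article or from IBM X-Force: it inspects ZIP members in place, reads only the first bytes of each, and flags PE content behind a PDF-looking name, an extreme uncompressed-to-compressed ratio (zero padding compresses almost to nothing), and a file size above an assumed scanner limit. The sample archive, the member names and the thresholds are all constructed for the demonstration.

```python
"""Triage a ZIP attachment for the padded-executable-as-PDF delivery pattern."""
from __future__ import annotations

import io
import zipfile

PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"
# Assumed scanner ceiling; many engines skip members above this size.
SCAN_LIMIT = 100 * 1024 * 1024
# uncompressed/compressed above this suggests the file was padded with
# repetitive bytes (zeros compress roughly 1000:1 under DEFLATE).
INFLATION_RATIO = 20.0


def build_sample_zip(padding: int = 4 * 1024 * 1024) -> bytes:
    """Constructed sample: a PE-looking stub padded with zeros and named like a PDF."""
    stub = PE_MAGIC + b"\x90" * 62 + b"\x00" * padding  # not a real executable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Factura_2024.pdf.exe", stub)
        zf.writestr("README.txt", b"constructed sample, not real malware")
    return buf.getvalue()


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per suspicious member; never writes members to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the magic bytes, even for huge members
            name = info.filename.lower()
            reasons = []
            if head.startswith(PE_MAGIC):
                if ".pdf" in name:
                    reasons.append("executable-posing-as-pdf")
                else:
                    reasons.append("executable-content")
            elif name.endswith(".pdf") and not head.startswith(PDF_MAGIC):
                reasons.append("pdf-name-without-pdf-header")
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > INFLATION_RATIO:
                reasons.append(f"inflated-x{int(ratio)}")
            if info.file_size > SCAN_LIMIT:
                reasons.append("exceeds-assumed-scan-limit")
            if reasons:
                findings.append(
                    {"name": info.filename, "size": info.file_size, "reasons": reasons}
                )
    return findings


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"{f['name']}: {f['size']} bytes, {', '.join(f['reasons'])}")
```

The check deliberately works from the central directory plus a four-byte read per member, so it costs the same for a 2 MB archive as for a 300 MB one; that is the point when the attacker's evasion relies on the defender refusing to look at large files.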
The changes go beyond delivery. Recent analysis shows updates to the malware itself: reworked string decryption, an updated domain generation algorithm (DGA) for locating C2 servers, and, most notably, the ability to drive the Microsoft Outlook client on an infected host to send further phishing emails, turning each victim into a distribution point.
Grandoreiro also supports a large set of remote commands that let operators control infected systems, manipulate files, and use the victim's email account to send spam. Because those messages leave through the local Outlook client from a legitimate mailbox, they carry the victim's identity and are harder for the next recipient to dismiss, which is what keeps the infection cycle going.
The resurgence of Grandoreiro is a reminder that dismantling infrastructure rarely ends an operation. Defenders should expect the operators to return and keep phishing training, mail-gateway filtering, and endpoint detection current rather than treating a takedown as the end of the threat.