New versions of the banking malware called Grandoreiro have been found to be using new tactics in an attempt to circumvent anti-fraud measures, indicating that the malware continues to be actively developed despite efforts by law enforcement to shut down the operation.
“Only part of this gang has been arrested: the remaining operators behind Grandoreiro continue to attack users around the world, developing new malware and building new infrastructure,” Kaspersky said in an analysis published on Tuesday.
Some of the other newly incorporated techniques include the use of a domain generation algorithm (DGA) for command-and-control (C2) communication, ciphertext stealing (CTS) encryption and mouse tracking. There are also “lite local versions” that are specifically targeted at bank customers in Mexico.
Grandoreiro, which has been active since 2016, has consistently evolved over time, making efforts to remain unnoticed while expanding its geography to Latin America and Europe. It is capable of stealing credentials for 1,700 financial institutions located in 45 countries and territories.
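A DGA lets the malware rotate C2 domains instead of hard-coding them, so blocklists go stale quickly; defenders therefore tend to triage DNS logs for domains that look machine-generated. The following is an added example written for this article, not Kaspersky's code and not a description of Grandoreiro's actual DGA (which the analysis above does not detail): it scores the registrable label of each queried domain on entropy, vowel ratio, consonant-run length and digit density, and flags a domain when at least two of those heuristics fire. The log format, the thresholds and the domains in the sample log are all constructed assumptions.

```python
"""Heuristic DGA-domain triage over DNS query logs (added example, not Kaspersky's code)."""
import math
import re
from collections import Counter

# Constructed sample DNS query log lines for this example; none are real Grandoreiro domains.
SAMPLE_DNS_LOG = """\
2024-10-22T10:01:02Z 10.0.0.5 A www.example.com
2024-10-22T10:01:05Z 10.0.0.5 A mail.google.com
2024-10-22T10:01:09Z 10.0.0.5 A xk7qzp3vbn2mwt.com
2024-10-22T10:01:10Z 10.0.0.5 A qpwoeirutyalskdjfhg.net
2024-10-22T10:01:12Z 10.0.0.5 A 8f3k2j9d1h.org
2024-10-22T10:01:15Z 10.0.0.5 A cdn.jsdelivr.net
"""

VOWELS = set("aeiou")
MIN_SIGNALS = 2  # assumed threshold: a label must trip at least this many heuristics


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_non_vowel_run(s: str) -> int:
    """Longest run of characters that are not vowels (digits count as non-vowels)."""
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def registrable_label(domain: str) -> str:
    """Label left of the public suffix. Simplified to the second-to-last label;
    a real deployment would consult the Public Suffix List for suffixes like co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_signals(label: str) -> dict:
    """Return which lexical heuristics fire for a single DNS label (thresholds are assumptions)."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    return {
        "high_entropy": shannon_entropy(label) >= 3.5,
        "few_vowels": vowel_ratio < 0.2,
        "long_consonant_run": longest_non_vowel_run(label) >= 5,
        "many_digits": digit_ratio > 0.2,
    }


def is_dga_like(domain: str) -> bool:
    """True when enough heuristics fire on the registrable label."""
    return sum(dga_signals(registrable_label(domain)).values()) >= MIN_SIGNALS


# Assumed log line shape: "<timestamp> <client-ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+) (\S+) (A|AAAA|CNAME) (\S+)$")


def flag_dga_queries(log_text: str) -> list:
    """Return the queried domains that look algorithmically generated, in log order."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        domain = m.group(4)
        if is_dga_like(domain):
            flagged.append(domain)
    return flagged


if __name__ == "__main__":
    for d in flag_dga_queries(SAMPLE_DNS_LOG):
        print("DGA-like:", d, dga_signals(registrable_label(d)))
```

Lexical heuristics like these produce false positives on CDN hostnames and short brand names, which is why the example requires two independent signals and why, in practice, a hit is a triage cue to correlate with NXDOMAIN bursts and newly registered domains rather than a verdict on its own.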
It is said to operate on a Malware-as-a-Service (MaaS) model, although evidence suggests that it is only offered to select cybercriminals and trusted partners.
One of the most significant developments this year regarding Grandoreiro has been the arrests of some members of the group, an event that led to the fragmentation of the malware’s Delphi codebase.
“This discovery is supported by the existence of two different codebases in simultaneous campaigns: new samples with updated code and old samples that rely on an outdated codebase, now targeting only users in Mexico — customers of about 30 banks,” Kaspersky said.
Grandoreiro is mainly distributed via phishing emails and to a lesser extent via malicious Google ads. The first step is a ZIP file, which in turn contains a legitimate file and an MSI loader responsible for downloading and running the malware.
Campaigns observed in 2023 were found to be using extremely large portable executables with a file size of 390MB, masquerading as AMD External Data SSD drivers to bypass sandboxes and fly under the radar.
The banking malware is equipped with features to collect host information and IP address location data. It also retrieves the username and checks whether it contains the strings “John” or “WORK”; if so, it stops its execution.
“Grandoreiro is looking for anti-malware solutions such as AVAST, Bitdefender, Nod32, Kaspersky, McAfee, Windows Defender, Sophos, Virus Free, Adaware, Symantec, Tencent, Avira, ActiveScan and CrowdStrike,” the company said. “It is also looking for banking security software such as Topaz OFD and Trusteer.”
Another important feature of the malware is checking for the presence of certain web browsers, email clients, VPNs and cloud storage applications on the system and monitoring user activity in these applications. In addition, it can act as a clipper to redirect cryptocurrency transactions to wallets controlled by the threat actor.
New attack chains discovered after this year’s arrests include a CAPTCHA barrier before executing the main payload as a way to bypass automatic analysis.
The latest version of Grandoreiro also received significant updates, including the ability to self-update, record keystrokes, select a country for the victim list, detect banking security solutions, use Outlook to send spam, and monitor Outlook emails for specific keywords.
It is also equipped to capture mouse movements, signaling an attempt to mimic user behavior and trick anti-fraud systems into identifying the activity as legitimate.
“This discovery highlights the continued evolution of malware like Grandoreiro, where attackers are increasingly using tactics designed to counter modern security solutions that rely on behavioral biometrics and machine learning,” the researchers said.
Once the credentials are obtained, threat actors withdraw funds to accounts owned by local money mules using money transfer programs, cryptocurrency, gift cards, or ATMs. The mules are recruited through Telegram channels and are paid $200 to $500 a day.
Remote access to the victim machine is provided using the Delphi-based Operator tool, which displays a list of victims whenever a victim starts browsing the target financial institution’s website.
“The threat actors behind the Grandoreiro banking malware are constantly improving their tactics and malware to successfully attack their targets and evade security solutions,” Kaspersky said.
“Brazilian banking Trojans are already an international threat; they fill the gaps left by Eastern European groups that have switched to ransomware.”