New Variants of Grandoreiro Banking Malware Emerge with Advanced Techniques to Evade Detection

New variants of the Grandoreiro banking malware have emerged with advanced tactics aimed at bypassing anti-fraud measures. These updates indicate ongoing development despite law enforcement efforts. Kaspersky reveals that the malware employs sophisticated techniques like domain generation algorithms and mouse tracking, targeting financial institutions worldwide. As the malware evolves, its threat to users intensifies, necessitating heightened cybersecurity vigilance.

New variants of the Grandoreiro banking malware have been detected employing advanced tactics aimed at circumventing anti-fraud measures, signaling the ongoing development of this malicious software despite law enforcement crackdowns. According to an analysis released by Kaspersky, only a portion of the Grandoreiro gang was apprehended, and the remaining operators continue to target users globally while enhancing their malware capabilities.

Evolving Tactics and Enhanced Features

The newly discovered variants of Grandoreiro utilize several sophisticated techniques, including a domain generation algorithm (DGA) for command-and-control (C2) communications, ciphertext stealing (CTS) encryption, and mouse tracking functionalities. Notably, the malware now includes “lighter, local versions” specifically tailored to target banking customers in Mexico.
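A DGA matters to defenders because a static blocklist cannot keep up with C2 names that change on a schedule; the practical countermeasure is to look for the shape of algorithmically generated names in DNS telemetry. The following is an added illustration, not code from Kaspersky's analysis or from the malware: it scores the registrable label of each queried name on entropy, length, vowel ratio and digit/letter mix, then aggregates hits per host, since a burst of odd names from one machine is a far stronger signal than any single lookup. The log format and all hostnames are constructed for the example and are not real Grandoreiro indicators.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (hypothetical format:
# "<timestamp> <host> query <type> <qname>"). None of these names are
# real Grandoreiro indicators; they exist only to exercise the heuristics.
SAMPLE_DNS_LOG = """\
2024-10-23T10:01:02Z host-17 query A www.example.com
2024-10-23T10:01:05Z host-17 query A mail.example.com
2024-10-23T10:01:09Z host-17 query A xkq7zr2vb9lwd.net
2024-10-23T10:01:10Z host-17 query A p3m8tqz0v4yxhj.info
2024-10-23T10:01:11Z host-17 query A wfj2ncq9x1kl7b.com
2024-10-23T10:01:12Z host-42 query A cdn.example.net
"""

LOG_RE = re.compile(r"^\S+\s+(?P<host>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; a random-looking label scores close to log2(len(s))."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """Second-level label. Crude on purpose: no public-suffix list, so it stays offline."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label: str) -> int:
    """Heuristic 0..4: high entropy, long label, few vowels, digits mixed with letters."""
    score = 0
    if shannon_entropy(label) > 3.0:
        score += 1
    if len(label) >= 10:
        score += 1
    vowels = sum(ch in "aeiou" for ch in label)
    if vowels / max(len(label), 1) < 0.2:
        score += 1
    if any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label):
        score += 1
    return score


def flag_dga_candidates(log_text: str, threshold: int = 3):
    """Parse the log and return (host, qname, score) for names at or above the threshold."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        qname = m.group("qname")
        score = dga_score(registrable_label(qname))
        if score >= threshold:
            flagged.append((m.group("host"), qname, score))
    return flagged


def hosts_with_dga_bursts(flagged, min_hits: int = 3):
    """One odd name is noise; several from the same host is the signal worth triaging."""
    per_host = defaultdict(int)
    for host, _, _ in flagged:
        per_host[host] += 1
    return sorted(h for h, n in per_host.items() if n >= min_hits)


if __name__ == "__main__":
    hits = flag_dga_candidates(SAMPLE_DNS_LOG)
    for host, qname, score in hits:
        print(f"{host}\t{qname}\tscore={score}")
    print("hosts with DGA-like bursts:", hosts_with_dga_bursts(hits))
```

The thresholds here are starting points, not tuned values: short legitimate labels such as `www` or `cdn` pick up a point for having no vowels, which is why the per-name threshold is set at 3 and why the per-host burst count, not the individual score, should drive an alert. In production the label extraction should use a public-suffix list and the scoring should be paired with an allowlist of known CDN and telemetry domains.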

Active since 2016, Grandoreiro has consistently adapted to remain undetected while expanding its geographic reach across Latin America and Europe. It is capable of stealing credentials from approximately 1,700 financial institutions across 45 countries and operates under a malware-as-a-service (MaaS) model, primarily offered to select cybercriminals.

Impact of Recent Arrests

This year saw the arrest of several gang members, which led to a fragmentation of Grandoreiro’s Delphi codebase. Kaspersky noted the presence of two distinct codebases in ongoing campaigns: one featuring updated code and the other relying on legacy code, which now targets only users in Mexico associated with around 30 banks.

Distribution Methods and Attack Vectors

Grandoreiro is typically distributed through phishing emails, with a smaller portion spread via malicious advertisements on Google. The initial attack vector often involves a ZIP file containing a legitimate file alongside an MSI loader responsible for downloading and executing the malware.

In 2023, Grandoreiro campaigns were observed using unusually large portable executables disguised as AMD External Data SSD drivers to bypass sandbox security measures. This technique allows the malware to operate under the radar while gathering host information and extracting IP address data.

Self-Detection and Monitoring Capabilities

Grandoreiro checks whether the username contains the strings "John" or "WORK" and halts its execution if it does. The malware also actively searches for various anti-malware solutions, including AVAST, Bitdefender, and Windows Defender, as well as banking security software like Topaz OFD and Trusteer.

Additionally, the malware can monitor user activity across applications, acting as a clipper to redirect cryptocurrency transactions to the attackers’ wallets. The recent variants also employ a CAPTCHA barrier before executing the main payload, further complicating automatic analysis by security tools.

Financial Exploitation and Future Threats

Once the malware successfully obtains user credentials, attackers typically cash out funds through local money mules identified via Telegram channels, compensating them between $200 and $500 per day. The criminals maintain remote access to victim machines using a Delphi-based tool called Operator, which lists victims as they navigate to targeted financial institution websites.

The evolution of Grandoreiro's tactics highlights a concerning trend where attackers increasingly adopt methods designed to defeat modern security measures that rely on behavioral biometrics and machine learning technologies.

Broader Implications for Cybersecurity

The emergence of these new variants indicates that Brazilian banking trojans are becoming a significant international threat, filling the void left by Eastern European cybercriminals transitioning into ransomware operations. In a related development, the Mexican cybersecurity firm Scitum recently warned of a new campaign named Gecko Assault that involves distributing two different banking malware families, Mispadu and Mekotio, targeting Windows users in the Latin American region.

Another banking trojan, codenamed Silver Oryx Blade, is also targeting LATAM users, particularly in Brazil, aiming to steal sensitive financial information. This malware is distributed through phishing emails that exploit themes such as salary bonuses and fiscal notifications, impersonating legitimate organizations like HR departments and Brazil’s Ministry of Finance.

Conclusion

The ongoing evolution of the Grandoreiro banking malware underscores the persistent threat posed by cybercriminals and highlights the need for enhanced cybersecurity measures to protect users from sophisticated attacks. As these threats continue to advance, both individuals and organizations must remain vigilant in adopting effective security practices.
