Notorious Banking Trojan ‘Grandoreiro’ Makes a Comeback – It’s More Powerful than Before

by
Krishi Chowdhary
from Techreport on (#6MYTB)
  • The infamous banking Trojan 'Grandoreiro' is back after being disrupted in January, and this time it is more powerful.
  • Operating as malware-as-a-service, it can target over 1,500 financial institutions in 60 countries.
  • The malware has gone through a series of updates, which suggests its operators are preparing larger-scale phishing campaigns.

It's a bad day for the financial industry: the notorious banking Trojan Grandoreiro has made a comeback, and it is more capable than before.

The new Grandoreiro operates as malware-as-a-service and can target more than 1,500 banking and financial institutions in around 60 countries across Africa, Europe, the Indo-Pacific, and Central and South America.

Previously, its attacks were limited to Latin America, Spain, and Portugal.

Since its comeback, however, it has been expanding into other regions, probably to avoid a repeat of the January 2024 takedown (more on that shortly).

The Downfall & Resurgence of Grandoreiro

Grandoreiro is not new. It has been active since 2017 and has already wreaked havoc in Spanish-speaking countries.

Several arrests were made at the start of 2024, and losses linked to the group were estimated at approximately $120 million.

Financial institutions probably heaved a sigh of relief when the operation was disrupted in January this year by an international law-enforcement effort.

However, the operators appear to be back at work. Grandoreiro's resurgence was noted by IBM, which said it had been tracking a number of large-scale phishing campaigns, including impersonations of Mexico's Tax Administration Service (SAT) and Federal Electricity Commission (CFE), all of them following the same pattern.

A Brief Breakdown of Grandoreiro's Attack Technique

To understand the threat Grandoreiro poses, let me walk you through how it works:

  • The victim receives an email directing them to click a link to view an invoice or account statement, or to make a payment; the exact pretext depends on which organisation the attackers are impersonating.
  • If the victim clicks the link, they are shown an image of a PDF icon while a ZIP file downloads in the background. This ZIP file contains the Grandoreiro loader executable.
  • The loader has been artificially inflated to more than 100MB, a size that many antimalware scanners skip, which helps it evade detection.
  • Once the loader runs on a system, it establishes persistence via the Windows Registry.
  • Grandoreiro then uses a reworked domain generation algorithm (DGA) to contact a command-and-control (C2) server and receive further instructions.
  • Finally, with the system compromised, the operators can remotely control it, enable special operating modes, and carry out further operations.

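
As an added illustration (not code from the original article or from any Grandoreiro analysis), the following Python script models the padding trick from the third step above: it builds a constructed ZIP archive containing a fake executable inflated with null bytes, then flags members whose size, trailing-padding ratio and compression ratio give away the inflation. The file names, the 2 MiB padding size (real samples are padded past 100 MB) and the 1 MiB size threshold are assumptions chosen for the demo, not details from the page.

```python
import io
import math
import zipfile
from collections import Counter

# Assumptions for this demo: a small padding size keeps it fast (real loaders are
# inflated past 100 MB), and anything above 1 MiB is considered worth a closer look.
PADDING_SIZE = 2 * 1024 * 1024
SIZE_THRESHOLD = 1 * 1024 * 1024


def build_padded_sample(payload: bytes, pad_byte: bytes = b"\x00", pad_size: int = PADDING_SIZE) -> bytes:
    """Append a run of identical bytes to a payload, mimicking an inflated loader."""
    return payload + pad_byte * pad_size


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a file that is mostly padding scores close to 0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def trailing_run_length(data: bytes) -> int:
    """Length of the run of identical bytes at the end of the file (the padding)."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def assess_binary(data: bytes, size_threshold: int = SIZE_THRESHOLD) -> dict:
    """Flag a blob as inflated when it is large and dominated by a single trailing byte run."""
    size = len(data)
    trailing = trailing_run_length(data)
    pad_ratio = trailing / size if size else 0.0
    return {
        "size": size,
        "trailing_pad_bytes": trailing,
        "pad_ratio": round(pad_ratio, 3),
        "entropy": round(shannon_entropy(data), 3),
        "inflated": size > size_threshold and pad_ratio > 0.9,
    }


def scan_zip(zip_bytes: bytes) -> list:
    """Inspect each member of an in-memory ZIP and attach padding indicators."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Padding compresses almost to nothing, so a tiny compression ratio is a tell
            # even before the member is extracted.
            ratio = info.compress_size / info.file_size if info.file_size else 1.0
            data = zf.read(info)
            result = assess_binary(data)
            result.update(
                name=info.filename,
                compression_ratio=round(ratio, 4),
                looks_executable=data[:2] == b"MZ",
            )
            findings.append(result)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a fake PE-like executable plus a benign text file."""
    payload = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(256)) * 16
    padded = build_padded_sample(payload)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Factura_SAT.exe", padded)  # constructed lure-style file name
        zf.writestr("readme.txt", b"benign text file")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

Running the script prints one dictionary per archive member; the fake executable shows a pad ratio near 1.0, near-zero entropy and a compression ratio well under one percent, while the text file is left alone. In practice the compression-ratio check is the cheap first pass, since it needs only the ZIP central directory, and the trailing-run and entropy checks confirm the finding after extraction.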
What's New in the Latest Grandoreiro Malware?

Grandoreiro is not only targeting more regions; significant updates have also been made to the malware itself. For example:

  • A close analysis revealed that its string-decryption and DGA routines have been upgraded; the domain generation algorithm can now produce at least 12 different command-and-control (C2) domains every day.
  • Another new feature makes it easier to spread the malware by harvesting victim data from targeted email clients. This can be done in three ways, one of which uses Microsoft Outlook.

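
As an added detection example (not from the original article or IBM's analysis), the Python snippet below runs a simple DGA heuristic over constructed DNS log lines: a host that queries many distinct non-existent domains with random-looking labels is flagged. The log format, the host addresses, the threshold of five NXDOMAIN responses and the assumption that unregistered DGA candidates come back as NXDOMAIN are all assumptions for this demo, not details from the page.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS log (not from any real capture): "<source host> <queried name> <rcode>".
# Host 10.0.0.9 cycles through random-looking names, as a DGA client does when most of
# the day's candidate domains are not registered.
SAMPLE_DNS_LOG = """\
10.0.0.5 mail.example-corp.test NOERROR
10.0.0.5 update.windows.test NOERROR
10.0.0.9 kq3x7zv1pdfb.test NXDOMAIN
10.0.0.9 m8ru2wn4lqzc.test NXDOMAIN
10.0.0.9 zp5yt9hcwq1n.test NXDOMAIN
10.0.0.9 b7vnd2ksx4qm.test NXDOMAIN
10.0.0.9 d4fk9qlwm2zx.test NXDOMAIN
10.0.0.9 v2cp8ztxj6lq.test NXDOMAIN
10.0.0.9 xw6kb3mzq9tr.test NXDOMAIN
10.0.0.9 g9mlq4ztvb7x.test NOERROR
10.0.0.5 cdn.example-corp.test NXDOMAIN
"""


def label_entropy(label: str) -> float:
    """Shannon entropy of a DNS label; random DGA labels score high, dictionary words low."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name: str) -> str:
    """Return the label directly left of the TLD (the part a DGA actually generates)."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_dns_log(text: str):
    """Yield (source, qname, rcode) tuples from the assumed space-separated log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, qname, rcode = line.split()
        yield src, qname.lower(), rcode


def find_dga_suspects(log_text: str, min_nxdomain: int = 5, min_entropy: float = 3.0) -> dict:
    """Flag hosts with many distinct NXDOMAIN names whose labels look random.

    Thresholds are demo assumptions: tune them to the baseline of the monitored network.
    """
    nx_labels = defaultdict(set)
    for src, qname, rcode in parse_dns_log(log_text):
        if rcode == "NXDOMAIN":
            nx_labels[src].add(second_level_label(qname))

    suspects = {}
    for src, labels in nx_labels.items():
        if len(labels) < min_nxdomain:
            continue
        mean_entropy = sum(label_entropy(lbl) for lbl in labels) / len(labels)
        if mean_entropy >= min_entropy:
            suspects[src] = {
                "distinct_nxdomain": len(labels),
                "mean_label_entropy": round(mean_entropy, 2),
                "examples": sorted(labels)[:3],
            }
    return suspects


if __name__ == "__main__":
    for host, info in find_dga_suspects(SAMPLE_DNS_LOG).items():
        print(host, info)
```

On the sample log only 10.0.0.9 is reported, with seven distinct failed lookups and a mean label entropy above 3.5 bits; 10.0.0.5's single typo-style NXDOMAIN stays under the count threshold. The entropy check is what separates a DGA client from a host that merely mistypes hostnames, and the successful lookup from 10.0.0.9 is the one worth pivoting on, since it is the candidate domain the operators actually registered.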
On this point, a researcher said: "In order to interact with the local Outlook client, Grandoreiro uses the Outlook Security Manager tool, a software used to develop Outlook add-ins."

The reason for this approach is that the Outlook Object Model Guard raises security alerts when it detects a program accessing protected objects; the Security Manager tool is designed to suppress those prompts, so the malware can read the client's data without alerting the user.

All in all, these updates are bad news for the financial industry. Given how much effort has gone into upgrading the malware, large-scale phishing campaigns are likely to follow across the globe.

The post Notorious Banking Trojan 'Grandoreiro' Makes a Comeback – It's More Powerful than Before appeared first on The Tech Report.

External Content
Source RSS or Atom Feed
Feed Location https://techreport.com/feed/
Feed Title Techreport
Feed Link https://techreport.com/