Grandoreiro Banking Trojan is Back With Major Updates

A prolific banking Trojan has resurfaced in several new campaigns with enhanced functionality designed to make it a more potent threat, according to IBM.

The tech giant’s X-Force cybersecurity unit said it has been tracking several large-scale phishing campaigns since March.

These include attacks impersonating Mexico’s Tax Administration Service (SAT), Federal Electricity Commission (CFE) and Secretary of Administration and Finance, as well as the Revenue Service of Argentina and the South African Revenue Service (SARS).

“In each campaign, the recipients are instructed to click on a link to view an invoice or fee, account statement, make a payment, etc. depending on the impersonated entity,” IBM X-Force said.

“If the user who clicks on the links is within a specific country (depending on the campaign, Mexico, Chile, Spain, Costa Rica, Peru, or Argentina), they are redirected to an image of a PDF icon, and a ZIP file is downloaded in the background. The ZIP files contain a large executable disguised with a PDF icon, found to have been created the day prior to, or the day of the email being sent.”

This large (100MB) executable is the Grandoreiro loader. Grandoreiro malware has been around since at least 2017, but was previously confined to Spanish-speaking countries. International law enforcers made several arrests at the start of this year in a crackdown on the malware, which is said to have caused losses of around $120m.
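One way a defender can triage incoming ZIP attachments for the lure pattern IBM describes (a large PE executable inside the archive, stamped the day of or the day before the email was sent) is shown below. This is an added example, not code from IBM X-Force or from the article; the 50 MB size threshold and the sample archive it builds are constructed assumptions for illustration.

```python
import io
import zipfile
from datetime import date, timedelta

# Assumed threshold: the article describes a ~100 MB loader, so flag anything large.
DEFAULT_SIZE_THRESHOLD = 50 * 1024 * 1024


def triage_zip_lure(zip_bytes, email_date_iso, size_threshold=DEFAULT_SIZE_THRESHOLD):
    """Return indicator strings for the Grandoreiro-style lure pattern:
    a ZIP carrying a PE executable ("MZ" header), optionally very large,
    whose archive timestamp falls on the email's send date or the day before."""
    email_date = date.fromisoformat(email_date_iso)
    indicators = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic != b"MZ":
                continue  # not a DOS/PE executable; a genuine PDF starts with %PDF
            indicators.append(f"pe_executable:{info.filename}")
            if info.file_size >= size_threshold:
                indicators.append(f"large_payload:{info.file_size}")
            built = date(*info.date_time[:3])  # ZIP entry timestamp (year, month, day)
            if email_date - timedelta(days=1) <= built <= email_date:
                indicators.append(f"built_near_send_date:{built.isoformat()}")
    return indicators


def build_sample_zip(name, payload, stamp):
    """Build a constructed in-memory ZIP with one entry and a fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(name, date_time=stamp)  # stamp: (Y, M, D, h, m, s)
        zf.writestr(info, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a fake "PDF" that is really an executable stub.
    sample = build_sample_zip("Factura.exe", b"MZ" + b"\x00" * 4096, (2024, 5, 20, 9, 0, 0))
    print(triage_zip_lure(sample, "2024-05-21", size_threshold=1024))
```

The size threshold is lowered in the demo only so the constructed sample stays small; in production the PE check should be paired with the sender, geofencing and download-chain context the article describes.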

The new-look Grandoreiro is a modular operation, likely run as malware-as-a-service, with the ability to target over 1500 global banking applications and websites in more than 60 countries across Central/South America, Africa, Europe and the Indo-Pacific.

The latest version features updates to its string decryption and domain generation algorithm (DGA) calculation, which allow the malware to contact at least 12 different command-and-control (C2) domains per day. It also gains new capabilities that let it spread more efficiently by harvesting victim data from targeted email clients.

“There are at least three mechanisms implemented in Grandoreiro to harvest and exfiltrate email addresses, with each using a different DGA seed,” IBM X-Force explained. “By using the local Outlook client for spamming, Grandoreiro can spread through infected victim inboxes via email, which likely contributes to the large amount of spam volume observed from Grandoreiro.”

IBM warned that the updates and increase in targeted banking applications show that those behind Grandoreiro are looking to facilitate malicious campaigns on a truly global scale.