Grandoreiro Banking Trojan Targets 1,500+ Banks Worldwide

The Grandoreiro banking trojan has resurfaced in a global campaign targeting over 1,500 banks across 60+ countries.

The infamous Grandoreiro banking trojan has made a comeback in a large-scale operation targeting 1,500 banks across more than 60 countries. This extensive phishing campaign, which kicked off in March 2024, signifies a resurgence of the Windows-based malware following a law enforcement crackdown earlier in January.

Cybersecurity experts suggest that the individuals responsible for Grandoreiro may have joined forces with cybercriminals opting for a malware-as-a-service (MaaS) approach to carry out attacks. The campaign's impact now extends beyond the trojan's targets in Latin America, Spain and Portugal to include nations across Africa, Europe and the Indo-Pacific region.

Grandoreiro’s Enhanced Capabilities

The Grandoreiro banking trojan has been upgraded significantly, which shows continued development by its creators. The updates include improved string decryption techniques, a better domain generation algorithm (DGA), and the capability to take over Microsoft Outlook clients on compromised systems to spread phishing emails effectively.

Grandoreiro attacks typically start with phishing emails that trick recipients into clicking a link by pretending to be related to an invoice or payment. When clicked, the link triggers the download of a ZIP file containing the Grandoreiro loader executable. This custom loader, intentionally made larger than 100 MB to avoid detection by anti-malware tools, checks the targeted system and downloads the main banking trojan payload.
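The delivery pattern described above (a ZIP whose executable unpacks to more than 100 MB) can be checked at a mail or download gateway without unpacking the file. The following is an added triage example, not code from the article or from any vendor; the function names, extension list and compression-ratio cutoff are assumptions, and the ratio check assumes the extra size is highly compressible padding.

```python
import io
import zipfile

EXEC_EXTS = (".exe", ".scr", ".com", ".dll", ".msi")  # assumed extension list
SIZE_THRESHOLD = 100 * 1024 * 1024  # 100 MB, the loader size cited in the article
RATIO_THRESHOLD = 20                # assumed cutoff for "compresses suspiciously well"


def triage_zip(data, size_threshold=SIZE_THRESHOLD, ratio_threshold=RATIO_THRESHOLD):
    """Flag executable ZIP members whose declared unpacked size meets the threshold.

    Sizes come from the central directory and only two bytes per member are
    read, so an inflated member is never fully decompressed during triage.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            has_mz = False
            if not info.flag_bits & 0x1:  # encrypted members cannot be peeked
                with zf.open(info) as member:
                    has_mz = member.read(2) == b"MZ"  # PE/DOS magic bytes
            has_exec_ext = info.filename.lower().endswith(EXEC_EXTS)
            if not (has_mz or has_exec_ext) or info.file_size < size_threshold:
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            findings.append({
                "name": info.filename,
                "unpacked_bytes": info.file_size,
                "ratio": round(ratio, 1),
                "padded": ratio >= ratio_threshold,
                "disguised": has_mz and not has_exec_ext,
            })
    return findings


def build_sample_zip(pad_bytes):
    """Constructed test archive: a zero-padded fake 'MZ' file plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_0001.exe", b"MZ" + b"\x00" * pad_bytes)
        zf.writestr("readme.txt", b"constructed sample, not real malware\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(2 * 1024 * 1024)
    for hit in triage_zip(sample, size_threshold=1024 * 1024):
        print(hit)
```

The demo lowers the threshold to 1 MB so the constructed sample stays small; in production the 100 MB default applies, and a hit should route the archive to deeper analysis rather than let it bypass scanning because of its size.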
