New Grandoreiro Banking Malware Variants Emerge with Advanced Tactics to Evade Detection
- November 4, 2024
- Posted by: claudia
Recent analyses show that Grandoreiro, a banking trojan active since 2016, keeps developing new tactics despite law enforcement action against it. Kaspersky's findings indicate that while some members of the gang have been arrested, others are still operating globally and continue to extend the malware's capabilities and infrastructure. The malware has adopted several techniques to evade detection and banking anti-fraud systems, including a domain generation algorithm (DGA) for its command-and-control domains, ciphertext stealing (CTS) mode encryption, and mouse-movement tracking, with specific tricks aimed at banking customers in Mexico.
Grandoreiro targets the credentials of customers of roughly 1,700 financial institutions across 45 countries. It is run as malware-as-a-service (MaaS), offered selectively to a limited set of cybercriminals rather than sold openly. A significant development this year was the splitting of Grandoreiro's Delphi codebase following the arrests of some of its operators. Two distinct codebases now circulate: one carrying the updated code, and a legacy fork aimed specifically at users in Mexico.
The primary distribution method for Grandoreiro remains phishing email, with a smaller share of infections coming from malicious Google advertisements. In the initial stage of the attack the lure is a ZIP archive containing a legitimate decoy file alongside an MSI loader that launches the malware. Recent campaigns pad the portable executable to an unusually large size and disguise it as an AMD External Data SSD driver; oversized files are often skipped or truncated by scanners and sandboxes, which hinders both detection and analysis.
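As an added example (not part of the original article or of Kaspersky's analysis), the Python script below triages a ZIP attachment for the two initial-stage traits described above: an MSI member bundled with a decoy file, and an executable padded to an unusual size. The archive it inspects is constructed inline; the member names, the size and entropy thresholds, and the zero-filled overlay are assumptions for illustration, and the padding heuristics are generic rather than a description of Grandoreiro's actual binary layout.

```python
import io
import math
import struct
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # MSI files are OLE compound documents
TAIL_WINDOW = 64 * 1024            # bytes at the end of a file examined for padding
LOW_ENTROPY = 0.5                  # bits per byte; a repeated-byte overlay scores ~0
HIGH_COMPRESSION_RATIO = 50.0      # uncompressed/compressed; padded binaries deflate extremely well
LARGE_PE_BYTES = 100 * 1024 * 1024  # assumed threshold for "unusually large"; tune locally


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_zip(zip_bytes: bytes, large_pe_bytes: int = LARGE_PE_BYTES) -> dict:
    """Return per-member indicators for a ZIP attachment (names listed under each finding)."""
    report = {"msi": [], "pe": [], "large_pe": [], "padded_pe": [], "over_compressed": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            name = info.filename
            if data[:8] == OLE_MAGIC or name.lower().endswith(".msi"):
                report["msi"].append(name)
            if is_pe(data):
                report["pe"].append(name)
                if len(data) >= large_pe_bytes:
                    report["large_pe"].append(name)
                # Padding with a repeated byte shows up as near-zero entropy in the tail...
                if len(data) > TAIL_WINDOW and shannon_entropy(data[-TAIL_WINDOW:]) < LOW_ENTROPY:
                    report["padded_pe"].append(name)
            # ...and as an implausibly good compression ratio in the ZIP directory itself,
            # which can be checked before extracting anything.
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size > TAIL_WINDOW and ratio > HIGH_COMPRESSION_RATIO:
                report["over_compressed"].append(name)
    report["suspicious"] = bool(report["msi"] or report["padded_pe"] or report["large_pe"])
    return report


def fake_pe(overlay_len: int) -> bytes:
    """Constructed stand-in for a PE: MZ stub, e_lfanew = 0x40, PE signature, a few KiB of
    non-repeating bytes, then a zero-filled overlay of overlay_len bytes. Not a real executable."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    body = bytes((i * 7 + 3) & 0xFF for i in range(4096))
    return bytes(header) + b"PE\0\0" + body + b"\0" * overlay_len


def build_sample_zip() -> bytes:
    """Constructed sample archive: a decoy document, an MSI-like member, and a padded PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("factura.pdf", b"%PDF-1.4\n" + bytes(range(256)) * 64)   # decoy (constructed)
        zf.writestr("instalador.msi", OLE_MAGIC + b"\0" * 4096)             # MSI-like (constructed)
        zf.writestr("amd_ssd_driver.exe", fake_pe(2 * 1024 * 1024))         # padded PE (constructed)
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    import json
    print(json.dumps(triage_zip(SAMPLE_ZIP), indent=2))
```

The compression-ratio check is the cheapest of the three because it reads only the central directory, so it can run on mail gateways that refuse to inflate very large members; the entropy check catches overlays made of a single repeated byte but not padding with random data, which the size threshold is there to cover.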
Beyond stealing credentials, Grandoreiro collects host information, monitors user activity in specific applications, and checks for installed anti-malware and banking security software. It also acts as a clipper, swapping cryptocurrency wallet addresses copied to the clipboard for addresses controlled by the attackers. Newer attack chains additionally place a CAPTCHA in front of the payload so that automated analysis systems cannot retrieve it.
The latest Grandoreiro version adds self-updating, keystroke logging, and monitoring of Outlook for specific keywords. It also records the victim's mouse movements so they can be replayed to imitate legitimate user behavior, which complicates detection by anti-fraud systems that profile how a user interacts with the banking site. Grandoreiro's continuous evolution shows how operators adapt their methods to defenses built on behavioral analysis and machine learning.
Once access is gained, attackers monetize stolen credentials by transferring funds through money transfer applications, cryptocurrency, or gift cards. Local mules, recruited via Telegram, receive compensation ranging from $200 to $500 daily for their involvement in the operation.
Additionally, remote access to compromised machines is facilitated through a Delphi-based tool called Operator, which allows attackers to monitor victims when they access targeted banking sites. The sophistication of Grandoreiro epitomizes the growing international threat of Brazilian banking trojans, particularly as Eastern European gangs pivot towards ransomware.
In a related development, Mexican cybersecurity firms have warned of a campaign named Gecko Assault that deploys the Mispadu and Mekotio banking malware families against Windows users in Latin America. Users in Brazil also face another banking trojan, Silver Oryx Blade, which steals financial data from the banking websites its victims visit. This trojan relies on phishing messages disguised as legitimate communications, adding to the pressure on defenders in the region.