Grandoreiro banking trojan: overview of recent versions and new tricks

Grandoreiro is a prominent Brazilian banking trojan that falls under the broader Tetrade malware family, operational since at least 2016. This malware allows cybercriminals to execute fraudulent banking activities directly through victims’ computers, effectively circumventing the security measures employed by financial institutions. Despite significant law enforcement efforts, including arrests in multiple countries, the threat posed by Grandoreiro remains robust, characterized by continuous evolution in tactics and technology, leading to an expansion of its global impact and the number of targeted financial entities.

The sophistication of Grandoreiro’s operations is evident in the yearly rise in its campaigns and targets. In 2023, the malware targeted around 900 banks across 40 countries, and by 2024, this figure rose to approximately 1,700 banks and 276 cryptocurrency wallets across 45 countries. The malware intensified its reach into Asia and Africa, thereby establishing itself as a truly global cyber threat, particularly evident in Europe where it has allegedly generated millions of euros in illicit profits.

Grandoreiro has adopted various innovative techniques to enhance its effectiveness and evade detection. These include the implementation of advanced Domain Generation Algorithms (DGAs) for command and control communications and the introduction of complex encryption methods, such as Ciphertext Stealing (CTS), which complicate traditional analysis. The trojan is also evolving in terms of user interaction mimicking, employing behavior tracking techniques to imitate legitimate mouse movements as a means of bypassing machine learning-based security systems.

Operational dynamics of Grandoreiro illustrate a distinct approach to malware deployment. It serves as a Malware-as-a-Service (MaaS) entity, albeit with limited access to its source code, available primarily to trusted partners. Following the arrests of key operators, the malware fragmented into smaller, localized versions, which allowed it to sidestep law enforcement disruption strategies while continuing targeted attacks, notably in Mexico.

Grandoreiro campaigns typically commence with email phishing attacks, often crafted in the local language to enhance credibility. These emails contain lures designed to compel victims into downloading malware disguised within seemingly benign files, like PDFs or ZIP archives. The trojan’s loaders are adept at executing malicious payloads based on pre-defined criteria, such as the language settings of the victim’s computer, ensuring that attacks are primarily focused on non-English speaking systems.

The malware’s infection mechanisms have also been updated, with the use of large, cleverly disguised executable files that can evade antivirus detection. The current versions leverage improved encryption techniques and comprehensive checks to shield themselves from security tools and analysts, which includes gathering extensive data on the infected systems and their configurations. Among such checks is the identification of installed security applications, which will trigger a complete halt in malware execution upon detection.

Further complicating detection efforts, Grandoreiro employs elaborate anti-analysis measures, monitoring for the presence of various debugging and monitoring tools. The malware self-terminates upon recognizing these tools, effectively impeding security efforts. Moreover, its use of clipboard manipulation techniques for cryptocurrency transactions indicates a deliberate focus on financial fraud that blends traditional banking theft with modern digital asset vulnerabilities.

Recent campaigns have integrated features like CAPTCHA challenges to hinder automated analysis, further demonstrating the attackers’ attempts to adapt to dynamic security landscapes. The introduction of a range of new tools for detection also points to a continuous improvement strategy among Grandoreiro operators, allowing them to maintain a step ahead of cybersecurity defenses.

The trojan’s infrastructure supports advanced operations, utilizing Cloud VPS setups to obscure the operators’ real identities and evade investigative scrutiny. This technique enables swift shifts in operational bases, ensuring that even if one layer is compromised, others remain functional and obscure.

Despite extensive efforts by Kaspersky and global law enforcement, Grandoreiro persists as a significant player in the cybercrime landscape, illustrating the challenges faced in fighting such resilient malware families. This persistent threat necessitates enhanced cooperation between private security firms and law enforcement, emphasizing that eradication requires a multifaceted approach to hamper these criminal enterprises effectively.

In conclusion, the Grandoreiro trojan exemplifies the increasing sophistication and adaptability of malware, which has evolved alongside advancements in cybersecurity. As it continues to perpetrate financial fraud across a broader range of targets, a concerted effort from both private and public sectors will be essential to mitigate the risks associated with this and similar threats.