The Grandoreiro banking trojan, a Windows-based threat, has re-emerged in a global campaign targeting over 1,500 banks since March 2024, following a law enforcement takedown earlier in the year.
The resurgence is marked by large-scale phishing attacks likely facilitated by cybercriminals using a malware-as-a-service (MaaS) model. These attacks span more than 60 countries, including regions in Central and South America, Africa, Europe, and the Indo-Pacific.
Originally known for its activity in Latin America, Spain, and Portugal, Grandoreiro’s expansion suggests a strategic shift following Brazilian authorities’ attempts to dismantle its infrastructure. The malware itself has undergone significant improvements, indicating ongoing development.
“Recent analyses show major updates in string decryption and domain generating algorithms (DGA), along with capabilities to exploit Microsoft Outlook clients on infected machines for further phishing email dissemination,” reported security researchers.
The attack sequence begins with phishing emails, luring recipients to click links purportedly leading to invoices or payment instructions. Clicking these links redirects users to an image of a PDF icon, ultimately downloading a ZIP archive containing the Grandoreiro loader executable.
The loader is artificially inflated to more than 100 MB, a size beyond the scanning limits of many anti-malware products and sandboxes. Before doing anything else it checks that it is not running in a sandbox, collects basic victim data, and reports to a command-and-control (C2) server, and only then downloads and executes the main banking trojan. The same checks abort the infection on hosts located in Russia, Czechia, Poland, and the Netherlands, and on Windows 7 machines in the U.S. with no antivirus software installed.
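The inflated-loader trick described above is something a mail gateway or an endpoint triage script can test for directly. The Python below is an added example written for this article, not code from the original report or from any vendor. It builds a constructed ZIP holding a fake, non-runnable PE padded with two megabytes of zeros next to a normal-looking one, then applies two heuristics to each PE member: a compression-ratio test (padding made of one repeated byte deflates to almost nothing) and a check that the PE overlay, the bytes past the last section, is large and dominated by a single byte value. The thresholds, file names and helper names are assumptions chosen for the demonstration.

```python
"""Triage check for ZIP-delivered, artificially inflated Windows loaders.

Added example for this article (not IBM X-Force or Grandoreiro code).
Heuristics, thresholds and the sample archive are assumptions/constructed.
"""
import io
import os
import struct
import zipfile
from collections import Counter

INFLATE_RATIO = 50          # uncompressed/compressed ratio treated as suspicious (assumption)
MIN_OVERLAY = 1024 * 1024   # overlays smaller than 1 MiB are ignored (assumption)
MONO_FRACTION = 0.95        # share of the overlay taken by its most common byte (assumption)


def pe_overlay(data: bytes) -> bytes:
    """Return the bytes after the last PE section (the overlay); b'' if none or not a PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return b""
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return b""
        # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20 from the signature
        num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        table = e_lfanew + 24 + opt_size      # section table follows the optional header
        end = 0
        for i in range(num_sections):
            # SizeOfRawData at +16 and PointerToRawData at +20 of each 40-byte section header
            raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
            end = max(end, raw_ptr + raw_size)
    except struct.error:                      # truncated or malformed headers
        return b""
    return data[end:] if 0 < end < len(data) else b""


def overlay_is_padding(overlay: bytes) -> bool:
    """True when the overlay is large and almost entirely one byte value (zero-fill or similar)."""
    if len(overlay) < MIN_OVERLAY:
        return False
    top_count = Counter(overlay).most_common(1)[0][1]
    return top_count / len(overlay) >= MONO_FRACTION


def scan_zip(archive: bytes) -> list:
    """Scan an in-memory ZIP and return one finding dict per PE member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if data[:2] != b"MZ":
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            overlay = pe_overlay(data)
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "ratio": round(ratio, 1),
                "overlay_bytes": len(overlay),
                # either signal is enough: padding deflates away, or the overlay is one repeated byte
                "inflated": ratio >= INFLATE_RATIO or overlay_is_padding(overlay),
            })
    return findings


def build_fake_pe(overlay: bytes) -> bytes:
    """Constructed test data: a minimal, non-runnable PE32 with one section followed by an overlay."""
    e_lfanew, opt_size, raw_ptr, raw_size = 0x40, 0xE0, 0x200, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + b"\0" * opt_size + section).ljust(raw_ptr, b"\0")
    return headers + b"\xCC" * raw_size + overlay


def build_sample_zip() -> bytes:
    """Constructed archive: a zero-padded 'invoice' loader next to an ordinary-looking binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Fatura_2024.exe", build_fake_pe(b"\0" * (2 * 1024 * 1024)))
        zf.writestr("tool.exe", build_fake_pe(os.urandom(64 * 1024)))
        zf.writestr("readme.txt", "invoice attached")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f"{f['name']:<18} size={f['size']:>9} ratio={f['ratio']:>7} "
              f"overlay={f['overlay_bytes']:>8} inflated={f['inflated']}")
```

Run it directly to print one line per PE member. The overlay test deliberately ignores large high-entropy overlays, so self-extracting installers that carry a compressed payload after the PE sections are not flagged. The flip side is that a loader padded with random bytes instead of a repeated byte would pass both tests; for that case size-based quarantine or detonation is the remaining option.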
Once active, the trojan establishes persistence via the Windows Registry and uses a revamped DGA to connect with a C2 server for further instructions. It supports various commands for remote system control, file operations, and special modes, including a new module that collects Microsoft Outlook data and uses the victim’s email to send spam.
“Grandoreiro interacts with the local Outlook client using the Outlook Security Manager tool to avoid security alerts triggered by the Outlook Object Model Guard,” the researchers explained. “By exploiting the local Outlook client, Grandoreiro can propagate through victim inboxes via spam emails, contributing to the high spam volume observed.”
This evolution highlights the continued threat posed by Grandoreiro as it adapts and expands its reach globally.
Because the chain described here relies on a user following a link and running an executable from a ZIP archive rather than on any software vulnerability, the most effective controls against Grandoreiro sit at the email gateway and on the endpoint. Filter or detonate links and attachments that deliver archives containing executables, and quarantine oversized binaries that arrive this way rather than letting them bypass scanners on size alone. Keeping browsers and email clients patched remains good hygiene, but it does not by itself break this infection chain. Endpoint protection should be tuned to the loader's behaviour, in particular new Registry persistence entries and the Outlook client being driven by an unexpected process, instead of relying only on file scanning.