Newly evolved variants of the Grandoreiro banking malware are adopting sophisticated techniques to evade detection, showing that the malicious software remains active despite law enforcement crackdowns.
Researchers have observed the malware’s operators employing updated tactics, including a domain generation algorithm (DGA) for command-and-control communications, ciphertext stealing (CTS) encryption, and even mouse-tracking functionalities to simulate legitimate user activity and fool anti-fraud mechanisms.
Only part of the Grandoreiro gang has been apprehended, leaving other operators free to continue developing the malware and setting up new infrastructure to launch attacks globally.
Targeting Latin America and Europe, Grandoreiro has evolved continuously since its emergence in 2016, now capable of stealing credentials from over 1,700 financial institutions in 45 countries.
While some versions now focus on Mexican banking customers, Grandoreiro operates as a selective malware-as-a-service (MaaS) scheme available only to a trusted network of cybercriminals.
Since the recent arrests of some gang members, researchers have found two distinct codebases in active use: a new version with updated features and an older variant aimed at customers of approximately 30 Mexican banks.
Grandoreiro often spreads through phishing emails or, less frequently, via malicious ads. Victims initially receive a ZIP file containing a legitimate-looking MSI loader that downloads the malware.
The malware also deploys unusually large files disguised as legitimate drivers to evade detection tools. Once inside a system, Grandoreiro gathers host data and checks for the presence of specific usernames, like “John” or “WORK,” as well as anti-malware solutions from popular providers.
Additionally, the malware searches for banking security software and scans for specific web browsers, email clients, VPN, and cloud storage applications, allowing it to track user activity on these apps. Grandoreiro can even reroute cryptocurrency transactions by substituting wallet addresses, resulting in unauthorized transfers.
Recent variants of Grandoreiro have introduced further advancements, such as CAPTCHA challenges to bypass automated detection tools, self-update capabilities, and keylogging functions. These versions can target specific countries, send spam via Outlook, monitor Outlook emails for keywords, and mimic user activity by tracking mouse movements—all methods to evade behavior-based security solutions.
Once credentials are compromised, threat actors use a network of local money mules, often recruited through Telegram channels and paid between $200 and $500 daily, to transfer funds through payment apps, cryptocurrency, gift cards, or ATMs. A Delphi-based tool named Operator grants attackers remote access to the infected machine, listing victims when they access targeted banking sites.
To combat sophisticated banking malware like Grandoreiro, organizations and users should implement multi-layered security practices. Regularly updating software, conducting frequent security audits, and enabling advanced detection systems that incorporate behavioral analysis are essential steps.