Wednesday, January 31, 2024

Brazilian Police Arrest a Group Behind "Grandoreiro" Trojan, A Latin-American Bank Disaster

In a significant development, Brazilian law enforcement has apprehended several operators associated with the Grandoreiro malware in a targeted operation. The Federal Police of Brazil executed five temporary arrest warrants and 13 search and seizure warrants across several states, including São Paulo, Santa Catarina, Pará, Goiás, and Mato Grosso. Slovak cybersecurity firm ESET, which played a crucial role in the operation, identified a design flaw in Grandoreiro's network protocol that aided in uncovering the victimology patterns.

Grandoreiro, one of several Latin American banking trojans alongside Javali, Melcoz, Casbaneiro, Mekotio, and Vadokrist, has been actively targeting countries such as Spain, Mexico, Brazil, and Argentina since 2017. The malware gained attention in late October 2023 when Proofpoint disclosed details of a phishing campaign distributing an updated version to targets in Mexico and Spain.

This banking trojan can steal data through keylogging and screenshots, and siphons bank login information via overlays displayed when victims visit predetermined banking sites. It can also show fake pop-up windows and block the victim's screen. The attack chains typically rely on phishing lures containing decoy documents or malicious URLs that, when opened, deploy the malware. The malware then establishes contact with a command-and-control (C&C) server for manual remote control.

ESET highlighted that Grandoreiro monitors the foreground window to identify a web browser process window matching predefined bank-related strings, initiating communication with its C&C server only under these conditions. The threat actors behind the malware have been using a domain generation algorithm (DGA) since around October 2020 to dynamically identify a destination domain for C&C traffic, making it harder to block or track.

ESET also noted Grandoreiro's flawed implementation of its RealThinClient (RTC) network protocol for C&C, enabling the retrieval of information about the connected victims. The disruption operation, led by the Federal Police of Brazil, targeted individuals believed to hold high positions in the Grandoreiro operation hierarchy. The investigation revealed an average of 551 unique victims connecting to the C&C server each day, mainly distributed across Brazil, Mexico, and Spain, with an average of 114 new unique victims daily.
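As an added illustration of the victimology analysis described above (not ESET's or the article's code), the following script computes the two figures the investigation reported, unique victims per day and new unique victims per day, plus a per-country breakdown, from C&C connection records. The records here are constructed; the field layout (day, victim identifier, country) is an assumption, not the real RTC data format.

```python
from collections import defaultdict

# Constructed sample records: (day, victim_id, country). Values are made up for
# illustration; the real data came from the C&C server's flawed RTC protocol.
SAMPLE_RECORDS = [
    ("2024-01-01", "v1", "BR"), ("2024-01-01", "v2", "MX"), ("2024-01-01", "v1", "BR"),
    ("2024-01-02", "v2", "MX"), ("2024-01-02", "v3", "ES"), ("2024-01-02", "v4", "BR"),
    ("2024-01-03", "v1", "BR"), ("2024-01-03", "v5", "BR"),
]


def daily_victimology(records):
    """Return {day: (unique_victims, new_victims)} in chronological order.

    A victim counts as "new" on the first day it is ever observed, so repeated
    check-ins from the same infected host do not inflate the counts.
    """
    per_day = defaultdict(set)
    for day, victim, _country in records:
        per_day[day].add(victim)
    seen = set()
    stats = {}
    for day in sorted(per_day):
        victims = per_day[day]
        stats[day] = (len(victims), len(victims - seen))
        seen |= victims
    return stats


def averages(stats):
    """Average (unique per day, new per day) over the observed days."""
    days = len(stats)
    unique_total = sum(u for u, _ in stats.values())
    new_total = sum(n for _, n in stats.values())
    return unique_total / days, new_total / days


def country_distribution(records):
    """Distinct victims per country, for the geographic distribution."""
    victims_by_country = defaultdict(set)
    for _day, victim, country in records:
        victims_by_country[country].add(victim)
    return {c: len(v) for c, v in sorted(victims_by_country.items())}


if __name__ == "__main__":
    stats = daily_victimology(SAMPLE_RECORDS)
    for day, (unique, new) in stats.items():
        print(f"{day}: {unique} unique, {new} new")
    print("averages (unique, new):", averages(stats))
    print("by country:", country_distribution(SAMPLE_RECORDS))
```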
