Grandoreiro Strikes Back: Banking Trojan Resurges in Global Phishing Attacks
The hacker group behind the Grandoreiro banking Trojan for Windows has resumed its global campaign as of March 2024, following a law enforcement operation that dismantled its infrastructure in January.
According to IBM X-Force, large-scale phishing attacks, likely carried out by other cybercriminals using the “malware-as-a-service” (MaaS) model, are targeting over 1,500 banks worldwide across more than 60 countries in Central and South America, Africa, Europe, and the Indo-Pacific region.
Although Grandoreiro initially focused on Latin America, Spain, and Portugal, its current geographic expansion likely reflects a strategic shift following Brazilian authorities’ attempts to shut down its infrastructure.
In addition to the broader scope of its attacks, the malware itself has undergone significant enhancements, indicating active development. “Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails,” noted researchers Golo Mühr and Melissa Frydrych.
The attacks begin with phishing emails instructing recipients to click a link to view an invoice or payment, depending on the lure and the impersonated government agency.
Victims who click the link are redirected to an image of a PDF icon, which ultimately leads to the download of a ZIP archive containing the Grandoreiro downloader executable. This specialized downloader is artificially inflated to over 100 MB to evade antivirus scanning. It also checks whether the compromised host is in a sandbox environment, gathers basic victim data to the command and control (C2) server, and launches the main Trojan.
Notably, this initial check bypasses systems geolocated in Russia, the Czech Republic, Poland, the Netherlands, and machines running Windows 7 in the US without antivirus software.
The main component of the Trojan then establishes persistence via the Windows registry, using a revamped domain generation algorithm to connect to the C2 server and receive further instructions.
Grandoreiro supports various commands, allowing attackers to remotely control the system, perform file operations, and activate special modes, including a new module for collecting Microsoft Outlook data and abusing the victim’s email account to send spam to other targets.
“In order to interact with the local Outlook client, Grandoreiro uses the Outlook Security Manager tool, a software used to develop Outlook add-ins,” explained the researchers. “The main reason behind this is that the Outlook Object Model Guard triggers security alerts if it detects access on protected objects.”
“By using the local Outlook client for spamming, Grandoreiro can spread through infected victim inboxes via email, which likely contributes to the large amount of spam volume observed from Grandoreiro.”
