Grandoreiro Malware Targets Over 1500 Banks Worldwide

Grandoreiro banking malware continues to actively target 1,500 banks worldwide despite a recent crackdown, an investigation reveals. Since March 2024, IBM X-Force has detected many large-scale phishing campaigns distributing the Grandoreiro banking malware.

The widespread phishing attacks, which target more than 1,500 banks globally, are probably made possible by hackers using a Malware-as-a-Service (MaaS) approach. IBM X-Force reports that these attacks have affected over 60 nations in the Indo-Pacific, Europe, Africa, and Central and South America.

In January 2024, an international law enforcement effort comprising Brazil, Spain, Interpol, ESET, and Caixa Bank disrupted the malware operation. This operation had been targeting Spanish-speaking nations since 2017, resulting in $120 million in losses.

Authorities conducted thirteen search and seizure operations across Brazil during the operation, but details regarding the involvement of the five arrested individuals remain undisclosed.

According to security experts Melissa Frydrych and Golo Mühr:

“Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails.”

Updated Grandoreiro Makes Banking Malware More Stealthy

The attack begins with phishing emails that persuade recipients to click a link to view an invoice or make a payment. The objective of the lure and the government organization impersonated in the emails vary.

The development Process of the Grandoreiro Banking Malware C2 Server (IBM)

Users who click the link are sent to a PDF icon image, which prompts them to download a ZIP package containing the Grandoreiro loader executable. To avoid detection by anti-malware software, this custom loader is almost 100 MB in size.

The loader tries to evade sandbox analysis on the compromised host, collects basic victim data and sends it to a command-and-control (C2) server, and downloads and runs the main banking malware.
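
A defender-side triage of the delivery step described above, as an added example that is not from IBM X-Force or the original article: it reads a ZIP attachment's central directory and flags executable members that are unusually large or compress implausibly well. The thresholds, the file names and the assumption that an inflated loader contains compressible padding are illustrative and not taken from the report.

```python
import io
import os
import zipfile

EXEC_EXT = (".exe", ".scr", ".com", ".msi")
SIZE_LIMIT = 50 * 1024 * 1024   # assumption: executables above 50 MB are unusual in mail
RATIO_LIMIT = 20.0              # assumption: padding compresses far better than real code


def triage_zip(data, size_limit=SIZE_LIMIT, ratio_limit=RATIO_LIMIT):
    """Flag executable ZIP members that look size-inflated, without unpacking them."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(EXEC_EXT):
                continue
            # Sizes come from the ZIP central directory, so nothing is decompressed yet.
            ratio = info.file_size / max(info.compress_size, 1)
            reasons = []
            if info.file_size >= size_limit:
                reasons.append("oversized")
            if ratio >= ratio_limit:
                reasons.append("highly-compressible")
            if not reasons:
                continue
            with zf.open(info) as member:      # stream only the first two bytes
                is_pe = member.read(2) == b"MZ"
            findings.append({"name": info.filename, "size": info.file_size,
                             "ratio": round(ratio, 1), "pe_header": is_pe,
                             "reasons": reasons})
    return findings


def build_sample_zip():
    """Constructed sample: one zero-padded fake loader, one small ordinary-looking binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_viewer.exe", b"MZ" + b"\x00" * (2 * 1024 * 1024))
        zf.writestr("tool.exe", b"MZ" + os.urandom(4096))
        zf.writestr("readme.txt", b"constructed sample, not real malware\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Threshold lowered to 1 MB so the small constructed sample trips the size rule.
    for hit in triage_zip(build_sample_zip(), size_limit=1024 * 1024):
        print(hit)
```

Because many scanners skip very large files, a check like this belongs at the mail gateway or download proxy, where the archive metadata is available before any size-based scan exemption applies.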

The emails, written in the recipient’s local language and including official logos and styles, feature a call to action, such as clicking links to examine bills, account statements, or tax paperwork.

South African Revenue Service Phishing Email (IBM)

Grandoreiro provides a variety of commands, allowing threat actors to remotely manipulate systems, perform file operations, and activate special modes. One major innovation is a new module that captures Microsoft Outlook data and utilises the victim’s email account to transmit spam to other targets.

According to researchers:

To interact with the local Outlook client, Grandoreiro uses the Outlook Security Manager tool, software for developing Outlook add-ins. This approach bypasses the Outlook Object Model Guard, which triggers security alerts when accessing protected objects.

By using the local Outlook client to send spam, Grandoreiro propagates across compromised inboxes, which leads to the large amount of spam reported in this attack.

Grandoreiro malware has undergone substantial changes, according to IBM X-Force, making it a far more serious threat to users. This version enhances its ability to avoid detection using an innovative string decryption technique that combines AES CBC encryption with a unique decoder.

The domain generation algorithm (DGA) has also been upgraded, using multiple seeds to better manage command and control (C2) communications and operator tasks.

Furthermore, a new technique targets Microsoft Outlook clients, turning off security alerts and sending phishing emails to new recipients using compromised credentials.

The malware is becoming more difficult to deal with due to its increased persistence. These upgrades not only boost the trojan’s efficacy but also raise the possibility that it may severely compromise individuals and organisations.

According to IBM experts, the most recent version of the malware avoids executing in several countries, including Poland, the Czech Republic, the Netherlands, and Russia. Additionally, it does not run on Windows 7 systems in the US that lack an active antivirus program. This clearly confirms that Grandoreiro is still as active and powerful as ever despite recent law enforcement operations.

Educate users about phishing tactics and warning signs. Train them to identify suspicious emails, verify sender legitimacy, and avoid clicking on unknown links or opening attachments from untrusted sources.

Implementing effective spam filtering systems at the gateway level can stop a large percentage of phishing emails before they reach user inboxes. Even if the exact malware strain is unknown, use behavior-based detection techniques in endpoint security systems to find and stop harmful activity.

Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness about these types of attacks. Phishing Tackle is a great resource that can help you in this regard. They offer a free 14-day trial to help train your users to recognise and avoid phishing attacks. 

Although technology can be helpful, it cannot spot 100% of phishing emails. Therefore, user education is important for minimising the impact of any successful attacks. Consulting with Phishing Tackle can provide valuable insights and tools to help you strengthen your defences against phishing attacks.