Grandoreiro banking trojan: overview of recent versions and new tricks
Oct. 23, 2024, 8:49 a.m.
Description
Grandoreiro is a Brazilian banking trojan that has evolved into a global financial threat, targeting over 1,700 banks and 276 crypto wallets in 45 countries. Despite law enforcement efforts, the malware remains active, with new versions featuring enhanced evasion techniques like multiple Domain Generation Algorithms, ciphertext stealing encryption, and mouse behavior tracking. The trojan uses phishing emails and malvertising for initial infection, then employs various anti-detection methods and a modular structure for stealing credentials and performing fraudulent transactions. Recent campaigns show a split in the codebase, with both updated and legacy versions targeting different regions, particularly Mexico. The malware's operators use sophisticated tools for remote access and employ cloud VPS to hide their activities.
Date
Published: Oct. 22, 2024, 11:35 p.m.
Created: Oct. 22, 2024, 11:35 p.m.
Modified: Oct. 23, 2024, 8:49 a.m.
Attack Patterns
Grandoreiro - S0531
Grandoreiro
T1185
T1119
T1571
T1497
T1573
T1071
T1102
T1055
T1020
T1219
T1036
T1204
T1140
T1027
T1056
T1041
T1090
T1078
T1059
Additional Information
Finance
Argentina
Spain
Mexico
Brazil