Grandoreiro banking trojan: overview of recent versions and new tricks

Oct. 23, 2024, 8:49 a.m.

Description

Grandoreiro is a Brazilian banking trojan that has grown into a global financial threat, targeting more than 1,700 banks and 276 cryptocurrency wallets in 45 countries. Despite law-enforcement action against its operators, the malware remains active, and newer builds add evasion techniques such as multiple domain generation algorithms (DGAs), string encryption in ciphertext-stealing (CTS) mode, and mouse-movement tracking to detect sandboxes and automated analysis. Initial infection comes through phishing e-mail and malvertising; once installed, the trojan applies several anti-analysis checks and uses a modular structure to steal credentials and carry out fraudulent transactions from the victim's machine. Recent campaigns show a split in the codebase: an updated branch and a legacy branch are deployed against different regions, with Mexico a prominent target of both. The operators rely on remote-access tooling to drive the victim's browser session and on cloud VPS infrastructure to hide their command-and-control activity.
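Ciphertext stealing is the one technique in the summary that analysts most often mishandle when writing a string decryptor, because the encrypted output is exactly as long as the plaintext and the last two blocks are laid out unconventionally. The following is an added, self-contained illustration of CBC with ciphertext stealing (the CS3 variant, in which the last two ciphertext blocks are always swapped); it is not Grandoreiro's code and not from the original page. The page only states that the malware uses ciphertext stealing, so the block cipher underneath is a stand-in (a small SHA-256-keyed Feistel network) constructed here so the example runs offline; the mode logic is independent of which 16-byte block cipher is plugged in.

```python
import hashlib
import os

BLOCK = 16  # 128-bit block size, the same as AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: SHA-256(key || round || right half), truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 16-byte block cipher (4-round Feistel keyed through SHA-256).

    Constructed for this example only: it is NOT AES and NOT the cipher the
    trojan uses. CTS just needs an invertible block permutation to wrap.
    """
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def cts_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC with ciphertext stealing, CS3 layout: C_1..C_{n-2} || C_n || C_{n-1}[:tail]."""
    if len(plaintext) < BLOCK:
        raise ValueError("ciphertext stealing needs at least one full block")
    if len(plaintext) == BLOCK:
        return block_encrypt(key, _xor(plaintext, iv))  # single block: plain CBC
    tail_len = len(plaintext) % BLOCK or BLOCK
    n_full = (len(plaintext) - tail_len) // BLOCK        # full blocks before the tail
    out, prev = [], iv
    for i in range(n_full):
        c = block_encrypt(key, _xor(plaintext[i * BLOCK:(i + 1) * BLOCK], prev))
        out.append(c)
        prev = c
    # Zero-pad the tail, chain it to the previous ciphertext block, encrypt in full.
    padded_tail = plaintext[n_full * BLOCK:].ljust(BLOCK, b"\x00")
    c_last = block_encrypt(key, _xor(padded_tail, prev))
    c_prev = out.pop()
    # The "stolen" bytes: C_{n-1} is emitted truncated to tail_len because its
    # missing bytes are recoverable from C_n, so no length expansion occurs.
    return b"".join(out) + c_last + c_prev[:tail_len]


def cts_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    if len(ciphertext) < BLOCK:
        raise ValueError("ciphertext too short")
    if len(ciphertext) == BLOCK:
        return _xor(block_decrypt(key, ciphertext), iv)
    tail_len = len(ciphertext) % BLOCK or BLOCK
    n_full = (len(ciphertext) - tail_len) // BLOCK
    head = ciphertext[:(n_full - 1) * BLOCK]
    c_last = ciphertext[(n_full - 1) * BLOCK:n_full * BLOCK]
    c_prev_trunc = ciphertext[n_full * BLOCK:]
    # D(C_n) = pad(P_n) XOR C_{n-1}. The pad is zero, so the bytes past tail_len
    # are exactly the stolen bytes of C_{n-1}; the first tail_len bytes XOR the
    # truncated C_{n-1} give the plaintext tail.
    x = block_decrypt(key, c_last)
    c_prev = c_prev_trunc + x[tail_len:]
    p_tail = _xor(x[:tail_len], c_prev_trunc)
    out, prev = [], iv
    for i in range(n_full - 1):
        c = head[i * BLOCK:(i + 1) * BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    p_prev = _xor(block_decrypt(key, c_prev), prev)
    return b"".join(out) + p_prev + p_tail


def roundtrip(key: bytes, iv: bytes, msg: bytes) -> bool:
    """True when decrypt(encrypt(msg)) == msg and no length expansion occurred."""
    ct = cts_encrypt(key, iv, msg)
    return len(ct) == len(msg) and cts_decrypt(key, iv, ct) == msg


if __name__ == "__main__":
    key, iv = os.urandom(32), os.urandom(BLOCK)
    for m in (b"A" * 16, b"seventeen bytes!!", b"x" * 47, b"y" * 64):
        print(len(m), cts_encrypt(key, iv, m).hex(), roundtrip(key, iv, m))
```

When reversing a sample that uses this mode, the tell-tale signs are encrypted strings whose length is not a multiple of the block size and a decryption routine that processes the final full block before the one preceding it. Note that the CS1 variant keeps the natural order (truncated C_{n-1} first, then C_n); the swap above is the CS3 convention, so check which one the sample implements before reusing this decryptor.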

Date

Published: Oct. 22, 2024, 11:35 p.m.

Created: Oct. 22, 2024, 11:35 p.m.

Modified: Oct. 23, 2024, 8:49 a.m.

Attack Patterns

Grandoreiro - S0531

Grandoreiro

Browser Session Hijacking - T1185

Automated Collection - T1119

Non-Standard Port - T1571

Virtualization/Sandbox Evasion - T1497

Encrypted Channel - T1573

Application Layer Protocol - T1071

Web Service - T1102

Process Injection - T1055

Automated Exfiltration - T1020

Remote Access Software - T1219

Masquerading - T1036

User Execution - T1204

Deobfuscate/Decode Files or Information - T1140

Obfuscated Files or Information - T1027

Input Capture - T1056

Exfiltration Over C2 Channel - T1041

Proxy - T1090

Valid Accounts - T1078

Command and Scripting Interpreter - T1059

Additional Information

Finance

Argentina

Spain

Mexico

Brazil