Bank Data Stealing Malware Is Back Despite Arrests

Investigation shows that despite a recent law-enforcement crackdown on the Grandoreiro banking trojan, the malware is back and is actively targeting roughly 1,500 banks worldwide.

The Grandoreiro banking trojan is known for targeting banks in Latin America, Spain, and Portugal, but IBM X-Force has identified a new wave of attacks that now also reaches Central and South America, Africa, Europe, and the Pacific. Alongside this expansion to about 1,500 banks globally, the malware itself has been significantly improved technically.

According to Cybernews, the malware is distributed through emails containing a malicious link. The emails impersonate government entities or other legitimate organizations (such as banks or financial institutions) and ask the victim to click the link to view an official document or make a payment. The victim is then redirected to a page showing a PDF icon while a ZIP archive is downloaded in the background; the archive contains a large executable disguised as a PDF.
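The delivery chain above ends with a ZIP archive whose payload is an executable posing as a PDF. The following is an added example, written for this page and not code from IBM X-Force, Cybernews, or the Grandoreiro operators, of the two checks a mail gateway or triage script would apply to such an attachment: a double-extension name (a name containing ".pdf" that actually ends in an executable extension) and a content/extension mismatch (a member named ".pdf" whose first bytes are the "MZ" header of a Windows PE file). The archive it scans is constructed inline for the demonstration and is not a real sample; the executable-extension list is an assumption covering the common Windows cases.

```python
"""Added example: flag executables disguised as PDFs inside a ZIP attachment."""
import io
import zipfile

MZ_MAGIC = b"MZ"        # header of a Windows PE executable (.exe, .dll, .scr, ...)
PDF_MAGIC = b"%PDF-"    # header of a genuine PDF file
# Assumption: extensions Windows will execute on double-click (not exhaustive).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".dll"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a ZIP member looks like a disguised executable.

    `name` is the member path inside the archive, `head` its first few bytes.
    An empty list means the member passed both checks.
    """
    reasons = []
    basename = name.lower().rsplit("/", 1)[-1]
    exts = ["." + part for part in basename.split(".")[1:]]

    # Check 1: double extension such as "statement.pdf.exe"
    if len(exts) >= 2 and ".pdf" in exts[:-1] and exts[-1] in EXEC_EXTENSIONS:
        reasons.append("double extension: PDF name ending in an executable extension")

    # Check 2: named .pdf but the content starts with a PE header, not %PDF-
    if exts and exts[-1] == ".pdf" and head.startswith(MZ_MAGIC):
        reasons.append("claims .pdf but has a PE (MZ) header")

    # Plain executable shipped in the archive (no disguise, still worth flagging)
    if exts and exts[-1] in EXEC_EXTENSIONS and head.startswith(MZ_MAGIC) and not reasons:
        reasons.append("PE executable inside the archive")
    return reasons


def scan_zip(blob: bytes) -> dict[str, list[str]]:
    """Scan every file in a ZIP held in memory; map suspicious member names to reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the header is needed for the magic-byte check
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive (not a real sample): a benign PDF, a note, and two lures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", PDF_MAGIC + b"1.4\n%fake body\n")
        zf.writestr("notes.txt", b"hello")
        zf.writestr("invoice.pdf.exe", MZ_MAGIC + b"\x00" * 62)       # double extension
        zf.writestr("Documento_Oficial.pdf", MZ_MAGIC + b"\x90" * 62)  # PE named as PDF
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member}: {'; '.join(why)}")
```

Because only the first bytes of each member are read, the check costs the same whether the disguised executable is a few kilobytes or has been padded to a very large size, which matters for the "large executable" described above and for any scanner that skips oversized files.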

Once installed, Grandoreiro can harvest email data from the victim's inbox and use it to spread further, which likely accounts for the large volume of spam tied to the campaign. On the infected system it behaves like a typical banking trojan aimed at stealing financial information: it logs keystrokes, simulates mouse activity, shares the victim's screen, and displays deceptive pop-ups. It also collects private and sensitive data such as usernames, operating system information, device uptime, and, most importantly, bank identifiers.

Experts at Cybernews assess that the trojan is likely run as malware-as-a-service (MaaS) for banking fraud, so even though it was the subject of a major law-enforcement crackdown in January 2024, other cybercriminals continue to use the malware in their attacks.

According to Interpol, Grandoreiro has been considered a major cybersecurity threat across Spanish-speaking countries since 2017. At the end of January 2024, Brazilian authorities reportedly dismantled a criminal gang that operated the malware and was responsible for the theft of $3.9 million in 2019.