Cyber Defense Advisors

New Grandoreiro Banking Malware Variants Emerge with Advanced Tactics to Evade Detection

New variants of a banking malware called Grandoreiro have been found to adopt new tactics in an effort to bypass anti-fraud measures, indicating that the malicious software is continuing to be actively developed despite law enforcement efforts to crack down on the operation.

“Only part of this gang was arrested: the remaining operators behind Grandoreiro continue attacking users all over the world, further developing new malware and establishing new infrastructure,” Kaspersky said in an analysis published Tuesday.

Some of the other freshly incorporated tricks include the use of a domain generation algorithm (DGA) for command-and-control (C2) communications, ciphertext stealing (CTS) encryption, and mouse tracking. Also observed are “lighter, local versions” that are specifically focused on targeting banking customers in Mexico.

Grandoreiro, active since 2016, has consistently evolved over time, taking efforts to stay undetected, while also widening its geographic scope to Latin America and Europe. It’s capable of stealing credentials for 1,700 financial institutions, located in 45 countries and territories.

It’s said to operate under the malware-as-a-service (MaaS) model, although evidence points to it being only offered to select cybercriminals and trusted partners.

One of the most significant developments this year concerning Grandoreiro is the arrests of some of the group’s members, an event that has led to the fragmentation of the malware’s Delphi codebase.

“This discovery is supported by the existence of two distinct codebases in simultaneous campaigns: newer samples featuring updated code, and older samples which rely on the legacy codebase, now targeting only users in Mexico — customers of around 30 banks,” Kaspersky said.

Grandoreiro is primarily distributed by means of a phishing email, and to a lesser extent, through malicious ads served on Google. The first stage is a ZIP file, which, in turn, contains a legitimate file and an MSI loader that’s responsible for downloading and launching the malware.

Campaigns observed in 2023 have been found to leverage extremely large portable executables with a file size of 390 MB by masquerading as AMD External Data SSD drivers to bypass sandboxes and fly under the radar.

The banking malware comes equipped with features to gather host information and IP address location data. It also extracts the username and checks if it contains the strings “John” or “WORK,” and if so, halts its execution.

“Grandoreiro searches for anti-malware solutions such as AVAST, Bitdefender, Nod32, Kaspersky, McAfee, Windows Defender, Sophos, Virus Free, Adaware, Symantec, Tencent, Avira, ActiveScan, and CrowdStrike,” the company said. “It also looks for banking security software, such as Topaz OFD and Trusteer.”

Another notable function of the malware is to check for the presence of certain web browsers, email clients, VPN, and cloud storage applications on the system and monitor user activity across those apps. Furthermore, it can act as a clipper to reroute cryptocurrency transactions to wallets under the threat actor’s control.

Newer attack chains detected in the aftermath of the arrests this year include a CAPTCHA barrier prior to the execution of the main payload as a way to get around automatic analysis.

The latest version of Grandoreiro has also received significant updates, including the ability to self-update, log keystrokes, select the country for listing victims, detect banking security solutions, use Outlook to send spam emails and monitor Outlook emails for specific keywords.

It’s also equipped to capture mouse movements, signaling an attempt to mimic user behavior and trick anti-fraud systems into identifying the activity as legitimate.

“This discovery highlights the continuous evolution of malware like Grandoreiro, where attackers are increasingly incorporating tactics designed to counter modern security solutions that rely on behavioral biometrics and machine learning,” the researchers said.

Once the credentials are obtained, the threat actors cash out the funds to accounts belonging to local money mules by means of transfer apps, cryptocurrency, or gift cards, or an ATM. The mules are identified using Telegram channels, paying them $200 to $500 per day.

Remote access to the victim machine is facilitated using a Delphi-based tool named Operator that displays a list of victims whenever they begin browsing a targeted financial institution website.

“The threat actors behind the Grandoreiro banking malware are continuously evolving their tactics and malware to successfully carry out attacks against their targets and evade security solutions,” Kaspersky said.

“Brazilian banking trojans are already an international threat; they’re filling the gaps left by Eastern European gangs who have migrated into ransomware.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.