CyberSecurity news


Source: www.trustwave.com

References :
  • opentip.kaspersky.com: Kaspersky Report: Grandoreiro's Global Expansion
  • malware.news: Malware News: Grandoreiro's Ambitions
  • Securelist: Kaspersky's Securelist on Grandoreiro
  • www.gov.br: Brazilian Federal Police Operations Against Grandoreiro
  • www.lanacion.com.ar: Arrests of Grandoreiro Operators in Argentina
  • opentip.kaspersky.com: A global banking trojan that’s been around for years, Grandoreiro is still targeting millions of users.
  • securelist.com: Arrests of members of TeTrade, Seed groups, Grandoreiro and Melcoz
  • www.trustwave.com: Grandoreiro Banking Malware Resurfaces for Tax Season
  • securityonline.info: In a recent report by Kaspersky Labs, the notorious Grandoreiro banking trojan has once again made headlines, evolving into a significant global financial threat. Originating in Brazil, this trojan, which...
  • www.topazevolution.com: Grandoreiro: One malware, many operators, fragmented versions
  • opentip.kaspersky.com: Grandoreiro is a well-known Brazilian banking trojan — part of the umbrella — that enables threat actors to perform fraudulent banking operations by using the victim’s computer to bypass the security measures of banking institutions. It’s been active since at least 2016 and is now one of the most widespread banking trojans globally. INTERPOL and law enforcement agencies across the globe are fighting against Grandoreiro, and Kaspersky is cooperating with them, sharing TTPs and IoCs. However, despite the disruption of some local operators of this trojan in and , and the arrest of gang members in Spain, Brazil, and , they’re still active. We now know for sure that only part of this gang was arrested: the remaining operators behind Grandoreiro continue attacking users all over the world, further developing new malware and establishing new infrastructure. Every year we observe new Grandoreiro campaigns targeting financial entities, using new tricks in samples with low detection rates by security solutions. The group has evolved over the years, expanding the number of targets in every new campaign we tracked. In 2023, the banking trojan targeted 900 banks in 40 countries — in 2024, the newest versions of the trojan targeted 1,700 banks and 276 crypto wallets in 45 countries and territories, located on all continents of the world. Asia and Africa have finally joined the list of its targets, making it a truly global financial threat. In Spain alone, Grandoreiro has been responsible for fraudulent activities amounting to 3.5 million euros in profits, according to conservative estimates — several failed attempts could have yielded beyond 110 million euros for the criminal organization. 
    In this article, we will detail how Grandoreiro operates, its evolution over time, and the new tricks adopted by the malware, such as the usage of 3 DGAs (domain generation algorithm) in its C2 communications, the adoption of ciphertext stealing encryption (CTS), and mouse behavior tracking, aiming to bypass anti-fraud solutions. This evolution culminates with the appearance of lighter, local versions, now focused on Mexico, positioning the group as a challenge for the financial sector, law enforcement agencies and security solutions worldwide.
  • opentip.kaspersky.com: Grandoreiro is a well-known Brazilian banking trojan — part of the umbrella — that enables threat actors to perform fraudulent banking operations by using the victim’s computer to bypass the security measures of banking institutions. It’s been active since at least 2016 and is now one of the most widespread banking trojans globally.
  • securelist.com: Grandoreiro is a banking trojan of Brazilian origin that has been active since at least 2016 and is now one of the most widespread banking trojans globally.
  • malware.news: Increased stealth integrated into novel Grandoreiro banking trojan variants
  • www.scworld.com: Increased stealth integrated into novel Grandoreiro banking trojan variants