IBM X-Force Report: Grandoreiro Malware Targets More Than 1,500 Banks in 60 Countries

A caller study from IBM X-Force exposes changes successful the Grandoreiro malware landscape. The banking trojan is present susceptible of targeting much than 1,500 planetary banks successful much than 60 countries, and it has been updated with caller features.

Also, Grandoreiro’s targeting has go wider, arsenic it initially lone targeted Spanish-speaking countries, portion caller onslaught campaigns targeted countries successful Europe, Asia and Africa. In addition, the malware is present sending phishing emails straight from the victim’s Microsoft Outlook section lawsuit to recipients’ email addresses recovered successful the section system.

What is Grandoreiro?

According to Interpol, the Grandoreiro banking trojan has been a large menace crossed Spanish-speaking countries since 2017. The malware’s main functionalities let cybercriminals to power devices connected the infected computer, alteration keylogging, grip windows and processes, unfastened a browser and execute JavaScript wrong it, upload oregon download files, and nonstop emails, successful summation to its banking trojan capabilities.

Analysis of antithetic onslaught campaigns reveals that galore operators are progressive successful Grandoreiro attacks, arsenic stated by cybersecurity institution Kaspersky, which wrote successful July 2020, “It is inactive not imaginable to nexus this malware to immoderate circumstantial cybercrime group, though it is wide that the run is utilizing a MaaS (Malware-as-a-Service) concern model.”

SEE: Kaspersky Study: Devices Infected With Data-Stealing Malware Increased by 7 Times Since 2020

Arrests of suspected cybercriminals successful narration to Grandoreiro happened successful 2021, with 16 suspects being caught by the Spanish Police connected charges of laundering funds stolen done 2 banking trojans, including Grandoreiro. More recently, Brazilian authorities arrested 5 programmers and administrators down the banking malware, who were suspected to person defrauded victims of much than €3.5 million.

Yet the malware, developed successful Brazil, is inactive progressive and has started expanding its people database to different countries, specified arsenic Japan, Netherlands, Italy and South Africa, arsenic reported successful the caller probe from IBM’s X-Force team.

How bash Grandoreiro campaigns work?

All Grandoreiro campaigns commencement with phishing emails

Since March 2024, respective Grandoreiro phishing campaigns person impersonated entities successful Mexico, specified arsenic Mexico’s Tax Administration Service, Mexico’s Federal Electricity Commission oregon the Revenue Service of Argentina.

Different societal engineering techniques person been utilized since March 2024 successful the emails to entice the idiosyncratic to click a link: a last announcement to wage a debt, a reminder that 1 tin entree their relationship connection successful PDF oregon XML format oregon a reminder to work details connected a compliance notice.

Sample phishing email containing a malicious link. Image: IBM X-Force

In those phishing campaigns, lone users originating from circumstantial countries — Mexico, Chile, Spain, Costa Rica, Peru, Argentina — are being redirected to a payload erstwhile clicking connected the nexus provided successful the email.

Following the caller arrests involving Grandoreiro operators, researchers observed a surge successful campaigns targeting countries beyond the accustomed Spanish-speaking ones, including Japan, the Netherlands, Italy and South Africa, with emails written successful English.

Sample phishing email targeting South African users. Image: IBM X-Force

Next comes the corruption chain

After the idiosyncratic clicks the malicious nexus successful the phishing email, a customized loader is launched, presenting a fake Adobe PDF Reader captcha, which requires a click to proceed with the execution, astir apt to separate betwixt existent users and automated systems specified arsenic sandboxes.

Then, the loader collects immoderate unfortunate information and sends it to the command&control server utilizing encryption based connected AES and base64 algorithms. The information sent to the C2 consists of the machine and idiosyncratic names, the operating strategy version, the antivirus name, the victim’s nationalist IP address, and a database of moving processes. In addition, the loader checks for the beingness of the Microsoft Outlook lawsuit arsenic good arsenic crypto wallets and peculiar banking information products specified arsenic IBM Trusteer oregon Topaz OFD.

The loader tin beryllium configured to disallow victims from circumstantial countries based connected their IP addresses. One malware illustration recovered by IBM X-Force stopped if the idiosyncratic was located successful Russia, Czech Republic, Poland oregon Netherlands.

If each conditions are met, the Grandoreiro banking trojan is downloaded, decrypted via an RC4-based algorithm and executed.

Targeting much than 1,500 banks worldwide

Grandoreiro’s database of targeted applications has accrued to much than 1,500 banks worldwide, according to IBM X-Force, with slope applications besides tied to regions. For example, if the victim’s state is identified arsenic Belgium, the malware volition hunt for each targeted banking applications associated with the European region.

In addition, 266 unsocial strings are utilized by the malware to place cryptocurrency wallets.

Grandoreiro’s targeted banking applications per country. Image: IBM X-Force

Recent updates successful Grandoreiro

New DGA algorithm

Researchers Golo Mühr and Melissa Frydrych analyzed the malware successful extent and recovered the malware, which traditionally relied connected domain procreation algorithms to find its C2 server references, contained a reworked DGA.

The caller algorithm introduces aggregate seeds for its DGA, “used to cipher a antithetic domain for each mode oregon functionality of the banking trojan, allowing separation of C2 tasks among respective operators arsenic portion of their Malware-as-a-Service operation” arsenic stated by the researchers.

Grandoreiro’s caller DGA algorithm. Image: IBM X-Force

For 1 analyzed sample, for a fixed day, 12 domains could beryllium utilized arsenic C2 domains, with 4 of them being progressive connected that time and starring to Brazilian-based IP addresses.

C2 server domains for a Grandoreiro illustration for April 17, 2024. Image: IBM X-Force

Microsoft Outlook abuse

Recent versions of Grandoreiro maltreatment the section Microsoft Outlook bundle erstwhile disposable connected an infected computer.

The malware interacts with the Outlook Security Manager Tool, a instrumentality designed to make Outlook add-ins. The usage of the instrumentality allows the malware to disable alerts wrong Outlook earlier it starts harvesting each sender email addresses recovered successful the victim’s mailbox, filtering the email addresses to debar collecting unwanted ones specified arsenic those containing “noreply,” “feedback” oregon “newsletter,” to sanction a fewer from the malware’s blocklist.

In addition, the malware scans parts of the victim’s folders recursively to hunt for much email addresses, looking for files with circumstantial extensions, including .csv, .txt, .xls and .doc.

The malware past starts sending spam based connected phishing templates it received from its C2 server earlier deleting each the sent emails from the victim’s mailbox.

In bid to debar being caught by the idiosyncratic who could announcement suspicious behaviour from the computer, the malware lone starts sending the emails erstwhile the past input connected the instrumentality is astatine slightest 5 minutes aged oregon longer successful immoderate malware variants.

How to support from this Grandoreiro malware threat

• Do cautious web analysis. In particular, aggregate consecutive requests to ip-api.com/json indispensable trigger alerts and investigations, arsenic it mightiness beryllium an indicator of a Grandoreiro infection.
• Monitor tally keys successful the Windows registry. Any summation extracurricular of a mean bundle installation should beryllium investigated intimately to observe malware activity.
• Block pre-calculated DGA domains via DNS.
• Deploy endpoint information bundle connected each machine to observe malware.
• Educate users and unit to observe phishing emails and imaginable fraud attempts.
• Keep each hardware and bundle up to day and patched successful bid not to beryllium infected via a communal vulnerability.

Disclosure: I enactment for Trend Micro, but the views expressed successful this nonfiction are mine.