After a brief hiatus following a law enforcement crackdown in January, the Grandoreiro banking trojan has re-emerged in a widespread cyber attack campaign starting in March 2024. This campaign targets over 1,500 banks across more than 60 countries, including regions in Central and South America, Africa, Europe, and the Indo-Pacific, according to IBM X-Force.
Grandoreiro, primarily known for its attacks in Latin America, Spain, and Portugal, appears to be changing its strategy following the disruption of its infrastructure by Brazilian authorities. The malware’s resurgence is marked by large-scale phishing attacks, likely facilitated by other cybercriminals using a malware-as-a-service (MaaS) model.
Significant improvements have been made to the Grandoreiro malware, indicating ongoing development. Security researchers Golo Mühr and Melissa Frydrych noted, “Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails.”
The attack campaign begins with phishing emails that lure recipients to click on links under the guise of viewing an invoice or making a payment, depending on the impersonated government entity. Clicking the link redirects users to an image of a PDF icon, which then leads to the download of a ZIP archive containing the Grandoreiro loader executable.
This custom loader, artificially inflated to over 100 MB, is designed to bypass anti-malware scanning software. It also checks to ensure the compromised host is not in a sandboxed environment, gathers basic victim data for a command-and-control (C2) server, and downloads and executes the main banking trojan.
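The inflated-loader trick described above is detectable at the archive layer: an executable padded with repetitive bytes is very large uncompressed yet compresses almost to nothing. The following is an added illustration, not code from IBM X-Force or from the campaign; the size and ratio thresholds are assumptions chosen for demonstration, and the ZIP it inspects is constructed inline.

```python
import io
import zipfile

# Thresholds are assumptions chosen for illustration, not values from the report.
DEFAULT_SIZE_THRESHOLD = 50 * 1024 * 1024  # uncompressed bytes
DEFAULT_RATIO_THRESHOLD = 0.05             # compressed / uncompressed


def inspect_archive(data, size_threshold=DEFAULT_SIZE_THRESHOLD,
                    ratio_threshold=DEFAULT_RATIO_THRESHOLD):
    """Return (name, uncompressed_size, ratio) for ZIP members that start with the
    PE/DOS 'MZ' magic, exceed size_threshold, and compress far below ratio_threshold.
    That combination is typical of a binary padded with repetitive filler bytes.
    Caveat: padding with random bytes defeats the ratio check; size alone then remains."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size == 0:
                continue
            with zf.open(info) as member:
                magic = member.read(2)  # only the DOS header magic is needed
            if magic != b"MZ":
                continue
            ratio = info.compress_size / info.file_size
            if info.file_size >= size_threshold and ratio < ratio_threshold:
                findings.append((info.filename, info.file_size, round(ratio, 4)))
    return findings


def build_sample_zip(padded_size):
    """Construct a ZIP with a small fake PE, a zero-padded fake PE of padded_size
    bytes (a stand-in for the inflated loader), and a text file. Constructed data."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(256)) * 16
    padded = fake_pe + b"\x00" * (padded_size - len(fake_pe))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.exe", padded)   # hypothetical name
        zf.writestr("readme.exe", fake_pe)
        zf.writestr("notes.txt", b"not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(64 * 1024 * 1024)
    for name, size, ratio in inspect_archive(sample, size_threshold=32 * 1024 * 1024):
        print(f"suspicious: {name} ({size // (1024 * 1024)} MiB, ratio {ratio})")
```

The sample uses a 64 MiB pad and a 32 MiB threshold to keep the run short; against real mail attachments the defaults above (or a tuned pair) apply.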
Interestingly, the malware skips systems located in Russia, Czechia, Poland, and the Netherlands, as well as U.S.-based Windows 7 machines with no antivirus installed.
Once the trojan is executed, it establishes persistence via the Windows Registry and uses a reworked DGA to connect with a C2 server for further instructions. Grandoreiro supports various commands that allow remote control of the system, file operations, and other tasks. A new module enables the collection of Microsoft Outlook data and the abuse of the victim’s email account to send spam messages to other targets.
“In order to interact with the local Outlook client, Grandoreiro uses the Outlook Security Manager tool, a software used to develop Outlook add-ins,” the researchers explained. “The main reason behind this is that the Outlook Object Model Guard triggers security alerts if it detects access on protected objects.”
By leveraging the local Outlook client for spamming, Grandoreiro can propagate through infected victim inboxes, contributing to the high volume of spam observed from the trojan.