Grandoreiro banking trojan: overview of recent versions and new tricks
Essential information
- Published
- 22/10/2024 23:35
- Modified
- 23/10/2024 08:49
- Tags
- 2024-10-22 banking trojan brazil credential-theft evasion techniques financial malware global threat grandoreiro remote access
- Related entities
- 1 intrusion sets (apt), 19 techniques (mitre), 1 malware, 5 others
Description
Grandoreiro is a Brazilian banking trojan that has evolved into a global financial threat, targeting over 1,700 banks and 276 crypto wallets in 45 countries. Despite law enforcement efforts, the malware remains active, with new versions featuring enhanced evasion techniques like multiple Domain Generation Algorithms, ciphertext stealing encryption, and mouse behavior tracking. The trojan uses phishing emails and malvertising for initial infection, then employs various anti-detection methods and a modular structure for stealing credentials and performing fraudulent transactions. Recent campaigns show a split in the codebase, with both updated and legacy versions targeting different regions, particularly Mexico. The malware's operators use sophisticated tools for remote access and employ cloud VPS to hide their activities.