The Grandoreiro Trojan is back and targets more than 1,500 banks around the world


Mélina LOUPIA

May 19, 2024 at 4:51 p.m.


Several European banks are the target of Grandoreiro malware – © Ground Picture / Shutterstock

Despite a crackdown orchestrated by Interpol in January 2024, the group of cybercriminals behind the Grandoreiro Trojan has resurfaced to strike again. Organized as malware-as-a-service, it is even more virulent and attacks more than 1,500 banking organizations in 60 countries around the world.

It seems that as sensitive infrastructures strengthen their protection, hackers upgrade their attacks. This is what the cybercriminals behind the Grandoreiro banking malware have done by considerably expanding their range of action. Long confined to Latin America, the malware now targets more than 1,500 banking applications and websites spread across around sixty countries.

It was X-Force researchers who analyzed these changes. Recent updates have indeed allowed Grandoreiro to expand its offensive capabilities. Europe, Africa and Asia-Pacific are now part of its hunting ground. Phishing campaigns posing as national tax services allow hackers to infect new targets. Once a system is compromised, the malware attempts to steal banking credentials and data. It also seeks to self-propagate using the email clients present on the infected machine.


Grandoreiro, a Trojan horse boosted with increased resources

The experts from X-Force were able to analyze in detail the new workings of Grandoreiro. This banking malware, probably operated as "malware-as-a-service" by cybercriminals, has been extensively reworked. The hackers notably reworked its string encryption and its domain generation algorithm. The latter feature allows it to connect to no less than 12 different command and control servers every day. Grandoreiro thus manages to cover its tracks and complicate its detection.
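The article only says that the reworked domain generation algorithm lets Grandoreiro reach up to 12 different C2 servers per day, which is exactly the behaviour a defender can look for in DNS telemetry. The following is an added example, not code from the article or from X-Force: a generic heuristic that flags hosts resolving several distinct, high-entropy, never-before-seen registrable domains within one day. The log format, the allowlist and the sample lines are all constructed for this example, and the registrable-domain split is naive (last two labels) rather than based on the public suffix list.

```python
"""DGA-style domain detection over DNS query logs (defender-side heuristic).

Added example, not part of the original article. Everything below
(log format, allowlist, sample lines, thresholds) is constructed.
"""
import math
from collections import defaultdict

# Constructed sample DNS log lines: "<date> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2024-05-19 10.0.0.5 www.example.com
2024-05-19 10.0.0.5 mail.example.com
2024-05-19 10.0.0.5 updates.example.org
2024-05-19 10.0.0.7 kq3vx8zm2p.net
2024-05-19 10.0.0.7 a9fj2lwq7r.com
2024-05-19 10.0.0.7 zz81qpw0lk.org
2024-05-19 10.0.0.7 www.example.com
2024-05-19 10.0.0.7 a9fj2lwq7r.com
"""

# Registrable domains the organisation has already seen and vetted (constructed).
KNOWN_GOOD = {"example.com", "example.org"}


def shannon_entropy(s):
    """Bits of entropy per character of the string s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(name):
    """Naive registrable domain: the last two labels of the queried name.
    A real deployment would use the public suffix list instead."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_generated(domain, min_len=8, min_entropy=3.0):
    """True when the second-level label is long and has high character entropy.
    Weak on its own (some brand names score high), so it is only used
    together with the per-host count threshold below."""
    label = domain.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_dns_log(text):
    """Yield (date, client_ip, queried_name) from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]


def flag_hosts(log_text, known_good=KNOWN_GOOD, threshold=3):
    """Return {(date, host): sorted suspicious domains} for every host that
    resolved at least `threshold` distinct generated-looking, non-allowlisted
    registrable domains on one day."""
    seen = defaultdict(set)
    for date, host, name in parse_dns_log(log_text):
        dom = registrable_domain(name)
        if dom in known_good:
            continue
        if looks_generated(dom):
            seen[(date, host)].add(dom)
    return {key: sorted(doms) for key, doms in seen.items() if len(doms) >= threshold}


if __name__ == "__main__":
    for (date, host), doms in flag_hosts(SAMPLE_DNS_LOG).items():
        print(f"{date} {host}: {len(doms)} DGA-like domains -> {', '.join(doms)}")
```

The count threshold is what makes the heuristic usable: a single high-entropy label is common in legitimate traffic, but one workstation resolving a handful of fresh random-looking registrable domains in a day is the pattern a daily-rotating C2 list produces, and it is cheap to compute from resolver logs you already keep.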

The other major change lies in the great diversity of banking applications now targeted by this Trojan horse. Previously focused on Latin America, Grandoreiro now targets financial institutions in Europe, Africa, Asia and Oceania. More than 1,500 mobile apps and websites are in the sights of the hackers, potentially allowing them to steal data in more than 60 countries. This broad palette considerably expands Grandoreiro's attack surface and the financial damage it can cause.

Once the malware is deployed, hackers attack victims by email – © Daniel Beckemeier / Shutterstock

An increased and worrying power of propagation

In addition to its new geographic targets, Grandoreiro now has a new way to spread virally. It can in fact harvest the email addresses present on an infected system, then use the Microsoft Outlook email client to send further phishing campaigns, which this time may reach the customers of these banks. To accomplish this, the Trojan manages to temporarily disable certain Outlook protections. The phishing emails are then sent from a legitimate mailbox, that of the original victim, to that victim's own contacts, which makes detection even more complex. Once again, the hackers fly under the security radar.

This new ability greatly contributes to increasing the distribution of Grandoreiro. Experts believe that the high volume of spam observed recently for this banking malware probably comes from this functionality. Cybercriminals no longer need to purchase address lists to distribute their malware: they can now count on already compromised mailboxes to find new victims. It is this vicious circle that prompted Melyssa Friedrich and Golo Mühr, the two experts behind this Grandoreiro analysis, to recommend that sensitive companies and organizations not only strengthen their data protection tools and systems but also train staff to be vigilant and to recognize phishing campaigns and cyberattacks. As for customers, the potential victims, Clubic recommends the same vigilance at their level: never communicate banking details by telephone, SMS or e-mail, and keep in mind that no banking organization will ask for them through these channels.
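Because the follow-on phishing is sent from the victim's own, legitimate mailbox, sender reputation and spoofing checks do not help; what does stand out is the sudden burst of mail to many distinct recipients from an account that normally sends a few messages an hour. The block below is an added example, not code from the article or from X-Force, showing a sliding-window detector over outbound mail server logs. The log format, the sample lines, the 10-minute window and the recipient threshold are all constructed for this example.

```python
"""Outbound mail burst detection for a compromised-mailbox scenario.

Added example, not part of the original article. The log format, the
sample lines and the thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound mail log: "<iso-timestamp> from=<sender> to=<recipient>".
# alice behaves normally; dave's mailbox suddenly mails six customers in three seconds.
SAMPLE_MAIL_LOG = """\
2024-05-19T09:00:05 from=alice@example.com to=bob@example.com
2024-05-19T09:14:10 from=alice@example.com to=carol@example.com
2024-05-19T13:02:00 from=dave@example.com to=c1@customer.example
2024-05-19T13:02:01 from=dave@example.com to=c2@customer.example
2024-05-19T13:02:01 from=dave@example.com to=c3@customer.example
2024-05-19T13:02:02 from=dave@example.com to=c4@customer.example
2024-05-19T13:02:02 from=dave@example.com to=c5@customer.example
2024-05-19T13:02:03 from=dave@example.com to=c6@customer.example
"""


def parse_mail_log(text):
    """Yield (timestamp, sender, recipient) tuples from the constructed format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.fromisoformat(parts[0])
        sender = parts[1].split("=", 1)[1].lower()
        rcpt = parts[2].split("=", 1)[1].lower()
        yield ts, sender, rcpt


def burst_senders(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {sender: peak distinct recipients inside any `window`} for every
    sender whose peak reaches `threshold`. Distinct recipients are counted
    rather than messages so a long thread with one correspondent is not flagged."""
    events = defaultdict(list)
    for ts, sender, rcpt in parse_mail_log(log_text):
        events[sender].append((ts, rcpt))

    flagged = {}
    for sender, evs in events.items():
        evs.sort()
        peak = 0
        # Start a window at every message and count distinct recipients inside it.
        # Quadratic in messages per sender, which is fine for a per-day batch job.
        for i, (start, _) in enumerate(evs):
            rcpts = {r for t, r in evs[i:] if t - start <= window}
            peak = max(peak, len(rcpts))
        if peak >= threshold:
            flagged[sender] = peak
    return flagged


if __name__ == "__main__":
    for sender, peak in burst_senders(SAMPLE_MAIL_LOG).items():
        print(f"possible compromised mailbox: {sender} reached {peak} distinct recipients in 10 min")
```

In practice the threshold should be derived from each account's own history (a sales mailbox legitimately mails dozens of people an hour), and an alert is a prompt to check the account's recent sent items and sign-in activity, not proof of infection.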


Source: The Hacker News, X-Force

Mélina LOUPIA

Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most liked reels, I come from the Facebook generation that is still fascinated by the internal war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulation are among my favorite hobbies (that, lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
