A new report from IBM X-Force exposes changes in the Grandoreiro malware landscape. The banking trojan is now capable of targeting more than 1,500 global banks in more than 60 countries, and it has been updated with new features.

Also, Grandoreiro’s targeting has become wider, as it initially only targeted Spanish-speaking countries, while recent attack campaigns targeted countries in Europe, Asia and Africa. In addition, the malware is now sending phishing emails directly from the victim’s Microsoft Outlook local client to recipients’ email addresses found in the local system.

What is Grandoreiro?

According to Interpol, the Grandoreiro banking trojan has been a major threat across Spanish-speaking countries since 2017. The malware’s main functionalities allow cybercriminals to control devices on the infected computer, enable keylogging, handle windows and processes, open a browser and execute JavaScript inside it, upload or download files, and send emails, in addition to its banking trojan capabilities.

Analysis of different attack campaigns reveals that many operators are involved in Grandoreiro attacks, as stated by cybersecurity company Kaspersky, which wrote in July 2020, “It is still not possible to link this malware to any specific cybercrime group, although it is clear that the campaign is using a MaaS (Malware-as-a-Service) business model.”

SEE: Kaspersky Study: Devices Infected With Data-Stealing Malware Increased by 7 Times Since 2020

Arrests of suspected cybercriminals in relation to Grandoreiro happened in 2021, with 16 suspects being caught by the Spanish Police on charges of laundering funds stolen through two banking trojans, including Grandoreiro. More recently, Brazilian authorities arrested five programmers and administrators behind the banking malware, who were suspected to have defrauded victims of more than €3.5 million.

Yet the malware, developed in Brazil, is still active and has started expanding its target list to other countries, such as Japan, Netherlands, Italy and South Africa, as reported in the new research from IBM’s X-Force team.

How do Grandoreiro campaigns work?

All Grandoreiro campaigns start with phishing emails

Since March 2024, several Grandoreiro phishing campaigns have impersonated entities in Mexico, such as Mexico’s Tax Administration Service, Mexico’s Federal Electricity Commission or the Revenue Service of Argentina.

Different social engineering techniques have been used since March 2024 in the emails to entice the user to click a link: a final notice to pay a debt, a reminder that one can access their account statement in PDF or XML format or a reminder to read details on a compliance notice.

Sample phishing email containing a malicious link.
Sample phishing email containing a malicious link. Image: IBM X-Force

In those phishing campaigns, only users originating from specific countries — Mexico, Chile, Spain, Costa Rica, Peru, Argentina — are being redirected to a payload when clicking on the link provided in the email.

Following the recent arrests involving Grandoreiro operators, researchers observed a surge in campaigns targeting countries beyond the usual Spanish-speaking ones, including Japan, the Netherlands, Italy and South Africa, with emails written in English.

Sample phishing email targeting South African users.
Sample phishing email targeting South African users. Image: IBM X-Force

Next comes the infection chain

After the user clicks the malicious link in the phishing email, a custom loader is launched, presenting a fake Adobe PDF Reader captcha, which requires a click to continue with the execution, probably to distinguish between real users and automated systems such as sandboxes.

Then, the loader collects some victim data and sends it to the command&control server using encryption based on AES and base64 algorithms. The data sent to the C2 consists of the computer and user names, the operating system version, the antivirus name, the victim’s public IP address, and a list of running processes. In addition, the loader checks for the existence of the Microsoft Outlook client as well as crypto wallets and special banking security products such as IBM Trusteer or Topaz OFD.

The loader can be configured to disallow victims from specific countries based on their IP addresses. One malware sample found by IBM X-Force stopped if the user was located in Russia, Czech Republic, Poland or Netherlands.

If all conditions are met, the Grandoreiro banking trojan is downloaded, decrypted via an RC4-based algorithm and executed.

Targeting more than 1,500 banks worldwide

Grandoreiro’s list of targeted applications has increased to more than 1,500 banks worldwide, according to IBM X-Force, with bank applications also tied to regions. For example, if the victim’s country is identified as Belgium, the malware will search for all targeted banking applications associated with the European region.

In addition, 266 unique strings are used by the malware to identify cryptocurrency wallets.

Grandoreiro’s targeted banking applications per country.
Grandoreiro’s targeted banking applications per country. Image: IBM X-Force

Recent updates in Grandoreiro

New DGA algorithm

Researchers Golo Mühr and Melissa Frydrych analyzed the malware in depth and found the malware, which traditionally relied on domain generation algorithms to find its C2 server references, contained a reworked DGA.

The new algorithm introduces multiple seeds for its DGA, “used to calculate a different domain for each mode or functionality of the banking trojan, allowing separation of C2 tasks among several operators as part of their Malware-as-a-Service operation” as stated by the researchers.

Grandoreiro’s new DGA algorithm.
Grandoreiro’s new DGA algorithm. Image: IBM X-Force

For one analyzed sample, for a given day, 12 domains could be used as C2 domains, with four of them being active on that day and leading to Brazilian-based IP addresses.

C2 server domains for a Grandoreiro sample for April 17, 2024.
C2 server domains for a Grandoreiro sample for April 17, 2024. Image: IBM X-Force

Microsoft Outlook abuse

Recent versions of Grandoreiro abuse the local Microsoft Outlook software when available on an infected computer.

The malware interacts with the Outlook Security Manager Tool, a tool designed to develop Outlook add-ins. The use of the tool allows the malware to disable alerts within Outlook before it starts harvesting all sender email addresses found in the victim’s mailbox, filtering the email addresses to avoid collecting unwanted ones such as those containing “noreply,” “feedback” or “newsletter,” to name a few from the malware’s blocklist.

In addition, the malware scans parts of the victim’s folders recursively to hunt for more email addresses, looking for files with specific extensions, including .csv, .txt, .xls and .doc.

The malware then starts sending spam based on phishing templates it received from its C2 server before deleting all the sent emails from the victim’s mailbox.

In order to avoid being caught by the user who could notice suspicious behavior from the computer, the malware only starts sending the emails when the last input on the machine is at least five minutes old or longer in some malware variants.

How to protect from this Grandoreiro malware threat

  • Do careful network analysis. In particular, multiple consecutive requests to ip-api.com/json must trigger alerts and investigations, as it might be an indicator of a Grandoreiro infection.
  • Monitor run keys in the Windows registry. Any addition outside of a normal software installation should be investigated closely to detect malware activity.
  • Block pre-calculated DGA domains via DNS.
  • Deploy endpoint security software on every computer to detect malware.
  • Educate users and staff to detect phishing emails and potential fraud attempts.
  • Keep all hardware and software up to date and patched in order not to be infected via a common vulnerability.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday