Despite the arrest of key operators in early 2024, Grandoreiro continues to be used by its partners in new campaigns.
Kaspersky Global Research and Analysis team (GReAT) has reportedly “discovered a new light version focused on Mexico, targeting around 30 banks.”
These findings are to be highlighted at the Security Analyst Summit (SAS) 2024.
Remaining one of the “most active” threats and targeting users of more than 1,700 banks, Grandoreiro variants “account for around five percent of banking trojan attacks this year.”
Mexico is one of the most targeted countries by “various Grandoreiro strains, including the new light version, seeing 51,000 recorded incidents this year.”
After assisting an INTERPOL-coordinated action, which has led to Brazilian authorities arresting operators behind a Grandoreiro banking trojan operation, Kaspersky discovered that the group’s “codebase has been split into lighter, fragmented versions of the trojan, to continue its attacks.”
Recent analysis has identified a specific light version focused primarily on Mexico, which has reportedly “been used to target approximately 30 financial institutions.”
The creators likely have access to the source code and are “launching new campaigns using the simplified legacy malware.”
Multiple variants of Grandoreiro, including the new light version and the primary malware, accounted for “approximately five percent of global banking trojan attacks detected by Kaspersky in 2024, making it one of the most active threats worldwide.”
Kaspersky has analyzed the newer samples of the primary Grandoreiro from 2024, and observed new tactics. It records mouse activity to “mimic real user patterns, aiming to evade detection by machine learning-based security systems that analyze behavior.”
By replaying natural mouse movements, the malware aims to “trick anti-fraud tools into seeing the activity as legitimate.”
Additionally, Grandoreiro has adopted a cryptographic technique known as Ciphertext Stealing (CTS), which Kaspersky has “never seen being used in malware. In this case, its aim is to encrypt the malicious code strings.”
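Ciphertext Stealing is a standard block-cipher mode (CBC-CS3 in NIST's CBC addendum, also used by Kerberos) that lets CBC encrypt data whose length is not a multiple of the block size without any padding, so the ciphertext is exactly as long as the plaintext. The worked example below is added here to show how the "stealing" step works and is not code from the page or from Kaspersky's analysis; the block cipher it uses is a toy, invertible byte permutation standing in for AES (an assumption, labelled in the code), and the key, IV and sample strings are constructed. For an analyst, the practical consequence is that CTS-encrypted string blobs need not be block-aligned, so a "length is a multiple of 16" heuristic for spotting CBC-encrypted data will miss them.

```python
"""Ciphertext Stealing (CBC-CS3) worked example.

CBC runs over every full block; the last, possibly partial, block is then
encrypted after being zero-padded, and the bytes "stolen" from the previous
ciphertext block are dropped, so len(ciphertext) == len(plaintext).

ASSUMPTION: the block cipher below is a TOY permutation (XOR with the key,
then a byte rotation). It is not secure; any 16-byte block cipher such as
single-block AES can be substituted via the enc/dec parameters.
"""

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k: XOR with key, rotate bytes left by 5. NOT secure."""
    assert len(key) == BLOCK and len(block) == BLOCK
    x = _xor(block, key)
    return x[5:] + x[:5]


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block: rotate right by 5, XOR with key."""
    assert len(key) == BLOCK and len(block) == BLOCK
    x = block[-5:] + block[:-5]
    return _xor(x, key)


def cts_encrypt(key: bytes, iv: bytes, plaintext: bytes, enc=toy_encrypt_block) -> bytes:
    """CBC-CS3 encryption: requires at least one full block, never pads the output."""
    if len(plaintext) < BLOCK:
        raise ValueError("CTS needs at least one full block of plaintext")
    n = -(-len(plaintext) // BLOCK)          # number of blocks, last may be partial
    d = len(plaintext) - (n - 1) * BLOCK     # bytes in the last block, 1..BLOCK
    prev, out = iv, []
    for i in range(n - 1):                   # ordinary CBC over blocks 1..n-1
        prev = enc(key, _xor(plaintext[i * BLOCK:(i + 1) * BLOCK], prev))
        out.append(prev)
    padded = plaintext[(n - 1) * BLOCK:] + bytes(BLOCK - d)   # zero-pad internally
    c_n = enc(key, _xor(padded, prev))
    if n == 1:
        return c_n
    c_prev = out.pop()                       # steal: emit C_n in full, C_{n-1} truncated to d bytes
    return b"".join(out) + c_n + c_prev[:d]


def cts_decrypt(key: bytes, iv: bytes, ciphertext: bytes, dec=toy_decrypt_block) -> bytes:
    """CBC-CS3 decryption: rebuilds the stolen tail of C_{n-1} from D(C_n)."""
    if len(ciphertext) < BLOCK:
        raise ValueError("CTS ciphertext must be at least one block")
    n = -(-len(ciphertext) // BLOCK)
    d = len(ciphertext) - (n - 1) * BLOCK
    if n == 1:
        return _xor(dec(key, ciphertext), iv)
    head = ciphertext[:(n - 2) * BLOCK]
    c_n = ciphertext[(n - 2) * BLOCK:(n - 1) * BLOCK]
    c_prev_trunc = ciphertext[(n - 1) * BLOCK:]
    # X = D(C_n) = (P_n || 0...) XOR C_{n-1}; because the pad is zero, the tail
    # of X is exactly the stolen tail of C_{n-1}.
    x = dec(key, c_n)
    c_prev = c_prev_trunc + x[d:]
    p_n = _xor(x[:d], c_prev_trunc)
    prev, out = iv, []
    blocks = [head[i:i + BLOCK] for i in range(0, len(head), BLOCK)] + [c_prev]
    for c in blocks:                         # ordinary CBC over the reconstructed stream
        out.append(_xor(dec(key, c), prev))
        prev = c
    return b"".join(out) + p_n


def roundtrip_ok(plaintext: bytes) -> bool:
    """Encrypt then decrypt a constructed string and confirm length preservation."""
    key = b"constructed-key!"                # constructed 16-byte sample key
    iv = bytes(range(BLOCK))                 # constructed sample IV
    ct = cts_encrypt(key, iv, plaintext)
    return len(ct) == len(plaintext) and cts_decrypt(key, iv, ct) == plaintext


if __name__ == "__main__":
    for sample in (b"exactly-16-bytes", b"a 37 byte constructed sample string!!", b"A" * 32):
        print(len(sample), roundtrip_ok(sample))
```

The lengths worth noticing are the ones that are not multiples of 16: the 37-byte sample produces a 37-byte ciphertext, which is the property that distinguishes CTS from padded CBC when looking at encrypted string tables in a sample.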
Kaspersky data indicates Grandoreiro has been active since 2016.
In 2024, the threat targets 1,700+ financial institutions and 276 crypto wallets across 45 countries and territories.
The Grandoreiro analysis and overview are to be presented by GReAT at Kaspersky’s sixteenth Security Analyst Summit (SAS), which takes place from October 22-25, 2024, in Bali.
As previously covered, Kaspersky is a cybersecurity and digital privacy company founded in 1997.
With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise are being turned into solutions that protect businesses, critical infrastructure, governments and consumers.
The company’s security portfolio includes endpoint protection, specialized security products and services, as well as Cyber Immune solutions to “fight sophisticated and evolving digital threats.”
They help more than 200,000 corporate clients protect “what matters most to them.”