Admin

Over 1,500 Global Banks Targeted as the Grandoreiro Banking Trojan Makes a Comeback


The Grandoreiro banking trojan has resurfaced in a global campaign after facing a crackdown by law enforcement in January. The new campaign, which began in March 2024, is targeting over 1,500 banks across more than 60 countries. The attacks are carried out through large-scale phishing emails that direct recipients to click on a link. Once clicked, users are redirected to an image of a PDF icon, which leads to the download of a ZIP archive containing the Grandoreiro loader executable. The malware has undergone significant updates and improvements, including enhancements to its string decryption and domain generation algorithm (DGA), as well as the ability to use Microsoft Outlook clients to spread phishing emails.

The expansion of the Grandoreiro campaign from its previous focus in Latin America, Spain, and Portugal to a global scale suggests a shift in strategy. It is likely that the threat actors behind the trojan are adapting to the attempts made by Brazilian authorities to shut down their infrastructure. This demonstrates the resilience and adaptability of cybercriminals, who continuously evolve their tactics to bypass security measures and carry out their malicious activities.

One of the notable updates to the malware is its use of Microsoft Outlook clients to spread phishing emails. By leveraging the local Outlook client, Grandoreiro is able to abuse the victim’s email account and send spam messages to other targets. This method allows the trojan to spread through infected victim inboxes, contributing to the large volume of spam emails observed from Grandoreiro. To achieve this, the malware utilizes the Outlook Security Manager tool, which is commonly used to develop Outlook add-ins. By using this tool, the trojan can access protected objects without triggering security alerts from the Outlook Object Model Guard.
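One defender-side way to surface the behaviour described above is to watch the organisation's outbound message trace for a mailbox that suddenly reaches many distinct recipients in a short window, which is what a locally driven Outlook client produces and a human sender rarely does. The following is an added example, not code from the article or from any vendor tooling; the trace format, addresses and thresholds are constructed assumptions.

```python
# Added example, not from the article or any vendor tooling: flag a mailbox that
# suddenly reaches many distinct recipients inside a short window, the outbound
# signature of a local mail client being driven by malware rather than a person.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed message-trace lines: "<timestamp> <sender> <recipient> <subject>".
SAMPLE_LOG = """\
2024-03-12T09:00:05 alice@corp.example bob@corp.example Q1 budget review
2024-03-12T09:14:10 alice@corp.example carol@partner.example Contract draft
2024-03-12T11:02:00 dave@corp.example r1@mail-a.example Factura pendiente
2024-03-12T11:02:03 dave@corp.example r2@mail-b.example Factura pendiente
2024-03-12T11:02:07 dave@corp.example r3@mail-c.example Factura pendiente
2024-03-12T11:02:09 dave@corp.example r4@mail-d.example Factura pendiente
2024-03-12T11:02:14 dave@corp.example r5@mail-e.example Factura pendiente
2024-03-12T11:02:20 dave@corp.example r6@mail-f.example Factura pendiente
"""


def parse_log(text):
    """Parse trace lines into (timestamp, sender, recipient, subject) tuples."""
    events = []
    for line in text.splitlines():
        ts, sender, rcpt, subject = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), sender, rcpt, subject))
    return events


def find_bursts(events, window=timedelta(minutes=5), max_recipients=5):
    """Return {sender: distinct recipients} for every sender that reaches more
    than max_recipients distinct recipients within any sliding window of
    length `window`. The thresholds are assumptions; tune them per tenant."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt, _subject in events:
        by_sender[sender].append((ts, rcpt))
    flagged = {}
    for sender, sends in by_sender.items():
        sends.sort()
        start = 0
        for end in range(len(sends)):
            # Slide the window start forward until sends[start:end+1] fits.
            while sends[end][0] - sends[start][0] > window:
                start += 1
            rcpts = {r for _, r in sends[start:end + 1]}
            if len(rcpts) > max_recipients:
                flagged[sender] = flagged.get(sender, set()) | rcpts
    return flagged
```

A flagged mailbox is a lead for the incident responder, not proof of infection: a legitimate bulk sender trips the same rule, so pair the alert with an allow-list of known mass-mail accounts.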

Furthermore, the Grandoreiro trojan makes use of a malware-as-a-service (MaaS) model, suggesting that it may be facilitated by other cybercriminals. This means that individuals or groups can purchase the malware and its accompanying services to carry out attacks without having to develop the malware themselves. The MaaS model has become increasingly popular within the cybercriminal community, providing a way for less technically skilled individuals to engage in criminal activities. This trend highlights the need for increased collaboration and information sharing between law enforcement agencies and cybersecurity professionals to effectively combat these evolving threats.

The Grandoreiro banking trojan demonstrates the ongoing risks and challenges posed by sophisticated cybercriminals. Its ability to target a wide range of banks across multiple countries underscores the importance of robust cybersecurity measures for financial institutions. These attacks not only pose a threat to the banks’ customers but also to the stability of the global financial system. It is imperative that organizations invest in advanced threat detection and prevention technologies, as well as educate their employees about the risks of phishing emails and other social engineering tactics.

In conclusion, the resurgence of the Grandoreiro banking trojan in a global campaign highlights the adaptability and persistence of cybercriminals. The malware has undergone significant updates and improvements, allowing it to target banks across more than 60 countries. The use of Microsoft Outlook clients to spread phishing emails and abuse victims' email accounts is a new tactic employed by the trojan. The MaaS model utilized by the threat actors behind Grandoreiro demonstrates the evolving nature of cybercrime and the need for increased collaboration and information sharing among cybersecurity professionals and law enforcement agencies. Financial institutions must be vigilant and invest in robust cybersecurity measures to protect themselves and their customers from these increasingly sophisticated attacks.
