Although the key operators were arrested in early 2024, Grandoreiro continues to be used by its partners in new campaigns. Kaspersky Global Research and Analysis Team (GReAT) discovered a new light version of the banking trojan focused on Mexico targeting around 30 banks.
Remaining one of the most active threats globally, Grandoreiro accounts for around 5% of banking trojan attacks this year. Mexico is among the most targeted countries by its variants, including the light version, having a record of 51,000 incidents in the same year.
After assisting an INTERPOL-coordinated action, Kaspersky discovered that the group’s codebase had been split into lighter, fragmented versions of the trojan, to continue its attacks. Recent analysis has identified a specific light version focused primarily on Mexico, which has been used to target approximately 30 financial institutions. The creators likely have access to the source code and are launching new campaigns using the simplified legacy malware.
Fabio Assolini, head of the Latin American (GReAT) at Kaspersky, explained that Grandoreiro uniquely operates from the traditional ‘Malware-as-a-Service’ model. Instead of seeing it in the announcements on underground forums, access to the malware is limited.
“Fragmented and lighter versions may represent a trend that could extend beyond Mexico and into other regions, including beyond Latin America. However, we believe that only some trusted affiliates have access to the malware source code to develop such lighter versions,” shared Assolini.
Kaspersky also mentioned new tactics based on the latest samples of the primary malware from 2024: It records mouse activity to mimic real user patterns, aiming to evade detection by machine learning-based security systems that analyze behavior. By replaying natural mouse movements, the malware can trick anti-fraud tools into seeing the activity as legitimate.
What’s more, Grandoreiro has adopted a cryptographic technique known as Ciphertext Stealing (CTS), which Kaspersky has never seen being used in malware. CTS aims to encrypt the malicious code strings.
“Grandoreiro has a large and complex structure, which would make it easier for security tools or analysts to detect if its strings were not encrypted. This is likely why they introduced this new technique – to complicate the detection and analysis of their attacks,” Fabio Assolini elaborated.
Grandoreiro is a global financial threat, targeting over 1,500 financial institutions and 276 cryptocurrency wallets across 45 countries and territories, with Asia and Africa being the new list of targets.
More details about this banking trojan are on Securelist. Comprehensive Grandoreiro analysis and overview were discussed by GReAT at Kaspersky’s sixteenth Security Analyst Summit (SAS) on October 22-25, 2024, in Bali.
Leave a comment