TLDR:
– Brazilian law enforcement has arrested several operators behind the Grandoreiro banking trojan
– Slovak cybersecurity firm ESET assisted in the operation and identified a design flaw in Grandoreiro’s network protocol
Brazilian law enforcement, with assistance from Slovak cybersecurity firm ESET, has dismantled the Grandoreiro banking trojan and arrested several of its key operatives. The Federal Police of Brazil served five temporary arrest warrants and 13 search and seizure warrants across multiple states in Brazil. ESET helped uncover a design flaw in Grandoreiro’s network protocol, which aided in identifying victimology patterns. Grandoreiro is one of several Latin American banking trojans and has been active since 2017, primarily targeting countries like Spain, Mexico, Brazil, and Argentina.
Proofpoint previously revealed details of a phishing campaign in late October 2023 that distributed an updated version of Grandoreiro to targets in Mexico and Spain. The trojan has the capability to steal data through keyloggers and screenshots, as well as siphon bank login information. It can also display fake pop-up windows and block the victim’s screen. The attack chain typically starts with phishing lures that lead to the deployment of the malware and subsequent contact with a command-and-control server.
ESET discovered that Grandoreiro uses a domain generation algorithm (DGA) to generate destination domains for its command-and-control traffic. This makes it more difficult to block or track the infrastructure. The trojan also monitors web browser processes to determine if a victim is visiting a target banking site, at which point it initiates communication with the server. ESET found that on average, the trojan connected to 551 unique victims per day, mainly in Brazil, Mexico, and Spain. Additionally, an average of 114 new unique victims connected to the servers each day.
The operation by Brazilian law enforcement targeted individuals believed to be high-ranking members of the Grandoreiro operation. This arrest and dismantlement are significant in curbing the activities of this banking trojan and protecting potential victims from financial losses.