Pierluigi Paganini
May 20, 2024
IBM X-Force warns of a new Grandoreiro banking trojan campaign that has been ongoing since March 2024. Operators behind the Grandoreiro banking trojan have resumed operations following a law enforcement takedown in January.
The recent campaign is targeting over 1,500 banks in more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific. The banking Trojan is likely operated as a Malware-as-a-Service (MaaS).
Grandoreiro is a modular backdoor that supports the following capabilities:
The latest version shows major updates within the string decryption and domain generating algorithm (DGA), it can also use Microsoft Outlook clients on infected hosts to spread further phishing emails.
Traditionally limited to Latin America, Spain, and Portugal, recent Grandoreiro campaigns have expanded their targets to include entities such as Mexico’s Tax Administration Service (SAT), Federal Electricity Commission (CFE), Secretary of Administration and Finance, the Revenue Service of Argentina, and the South African Revenue Service (SARS). The recent campaign demonstrates that operators are expanding the malware’s deployment globally, starting with South Africa.
In each attack observed by the experts, threat actors instructed recipients to click on a link to view an invoice, fee, account statement, or make a payment, depending on the impersonated entity. If the user is in a targeted country (Mexico, Chile, Spain, Costa Rica, Peru, or Argentina), they are redirected to an image of a PDF icon, while a ZIP file is downloaded in the background. These ZIP files contain a large executable disguised as a PDF icon, created the day before or the day of the email being sent.
The loader bloated to a size of more than 100MB to prevent automatic anti-virus scanning. To circumvent automated execution, it displays a small CAPTCHA pop-up imitating Adobe PDF reader, which requires a click to continue with the execution.
The loader prevents the execution in a sandbox by verifying if the client is a legitimate victim, it enumerates basic victim data and sends it back to its C2. Finally the loader downloads, decrypts and executes the Grandoreiro banking trojan.
The malware doesn’t continue execution if the public IP associated with infected systems was from Russia, Czechia, Poland, or the Netherlands. It also prevented infections on Windows 7 machines in the US without antivirus.
The banking Trojan establishes persistence via the Windows registry, then it uses a reworked DGA to connect with a C2 server awaiting further instructions.
“One of Grandoreiro’s most interesting features is its capability to spread by harvesting data from Outlook and using the victim’s account to send out spam emails. There are at least 3 mechanisms implemented in Grandoreiro to harvest and exfiltrate email addresses, with each using a different DGA seed.” states the report. “By using the local Outlook client for spamming, Grandoreiro can spread through infected victim inboxes via email, which likely contributes to the large amount of spam volume observed from Grandoreiro.”
To interact with the local Outlook client, the malware relies on the Outlook Security Manager tool, preventing that the Outlook Object Model Guard triggers security alerts if it detects access on protected objects.
“The updates made to the malware, in addition to the significant increase in banking applications across several nations, indicate that the Grandoreiro distributors are seeking to conduct campaigns and deliver malware on a global scale.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, banking Trojan)
