Grandoreiro, a banking trojan that once targeted financial institutions in Latin America, has resurfaced. The malware was previously thought to have been dismantled in a joint operation led by the Brazilian Federal Police, but new reports from Flashpoint indicate that it is now targeting victims in North America, Europe, Asia, and Africa. With this once-regional threat now becoming global, it is crucial to understand how Grandoreiro operates and how to defend against it.
Grandoreiro aims to steal financial information and credentials and to perform unauthorized money transfers. The malware is primarily spread through phishing emails containing malicious links or attachments. After the initial infection, Grandoreiro uses a unique module that allows it to spread further through local Microsoft Outlook installations.
The trojan uses email templates supplied by a command-and-control (C2) server to distribute phishing emails via Outlook. It scans the victim's inbox for addresses, filters out unwanted ones, and sends the collected addresses emails containing malicious links to ZIP archives or MSI installer files disguised as PDF documents. These files contain the Grandoreiro loader, which is designed to infect additional systems and continue the malware's spread.
The loader, written in Borland Delphi, is over 100 MB in size to evade antivirus scanning. Upon execution, it requires user interaction with a fake Adobe Acrobat CAPTCHA to prevent execution in sandbox environments. After this, the malware conducts anti-analysis checks using standard APIs to enumerate processes and search for analysis tools and other sandbox indicators.
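As an added defensive example (not part of the report, and not Flashpoint's or any vendor's code), a small Python triage check for the two lure characteristics described above: a file that presents itself as a PDF but carries ZIP or MSI magic bytes, and an installer padded past the 100 MB mark. The attachment records are constructed, and the assumption that the disguise relies on a ".pdf" segment in the file name is mine.

```python
# Added triage helper (not from the article): flags lures where a file presented
# as a PDF is really a ZIP or MSI, or where an installer is suspiciously oversized.
import re
from dataclasses import dataclass

PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"
# OLE Compound File header; MSI packages use it (so do legacy .doc/.xls files).
MSI_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# The article reports the loader is padded to over 100 MB to evade AV scanning.
OVERSIZED_BYTES = 100 * 1024 * 1024


@dataclass
class Attachment:
    name: str   # file name as shown to the user
    size: int   # total size in bytes
    head: bytes # first bytes of the file content


def looks_like_pdf(name: str) -> bool:
    # Assumption: the disguise shows ".pdf" somewhere in the name, e.g.
    # "Fatura.pdf.msi" or "Fatura.pdf.zip" (the double-extension trick).
    return re.search(r"\.pdf(\.|$)", name, re.IGNORECASE) is not None


def actual_type(head: bytes) -> str:
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    if head.startswith(MSI_MAGIC):
        return "msi"
    return "unknown"


def triage(att: Attachment) -> list:
    """Return a list of finding tags for one attachment (empty if nothing suspicious)."""
    findings = []
    kind = actual_type(att.head)
    if looks_like_pdf(att.name) and kind in ("zip", "msi"):
        findings.append(f"pdf-disguised-{kind}")
    if kind in ("zip", "msi") and att.size > OVERSIZED_BYTES:
        findings.append("oversized-installer")
    return findings


# Constructed sample attachments: a real PDF, a padded MSI and a ZIP posing as PDFs,
# and a plain MSI that is not disguised.
SAMPLES = [
    Attachment("Fatura_2024.pdf", 48_000, b"%PDF-1.7\n"),
    Attachment("Fatura_2024.pdf.msi", 120 * 1024 * 1024, MSI_MAGIC + b"\x00" * 8),
    Attachment("Comprovante.pdf.zip", 900_000, b"PK\x03\x04\x14\x00"),
    Attachment("setup.msi", 5_000_000, MSI_MAGIC + b"\x00" * 8),
]
```

In a mail gateway this check would run on the fetched link target as well as on direct attachments, since the report describes links to the ZIP/MSI files rather than only attached ones.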
If the target machine passes the anti-analysis check, the trojan collects key information about the victim, including the public IP address, location, username, computer name, OS version, installed antivirus software, presence of Outlook, the number of cryptocurrency wallets, and banking software. This data is sent to the C2 server in encrypted form.
Grandoreiro primarily targets financial data and login credentials, facilitating illegal money transfers. It requires interaction with the threat actor to perform the following actions:
- Disabling mouse input and locking the victim's screen.
- Setting up remote control to steal money without interruption.
- Creating fake login screens or using keylogging to steal credentials.
- Downloading and executing additional malware.
Conduct regular security awareness training for employees, educating them on how to recognize and avoid such threats.