Brazilian law enforcement, in collaboration with Slovak cybersecurity firm ESET, has successfully apprehended individuals responsible for the Grandoreiro banking trojan. The operation involved serving arrest warrants and conducting searches in various states, targeting individuals believed to hold significant roles in the Grandoreiro operation hierarchy. ESET contributed to the effort by uncovering a design flaw in Grandoreiro’s network protocol, which aided in identifying patterns related to victimology. Grandoreiro, categorized among Latin American banking trojans, has been active since 2017 and primarily targets countries such as Spain, Mexico, Brazil, and Argentina.
The banking trojan exhibits multifaceted capabilities, including data theft through keyloggers and screenshots, as well as the extraction of bank login information through overlays on targeted banking sites. The threat actors behind Grandoreiro employ phishing campaigns as part of their attack chain, using decoy documents or malicious URLs to deploy the malware. ESET’s investigation revealed that Grandoreiro monitors foreground windows to identify web browser processes related to banking, initiating communication with its command-and-control server when a match is found. The malware’s flawed implementation of its RealThinClient network protocol allowed for the identification of around 551 unique victims connecting to the servers daily on average.
Furthermore, ESET’s findings indicated that the Grandoreiro operators have been using a domain generation algorithm (DGA) since around October 2020, dynamically generating destination domains for command-and-control traffic. This approach enhances the malware’s resilience by making it challenging to block or track. The disrupted operation by Brazilian law enforcement aimed at high-ranking individuals within the Grandoreiro operation hierarchy, showcasing collaborative efforts to combat cyber threats.
Reference:
