Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

The perpetrators behind the Grandoreiro banking trojan, which operates on Windows systems, have reemerged in a global campaign starting from March 2024, following a law enforcement takedown earlier in January.

This widespread phishing assault, likely facilitated through a malware-as-a-service (MaaS) framework by collaborating cybercriminals, is aimed at over 1,500 banks worldwide, covering more than 60 nations across Central and South America, Africa, Europe, and the Indo-Pacific, as reported by IBM X-Force.

While Grandoreiro has traditionally concentrated its efforts on Latin America, Spain, and Portugal, this expansion signals a strategic shift after Brazilian authorities' attempts to dismantle its infrastructure.

Accompanying this broader targeting scope are notable enhancements to the trojan itself, indicating ongoing development efforts.

According to security researchers Golo Mühr and Melissa Frydrych, analysis of the malware reveals significant updates to the string decryption routine and the domain generation algorithm (DGA), as well as the use of Microsoft Outlook clients on compromised hosts to send additional phishing emails.

The attack begins with phishing emails prompting recipients to click on a link to view an invoice or make a payment, with the messages crafted to impersonate various government entities.

Users who fall for the ruse and click the link are redirected to an image resembling a PDF icon, which leads to the download of a ZIP archive containing the Grandoreiro loader executable.

This custom loader, intentionally inflated to over 100 MB, aims to evade detection by anti-malware scanning tools. It checks that the compromised host is not a sandboxed environment, collects basic victim data and transmits it to a command-and-control (C2) server, and then downloads and executes the main banking trojan.
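As an added defender-side illustration (not code from the article or from IBM X-Force's analysis), the check below inspects a ZIP archive's entries for the two signals an inflated loader leaves: an executable that is oversized and that compresses almost completely because it is padded. The 100 MB and ratio thresholds, the extension list and the constructed sample archive are assumptions.

```python
import io
import zipfile

# Assumed thresholds: the loader is reported as inflated to over 100 MB, and
# zero-padding compresses almost completely, so a tiny compressed-to-uncompressed
# ratio is the second signal of padding.
SIZE_THRESHOLD = 100 * 1024 * 1024
RATIO_THRESHOLD = 0.05
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".msi")

def suspicious_entries(zip_bytes, size_threshold=SIZE_THRESHOLD,
                       ratio_threshold=RATIO_THRESHOLD):
    """Flag executable ZIP entries that are oversized and/or padded.

    Sizes come from the archive's central directory, so nothing is extracted;
    only the first two bytes of each entry are read to spot the 'MZ' PE magic,
    which also catches a renamed executable.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                looks_pe = fh.read(2) == b"MZ"
            if not (looks_pe or info.filename.lower().endswith(EXEC_SUFFIXES)):
                continue
            ratio = info.compress_size / info.file_size if info.file_size else 1.0
            reasons = []
            if info.file_size > size_threshold:
                reasons.append("oversized")
            if ratio < ratio_threshold:
                reasons.append("highly compressible")
            if reasons:
                findings.append({"name": info.filename, "uncompressed": info.file_size,
                                 "ratio": round(ratio, 4), "reasons": reasons})
    return findings

def build_sample_zip(padding_bytes):
    """Constructed sample: a fake 'MZ' file padded with zeros plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * padding_bytes)
        zf.writestr("readme.txt", b"plain text, nothing to flag")
    return buf.getvalue()

if __name__ == "__main__":
    # 2 MiB of padding with a lowered size threshold keeps the demo quick.
    print(suspicious_entries(build_sample_zip(2 * 1024 * 1024), size_threshold=1024 * 1024))
```

Because the check relies on archive metadata rather than scanning the whole file, it stays cheap even for the oversized samples that size-limited scanners skip.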

Once running, the trojan component establishes persistence through the Windows Registry and uses the revised DGA to locate a C2 server and connect to it for further instructions.

Grandoreiro boasts a variety of commands that enable threat actors to remotely seize control of the system, execute file operations, and activate special modes, including a new module designed to extract Microsoft Outlook data and misuse the victim’s email account to disseminate spam messages to additional targets.

“To interact with the local Outlook client, Grandoreiro utilizes the Outlook Security Manager tool, software employed to develop Outlook add-ins,” the researchers explained. “This approach bypasses security alerts triggered by the Outlook Object Model Guard upon detecting access to protected objects.”

“By exploiting the local Outlook client for spamming, Grandoreiro can propagate through infected victim inboxes via email, likely contributing to the observed surge in spam volume associated with Grandoreiro.”

Source: thehackernews.com