The threat actors behind the Windows-based Grandoreiro banking trojan have been running a global campaign since March 2024, following a law enforcement takedown in January. This large-scale phishing operation, likely run through a malware-as-a-service (MaaS) model, targets over 1,500 banks in more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific, according to IBM X-Force.
Originally focused on Latin America, Spain, and Portugal, Grandoreiro’s recent expansion suggests a strategic shift following Brazilian authorities’ efforts to dismantle its infrastructure. The malware itself has seen significant improvements, indicating ongoing development.
“Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails,” noted security researchers Golo Mühr and Melissa Frydrych.
The attacks begin with phishing emails that impersonate a government entity and prompt recipients to click a link to view an invoice or make a payment, depending on the lure. Clicking the link redirects users to an image of a PDF icon, which in turn leads to the download of a ZIP archive containing the Grandoreiro loader executable.
The custom loader, artificially inflated to over 100 MB to evade anti-malware scanning, checks that the host is not in a sandboxed environment, collects basic victim data, and contacts a command-and-control (C2) server to download and execute the main banking trojan.
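The delivery chain described in the two paragraphs above (a ZIP archive carrying an executable padded to over 100 MB so that size-limited scanners skip it) leaves two cheap signals a defender can check at the mail gateway or sandbox intake: an executable member that is unusually large, and a file whose bulk is a single repeated byte appended after the real image, which also makes it compress almost completely inside the ZIP. The following is an added example written for this page, not code from IBM X-Force or from the malware; the thresholds, the file names, and the sample archive it builds are all constructed for illustration.

```python
import io
import os
import zipfile

# Illustrative thresholds (assumptions, not values reported in the article).
# The Grandoreiro loader described above was padded to over 100 MB; tune
# these to the executable sizes that are normal in your own environment.
DEFAULT_SIZE_THRESHOLD = 50 * 1024 * 1024   # uncompressed bytes of an executable member
DEFAULT_PADDING_RATIO = 0.5                 # fraction of the file that is one repeated tail byte


def trailing_run_length(data: bytes) -> int:
    """Length of the run of identical bytes at the end of data.

    Padding overlays that inflate a binary are usually a single repeated byte
    (often 0x00) appended after the real PE image, so the tail run length is a
    cheap proxy for how much of the file is filler.
    """
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def looks_like_pe(data: bytes) -> bool:
    """True if the member starts with the DOS 'MZ' magic used by Windows executables."""
    return data[:2] == b"MZ"


def inspect_zip(zip_bytes: bytes,
                size_threshold: int = DEFAULT_SIZE_THRESHOLD,
                padding_ratio: float = DEFAULT_PADDING_RATIO) -> list:
    """Return one finding per archive member, flagging inflated executables.

    A member is flagged when it is a PE file, exceeds size_threshold when
    uncompressed, and has at least padding_ratio of its bytes in a single
    repeated tail run. The compressed/uncompressed ratio from the ZIP
    directory is reported as well: uniform filler compresses almost to
    nothing, so an inflated loader typically shows an extreme expansion
    ratio on extraction.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            size = len(data)
            run = trailing_run_length(data)
            ratio = run / size if size else 0.0
            compress_ratio = info.compress_size / info.file_size if info.file_size else 1.0
            is_pe = looks_like_pe(data)
            findings.append({
                "name": info.filename,
                "size": size,
                "is_pe": is_pe,
                "padding_ratio": round(ratio, 3),
                "compress_ratio": round(compress_ratio, 4),
                "suspicious": is_pe and size >= size_threshold and ratio >= padding_ratio,
            })
    return findings


def build_sample_zip(padding_bytes: int = 4 * 1024 * 1024) -> bytes:
    """Construct a sample archive (constructed test data, not a real malware
    sample) mimicking the delivery described above: a text file plus a fake
    'invoice' executable whose small PE-like header is followed by megabytes
    of zero padding."""
    fake_exe = b"MZ" + os.urandom(4096) + b"\x00" * padding_bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", fake_exe)
        zf.writestr("readme.txt", b"Please review the attached invoice.")
    return buf.getvalue()


if __name__ == "__main__":
    # A 1 MB threshold is used here only so the 4 MB constructed sample trips
    # the check; the 50 MB default is meant for real traffic.
    for finding in inspect_zip(build_sample_zip(), size_threshold=1024 * 1024):
        print(finding)
```

The padding check is deliberately naive: a loader padded with random bytes rather than a constant byte would defeat the tail-run heuristic, though not the size check, and the compression ratio would then look normal. Treat the three fields together as a triage signal for routing large executables to a full scan rather than as a verdict on their own.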
The loader also checks the system's geolocation, skipping hosts in Russia, Czechia, Poland, and the Netherlands, as well as Windows 7 machines in the U.S. that have no antivirus software installed. Once executed, the trojan establishes persistence via the Windows Registry and uses a reworked DGA to locate a C2 server for further instructions.
Grandoreiro supports a range of commands that let the operators remotely control the system, perform file operations, and enable special modes. A notable new feature is a module that harvests Microsoft Outlook data and abuses the victim's email account to send spam to further targets.
“In order to interact with the local Outlook client, Grandoreiro uses the Outlook Security Manager tool, a software used to develop Outlook add-ins,” the researchers explained. “The main reason behind this is that the Outlook Object Model Guard triggers security alerts if it detects access on protected objects.”
“By using the local Outlook client for spamming, Grandoreiro can spread through infected victim inboxes via email, contributing to the large volume of spam observed,” the researchers added.
This resurgence of Grandoreiro highlights the persistent and evolving nature of cyber threats, underscoring the need for robust security measures and vigilance among potential targets worldwide.