Multiple variants of Grandoreiro are accounting for global banking trojan attacks across the world. (Image source: Adobe Stock)
Kaspersky, a global cybersecurity and digital privacy company, has raised the alarm over the Grandoreiro banking trojan, which has been causing havoc around the world.
According to the firm, Grandoreiro has been active since 2016 and has targeted more than 1,700 financial institutions and 276 cryptocurrency wallets across 45 countries this year alone. That accounts for around 5% of banking trojan attacks this year, and the newly discovered light version is also a cause for concern, having already targeted around 30 banks in Mexico.
Among the countries affected by Grandoreiro are a number in Africa, including Algeria, Angola, Ethiopia, Ghana, Côte d'Ivoire, Kenya, Mozambique, Nigeria, South Africa, Tanzania, and Uganda.
An evolving threat
After assisting an INTERPOL-coordinated action that led Brazilian authorities to arrest operators behind a Grandoreiro banking trojan operation, Kaspersky discovered that the group’s codebase has been split into lighter, fragmented versions of the trojan so that the attacks can continue. This is what has caused problems for financial institutions in Mexico this year. The creators likely have access to the source code and are launching new campaigns using the simplified legacy malware, Kaspersky has reported.
“All the recent developments underscore the evolving nature of the threat. Fragmented and lighter versions may represent a trend that could extend beyond Mexico and into other regions, including beyond Latin America,” said Fabio Assolini, head of the Latin American Kaspersky Global Research and Analysis Team (GReAT). “However, we believe that only some trusted affiliates have access to the malware source code to develop such lighter versions. Grandoreiro operates differently from the traditional ‘Malware-as-a-Service’ model we are accustomed to. You won’t find announcements on underground forums selling the Grandoreiro package; instead, access to it appears to be limited.”
Multiple variants of Grandoreiro, including the new light version and the primary malware, account for banking trojan attacks across the world, making it one of the most active threats worldwide, according to Kaspersky.
The company also analysed newer samples of the primary Grandoreiro from 2024 and observed new tactics. The malware records mouse activity in order to mimic real user patterns, aiming to evade machine learning-based security systems that analyse behaviour: by replaying natural mouse movements, it tries to make anti-fraud tools treat the activity as legitimate.
Grandoreiro has also adopted a cryptographic technique known as Ciphertext Stealing (CTS), which Kaspersky says it had not previously seen used in malware. Here it is used to encrypt the strings in the malicious code.
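Ciphertext stealing itself is a standard, documented mode of operation (the CBC-CS variants of the NIST SP 800-38A Addendum), not a Grandoreiro invention. The example below is added here and is not Kaspersky's analysis code or the malware's own: it implements CBC-CS3 over a toy Feistel block cipher standing in for AES (the cipher, key and IV are constructed assumptions; CTS works over any block cipher), showing why an encrypted string keeps exactly the length of its plaintext with no padding block, and why a string decryptor has to put the swapped final blocks back in order.

```python
import hashlib
BLOCK = 16  # 128-bit blocks, as with AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel toy cipher standing in for AES (constructed, not vetted)
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r

def dec_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r

def _split(data: bytes):
    full, d = divmod(len(data), BLOCK)
    if d == 0:  # the final block has 1..BLOCK bytes, never zero
        full, d = full - 1, BLOCK
    return [data[i * BLOCK:(i + 1) * BLOCK] for i in range(full)], data[full * BLOCK:], d

def cts_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) > BLOCK, "ciphertext stealing needs more than one block"
    heads, tail, d = _split(plaintext)
    out, prev = [], iv
    for p in heads:                          # plain CBC over P_1 .. P_{n-1}
        prev = enc_block(key, _xor(p, prev))
        out.append(prev)
    e = out.pop()                            # E_{n-1}; its last BLOCK-d bytes get "stolen"
    c_n = enc_block(key, _xor(e, tail + bytes(BLOCK - d)))  # zero-padded P_n, CBC step
    return b"".join(out) + c_n + e[:d]       # CS3 order: full block, then truncated one

def cts_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    heads, c_short, d = _split(ciphertext)   # same layout, since lengths are identical
    c_n = heads.pop()                        # the swapped final full block
    z = dec_block(key, c_n)                  # = E_{n-1} XOR (P_n || zeros)
    e = c_short + z[d:]                      # stolen bytes come back from z's tail
    out, prev = [], iv
    for c in heads + [e]:                    # plain CBC decrypt of C_1 .. C_{n-2}, E_{n-1}
        out.append(_xor(dec_block(key, c), prev))
        prev = c
    return b"".join(out) + _xor(z[:d], c_short)
```

Swapping in AES (for example via the `cryptography` package) for `enc_block`/`dec_block` gives the real CBC-CS3 construction; the length and block-order behaviour shown here is unchanged.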
To protect against financial malware, Kaspersky's security experts recommend that organisations take several key steps: enable a Default Deny policy for critical user profiles, provide cybersecurity awareness training to staff, and use protection solutions for mail servers with anti-phishing capabilities, such as Kaspersky Security for Mail Server.
For individuals, Kaspersky recommends vigilance (never open suspicious-looking messages, only install applications from a reliable source, and do not approve rights or permissions without checking that they match the application's feature set) and the use of a reliable security solution such as Kaspersky Premium.