Cybersecurity researchers at Kaspersky Lab have uncovered a resurgence of the notorious Grandoreiro banking trojan, despite earlier reports that its operation had been dismantled. The latest iteration of this malware targets customers of approximately 30 Mexican banks, showing that this significant cyber threat continues to evolve.
The Persistent Threat of Grandoreiro
Grandoreiro, active since 2016, has established itself as one of the most widespread banking trojans globally. In January 2024, an international operation involving law enforcement agencies from Brazil, Spain, and Interpol, along with ESET and Caixa Bank, led to the arrest of several members of the group. However, recent investigations reveal that not all Grandoreiro operators were apprehended, allowing the malware to continue its malicious activities.
Advanced Tactics and Technologies
Analysis of new Grandoreiro samples has revealed several sophisticated methods employed by the cybercriminals:
User Activity Simulation
The trojan can now record and replay mouse movements, mimicking genuine user clicks. This tactic is designed to circumvent security systems that analyze user behavior, making anomalous activity harder to detect.
Enhanced Encryption Techniques
Grandoreiro encrypts the strings in its code using Ciphertext Stealing (CTS), a block-cipher mode technique. Because the strings are stored encrypted, threat detection by security solutions becomes significantly harder.
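Ciphertext stealing as described above, shown as an added example (not code from Grandoreiro, Kaspersky, or this article): CBC with the CS3 ciphertext-stealing rule over a constructed toy block cipher, since the page does not name the underlying cipher, key or IV (all three are assumptions here). It shows why a CTS-encrypted string is exactly as long as its plaintext and carries no padding block, and how an analyst holding the key and IV reverses it with `cts_decrypt`.

```python
# CBC mode with Ciphertext Stealing (CS3 variant, NIST SP 800-38A addendum): any
# plaintext longer than one block encrypts with no padding, same length out.
BLOCK = 8  # toy block size in bytes (assumption: stand-in for a real cipher)
KEY = b"constructed-key!"  # 16-byte constructed sample key, not from the page
IV = b"sampleIV"           # 8-byte constructed sample IV, not from the page

def _round(half: int, key: bytes, i: int) -> int:
    k = int.from_bytes(key[4 * i:4 * i + 4], "big")
    f = ((half ^ k) * 0x9E3779B1 + i) & 0xFFFFFFFF
    return ((f << 7) | (f >> 25)) & 0xFFFFFFFF
def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Constructed 4-round Feistel permutation: NOT a real cipher, only a stand-in
    # so the mode logic runs offline (assumption).
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in range(4):
        l, r = r, l ^ _round(r, key, i)
    return l.to_bytes(4, "big") + r.to_bytes(4, "big")
def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in reversed(range(4)):  # undo the Feistel rounds in reverse order
        l, r = r ^ _round(l, key, i), l
    return l.to_bytes(4, "big") + r.to_bytes(4, "big")
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cts_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    if len(pt) <= BLOCK:
        raise ValueError("this CTS variant needs more than one block of input")
    n, d = -(-len(pt) // BLOCK), len(pt) % BLOCK or BLOCK  # blocks, tail length
    out, prev = [], iv
    for i in range(n - 1):  # ordinary CBC over every block but the last
        prev = toy_encrypt_block(key, xor(pt[i * BLOCK:(i + 1) * BLOCK], prev))
        out.append(prev)
    tail = pt[(n - 1) * BLOCK:].ljust(BLOCK, b"\0")  # zero-fill the final block
    last = toy_encrypt_block(key, xor(tail, prev))
    # "steal": emit the final block whole, then only d bytes of the second-to-last
    return b"".join(out[:-1]) + last + out[-1][:d]
def cts_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    n, d = -(-len(ct) // BLOCK), len(ct) % BLOCK or BLOCK
    out, prev = [], iv
    for i in range(n - 2):
        blk = ct[i * BLOCK:(i + 1) * BLOCK]
        out.append(xor(toy_decrypt_block(key, blk), prev))
        prev = blk
    last, stub = ct[(n - 2) * BLOCK:(n - 1) * BLOCK], ct[(n - 1) * BLOCK:]
    dec = toy_decrypt_block(key, last)  # == zero-filled P_n XOR C_{n-1}
    c_prev = stub + dec[d:]             # rebuild the full second-to-last block
    out.append(xor(toy_decrypt_block(key, c_prev), prev))
    out.append(xor(dec[:d], stub))
    return b"".join(out)
```

A string-decryptor for a sample would swap `toy_encrypt_block`/`toy_decrypt_block` for the real cipher and feed in the recovered key and IV; the mode logic stays the same.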
Global Impact and Geographic Distribution
According to Kaspersky Lab’s report, Grandoreiro remains one of the most active global threats in the cybersecurity landscape:
- Grandoreiro accounts for approximately 5% of all banking trojan attacks worldwide
- The majority of attacks have been recorded in Mexico, with 51,000 reported incidents
- In 2024, various versions of the trojan targeted users of over 1,700 financial institutions and 276 cryptocurrency wallets across 45 countries
Code Fragmentation and Adaptation
Following the arrests of some Grandoreiro operators, the malware’s codebase has been divided into lighter versions, each with a narrower set of targets. Cybersecurity experts have identified two distinct codebases in use at the same time:
- New samples with updated code incorporating the latest evasion techniques
- Older samples based on the previous codebase, specifically targeting Mexican bank customers
This code fragmentation strategy allows cybercriminals to adapt to law enforcement actions and continue their malicious activities while minimizing the risk of complete detection and shutdown.
The persistence and evolution of Grandoreiro underscore the critical importance of robust cybersecurity measures for financial institutions and their customers. Implementing multi-layered security approaches, including regular software updates, reliable antivirus solutions, and user awareness training on social engineering tactics, can significantly reduce the risk of successful attacks. As Grandoreiro continues to adapt and target new regions, international cooperation in cybersecurity remains crucial in combating such global threats and protecting the integrity of financial systems worldwide.