Malware that steals bank data is back despite arrests

Despite a recent law-enforcement crackdown, the Grandoreiro banking trojan is actively targeting 1,500 banks worldwide, an IBM X-Force investigation shows.

IBM X-Force has identified several large-scale phishing campaigns that have been distributing the Grandoreiro banking trojan since March 2024.

This banking trojan has historically targeted Latin America, Spain, and Portugal. The new wave of attacks, however, has expanded its scope to Central and South America, Africa, Europe, and the Pacific, targeting 1,500 banks worldwide. The researchers also note significant technical improvements to the malware itself.

The malware is distributed via an email with a malicious link impersonating governmental entities or other legitimate organizations, such as banks or financial institutions.

Grandoreiro targeted banking applications per country. Source: IBM X-Force

In the email, threat actors instruct the recipients to click on a link to view an invoice, fee, account statement, or make a payment.

Clicking the link shows the victim an image of a PDF icon while a ZIP file downloads in the background. Each ZIP contains a large executable disguised as a PDF, built the day before, or the same day, the email was sent.
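The delivery chain described above gives a mail gateway or analyst three checkable indicators for a ZIP attachment: an executable whose name mimics a PDF, an oversized payload, and a PE compile timestamp within a day of the email's send date. The following Python is an added triage example, not IBM X-Force's tooling and not anything taken from the campaign; the sample ZIP, its member names, the email date and the 1 MiB "large" threshold are all constructed for the demonstration (the article gives no size figure).

```python
"""Triage a ZIP lure for the indicators described above: an executable
disguised as a PDF, an oversized payload, and a PE compile timestamp within
a day of the email's send date. Added example; all inputs are constructed."""
import io
import struct
import zipfile
from datetime import date, datetime, timezone

MZ_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"
LARGE_BYTES = 1 << 20  # hypothetical "large" threshold (1 MiB); the article gives no figure


def pe_compile_date(blob: bytes):
    """Return the COFF TimeDateStamp of a PE image as a UTC date, or None if
    the blob is not a PE. Layout: 'MZ' at offset 0, e_lfanew at 0x3C, the
    PE signature at e_lfanew, then Machine(2) NumberOfSections(2) TimeDateStamp(4)."""
    if len(blob) < 0x40 or blob[:2] != MZ_MAGIC:
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 12 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (stamp,) = struct.unpack_from("<I", blob, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc).date()


def triage_zip(zip_bytes: bytes, email_date: date, large_bytes: int = LARGE_BYTES):
    """Map each ZIP member to the list of lure indicators it triggers."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            name = info.filename.lower()
            reasons = []
            # "invoice.pdf.exe": Explorer hides the real extension by default
            if ".pdf." in name:
                reasons.append("double-extension-pdf-lure")
            # claims to be a PDF but does not start with the PDF header
            if name.endswith(".pdf") and not blob.startswith(PDF_MAGIC):
                reasons.append("pdf-name-without-pdf-magic")
            compiled = pe_compile_date(blob)
            if compiled is not None:
                reasons.append("pe-executable")
                # built the day before, or the day of, the email
                if 0 <= (email_date - compiled).days <= 1:
                    reasons.append("compiled-within-a-day-of-email")
            if info.file_size >= large_bytes:
                reasons.append("oversized")
            findings[info.filename] = reasons
    return findings


def build_fake_pe(compile_stamp: int, total_size: int) -> bytes:
    """Constructed stand-in for the dropper: a minimal MZ/PE header carrying
    the given TimeDateStamp, zero-padded to total_size. Not a real executable."""
    e_lfanew = 0x80
    buf = bytearray(total_size)
    buf[0:2] = MZ_MAGIC
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHI", buf, e_lfanew + 4, 0x8664, 1, compile_stamp)
    return bytes(buf)


def run_demo():
    """Build a constructed lure ZIP and triage it against a constructed email date."""
    email_date = date(2024, 3, 20)  # constructed: no specific dates are on the page
    built = datetime(2024, 3, 19, 14, 0, tzinfo=timezone.utc)  # the day before the email
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.exe", build_fake_pe(int(built.timestamp()), 1_500_000))
        zf.writestr("statement.pdf", b"%PDF-1.7\n% constructed benign placeholder\n")
    return triage_zip(buf.getvalue(), email_date)


if __name__ == "__main__":
    for member, reasons in run_demo().items():
        print(f"{member}: {', '.join(reasons) or 'clean'}")
```

The compile date comes from the PE header rather than the ZIP entry's modification time, because the latter is set by the packer and tells you nothing about when the binary was built; both are attacker-controlled, but a fresh TimeDateStamp combined with the other indicators is exactly the pattern the campaign description gives you to hunt for.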

By harvesting emails from infected victims' inboxes, Grandoreiro can spread further through those accounts, which likely accounts for the large volume of spam.

Once installed on a victim’s system, Grandoreiro operates as a typical banking trojan, aiming to steal sensitive financial information. The malware logs keystrokes, simulates mouse activity, shares the screen, and displays deceptive pop-ups. It collects data such as usernames, operating system information, device runtime, and, most importantly, bank identifiers.

Phishing email. Source: IBM X-Force

The trojan is likely operated as malware-as-a-service (MaaS) for banking fraud, which explains why, despite a law-enforcement crackdown in January 2024, other cybercriminals continue to use it in their attacks.

At the end of January, Brazilian authorities shut down a criminal gang operating the malware, which was responsible for the theft of $3.9 million in 2019. In 2021, Spain arrested 16 suspects accused of laundering funds stolen through the Mekotio and Grandoreiro malware campaigns.

According to Interpol, Grandoreiro has been considered a major cybersecurity threat across Spanish-speaking countries since 2017.