
Brazilian Feds Dismantle Grandoreiro Banking Trojan and Arrest Top Operatives


Brazilian authorities have taken aggressive action against the perpetrators of the Grandoreiro malware, leading to the arrest of several individuals involved in the criminal operation. The Federal Police of Brazil executed a series of arrest and search and seizure warrants in multiple states, including São Paulo, Santa Catarina, Pará, Goiás, and Mato Grosso, as part of their crackdown on the malicious activities of the Grandoreiro operators.

The operation was further bolstered by the assistance provided by Slovak cybersecurity firm ESET, which played a pivotal role in identifying a critical design flaw in the Grandoreiro network protocol. This flaw enabled ESET to recognize patterns in the victims targeted by the malware, contributing to the dismantling of the criminal operation.

Grandoreiro belongs to a family of Latin American banking trojans, alongside Javali, Melcoz, Casbaneiro, Mekotio, and Vadokrist, that specifically target countries such as Spain, Mexico, Brazil, and Argentina. The malware has been active since 2017, posing a significant threat to the financial infrastructure and personal information of individuals in the affected regions.

One of the recent campaigns involving Grandoreiro was disclosed by Proofpoint in late October 2023, which highlighted a phishing campaign distributing an updated version of the malware to targets in Mexico and Spain. The banking trojan is capable of stealing sensitive data through keyloggers and screenshots, as well as siphoning bank login information from overlays when victims visit specific banking sites targeted by the threat actors.

The malware also has the ability to display fake pop-up windows and block the victim’s screen, interfering with their ability to defend against the attack. The attack chains typically begin with phishing lures that lead to the deployment of the malware, allowing it to establish contact with a command-and-control (C&C) server for remote control.

ESET’s analysis of Grandoreiro revealed that the malware periodically monitors web browser processes to initiate communication with the C&C server when a window belonging to a web browser process is found. This sophisticated approach allows the threat actors to maintain control over the infected machines, making it challenging for victims to detect and thwart the malicious activities.

Furthermore, the threat actors have employed a domain generation algorithm (DGA) since October 2020 to dynamically derive the destination domain for C&C traffic. This tactic makes the infrastructure associated with Grandoreiro harder to block, track, or take over. The malicious infrastructure of Grandoreiro predominantly relies on IP addresses provided by Amazon Web Services (AWS) and Microsoft Azure, with the life span of a C&C IP address ranging from 1 day to 425 days, on average.
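Because a DGA produces a fresh C&C domain rather than a fixed one, a blocklist of known domains is of limited use; defenders instead look for the statistical fingerprint of generated names in DNS telemetry. The following is an added example of that kind of heuristic, written for this article and not taken from ESET's analysis or from Grandoreiro itself: it does not reproduce the real Grandoreiro DGA. The log line format, the host names and the query names are constructed for illustration, and the thresholds are assumptions to be tuned against a real baseline.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log lines; the names are made up and are not
# real Grandoreiro indicators.
SAMPLE_DNS_LOG = """\
2024-01-30T10:01:02Z host=ws-17 qtype=A qname=www.example-bank.com
2024-01-30T10:01:05Z host=ws-17 qtype=A qname=mail.google.com
2024-01-30T10:02:11Z host=ws-17 qtype=A qname=xkq7vpz2mw9tr4bh.com
2024-01-30T10:02:12Z host=ws-17 qtype=A qname=zpq9wmx4kd3vtrl8.net
2024-01-30T10:03:40Z host=ws-22 qtype=A qname=cdn.microsoft.com
"""

# Assumed log layout: "<timestamp> host=<name> qtype=<type> qname=<domain>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$"
)
VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """Return the label left of the TLD, e.g. 'example-bank' for
    'www.example-bank.com'. Simplification: the last label is treated as the
    TLD, so public suffixes such as 'co.uk' are not handled."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_features(qname: str) -> dict:
    """Per-name features that generated labels tend to push to extremes."""
    label = second_level_label(qname)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label) if label else 0.0
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "digit_ratio": digit_ratio,
    }


def looks_generated(qname: str, min_len: int = 12, min_entropy: float = 3.5,
                    max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic: long, high-entropy label that is vowel-poor or digit-heavy.
    Thresholds are assumptions; tune them against your own DNS baseline."""
    f = dga_features(qname)
    return (f["length"] >= min_len and f["entropy"] >= min_entropy
            and (f["vowel_ratio"] <= max_vowel_ratio or f["digit_ratio"] >= 0.15))


def scan_dns_log(log_text: str) -> dict:
    """Map each host to the sorted list of distinct generated-looking names it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        if looks_generated(m["qname"]):
            hits[m["host"]].add(m["qname"])
    return {host: sorted(names) for host, names in hits.items()}


def hosts_above(log_text: str, min_distinct: int = 2) -> list:
    """Hosts that queried at least `min_distinct` generated-looking names:
    a single odd name is noise, a cluster of them is worth triage."""
    return sorted(h for h, names in scan_dns_log(log_text).items()
                  if len(names) >= min_distinct)


if __name__ == "__main__":
    for host, names in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(host, names)
    print("hosts to triage:", hosts_above(SAMPLE_DNS_LOG))
```

Entropy alone is a weak signal on short strings (a legitimate label such as `example-bank` already scores about 3.25 bits per character), which is why the check combines length, entropy and letter composition and then counts distinct hits per host rather than alerting on a single lookup. Resolvers that return NXDOMAIN for most of a host's generated names are a further signal this example leaves out.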

The recent large-scale effort by the Federal Police of Brazil is a commendable step in disrupting the Grandoreiro operation, targeting individuals suspected of being high-ranking members of the criminal hierarchy responsible for the malware. The disruption is a significant win in the ongoing battle against cybercriminal activities that threaten the financial security and privacy of individuals in Latin American countries.

The action taken by Brazilian law enforcement and the collaborative efforts of cybersecurity firms underscore the importance of proactive measures to combat the evolving threats posed by banking trojans and other forms of malware. The successful dismantling of the Grandoreiro operation is a testament to the effectiveness of coordinated efforts between law enforcement agencies and cybersecurity experts in tackling sophisticated cyber threats.
