Brazilian authorities have taken aggressive action against the perpetrators of the Grandoreiro malware, leading to the arrest of several individuals involved in the criminal operation. The Federal Police of Brazil executed a series of arrest and search and seizure warrants in multiple states, including São Paulo, Santa Catarina, Pará, Goiás, and Mato Grosso, as part of their crackdown on the malicious activities of the Grandoreiro operators.
The operation was further bolstered by the assistance provided by Slovak cybersecurity firm ESET, which played a pivotal role in identifying a critical design flaw in the Grandoreiro network protocol. This flaw enabled ESET to recognize patterns in the victims targeted by the malware, contributing to the dismantling of the criminal operation.
Grandoreiro belongs to a family of Latin American banking trojans, alongside Javali, Melcoz, Casbaneiro, Mekotio, and Vadokrist, that specifically target countries such as Spain, Mexico, Brazil, and Argentina. The malware has been active since 2017, posing a significant threat to the financial infrastructure and personal information of individuals in the affected regions.
One of the recent campaigns involving Grandoreiro was disclosed by Proofpoint in late October 2023, which highlighted a phishing campaign distributing an updated version of the malware to targets in Mexico and Spain. The banking trojan is capable of stealing sensitive data through keyloggers and screenshots, as well as siphoning bank login information from overlays when victims visit specific banking sites targeted by the threat actors.
The malware also has the ability to display fake pop-up windows and block the victim’s screen, interfering with their ability to defend against the attack. The attack chains typically begin with phishing lures that lead to the deployment of the malware, allowing it to establish contact with a command-and-control (C&C) server for remote control.
ESET’s analysis of Grandoreiro revealed that the malware periodically monitors web browser processes to initiate communication with the C&C server when a window belonging to a web browser process is found. This sophisticated approach allows the threat actors to maintain control over the infected machines, making it challenging for victims to detect and thwart the malicious activities.
Furthermore, the threat actors have employed a domain generation algorithm (DGA) since October 2020 to dynamically derive the destination domain for C&C traffic. This tactic makes the infrastructure harder to block, track, or take over. Grandoreiro's malicious infrastructure predominantly relies on IP addresses provided by Amazon Web Services (AWS) and Microsoft Azure, with observed C&C IP address lifespans ranging from 1 day to 425 days.
The recent large-scale effort by the Federal Police of Brazil is a commendable step in disrupting the Grandoreiro operation, targeting individuals suspected of being high-ranking members of the criminal hierarchy responsible for the malware. This disruption is a significant win in the ongoing battle against cybercriminal activities that threaten the financial security and privacy of individuals in Latin American countries.
The action taken by Brazilian law enforcement and the collaborative efforts of cybersecurity firms underscore the importance of proactive measures to combat the evolving threats posed by banking trojans and other forms of malware. The successful dismantling of the Grandoreiro operation is a testament to the effectiveness of coordinated efforts between law enforcement agencies and cybersecurity experts in tackling sophisticated cyber threats.