…cluster, which accounts for 93.6% of all C&C servers and 94% of all victims, includes a wide variety of dga_ids, indicating the extensive reach of Grandoreiro. In contrast, the smallest cluster, with only one dga_id, accounts for 1.6% of C&C servers and 1.1% of victims.
The collaboration between ESET and the Federal Police of Brazil to disrupt the Grandoreiro botnet was a significant success. ESET’s technical analysis and data provided crucial information for identifying and arresting the individuals in control of the botnet’s servers. This joint effort highlights the importance of public-private partnerships in combating cybercrime.
Grandoreiro, a Latin American banking trojan, has been actively targeting Brazil, Mexico, and Spain since at least 2017. It initially focused on Brazil and Mexico and in recent years expanded its operations to Spain; in 2023, however, its focus shifted clearly towards Mexico and Argentina.
The banking trojan’s functionality has remained relatively unchanged since 2020, with the exception of new domain generation algorithm (DGA) logic. Grandoreiro’s modus operandi involves monitoring web browser processes to initiate communication with its C&C server when bank-related strings are detected. Once a victim’s machine is compromised, the malware enables various malicious activities, such as logging keystrokes and displaying fake pop-up windows to steal the victim’s money.
ESET’s automated systems have been tracking Grandoreiro’s activities since 2017, extracting crucial information such as version details, C&C servers, and DGA configurations. The DGA configuration, hardcoded in the malware’s binary, generates multiple domains that resolve to active C&C server IP addresses. The abuse of No-IP’s Dynamic DNS service and cloud providers like AWS and Azure further complicates efforts to disrupt the botnet.
Despite the challenges posed by Grandoreiro’s constantly evolving nature, ESET’s long-term tracking systems have continued to monitor the banking trojan’s activities. The collaboration with the Federal Police of Brazil is a testament to the effectiveness of ESET’s expertise and resources in contributing to law enforcement efforts.
Furthermore, ESET’s research has revealed the clustering of DGA configurations and their associated dga_ids, providing valuable insights into Grandoreiro’s infrastructure. The data obtained from tracking the botnet’s activities has shed light on the extensive reach of Grandoreiro and the complexities involved in dismantling its operations.
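The clustering described above (DGA configurations tied together through the C&C servers their domains resolve to, with each cluster's share of servers and victims then reported) can be reproduced on a defender's own tracking data. The following is an added example, not ESET's code or data: it assumes each `dga_id` yields a set of candidate domains, that two `dga_id`s belong to one cluster when at least one domain from each resolves to the same C&C IP, and uses constructed domains, resolutions and victim counts.

```python
"""Cluster DGA configurations (dga_ids) by shared C&C infrastructure.

Added example, not ESET's code. Assumed linking rule: two dga_ids are in the
same cluster when at least one domain from each resolves to the same C&C IP.
All domains, IPs and victim counts below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample data: dga_id -> candidate domains it generates.
DGA_DOMAINS = {
    "dga-a": ["x1.ddns-sample.invalid", "x2.ddns-sample.invalid"],
    "dga-b": ["y1.ddns-sample.invalid", "y2.ddns-sample.invalid"],
    "dga-c": ["z1.ddns-sample.invalid", "z2.ddns-sample.invalid"],
    "dga-d": ["w1.ddns-sample.invalid"],
    "dga-e": ["v1.ddns-sample.invalid", "v2.ddns-sample.invalid"],
}

# Constructed resolution results (domain -> active C&C IP). Domains missing
# here did not resolve, e.g. a Dynamic DNS name not currently in use.
RESOLVED = {
    "x1.ddns-sample.invalid": "198.51.100.10",
    "x2.ddns-sample.invalid": "198.51.100.11",
    "y1.ddns-sample.invalid": "198.51.100.11",  # shared with dga-a
    "y2.ddns-sample.invalid": "198.51.100.20",
    "z1.ddns-sample.invalid": "198.51.100.20",  # shared with dga-b
    "w1.ddns-sample.invalid": "198.51.100.30",
    "v1.ddns-sample.invalid": "198.51.100.40",
    "v2.ddns-sample.invalid": "198.51.100.41",
}

# Constructed victim counts observed per dga_id (e.g. tracked check-ins).
VICTIMS = {"dga-a": 500, "dga-b": 300, "dga-c": 150, "dga-d": 10, "dga-e": 40}


def cluster_dga_ids(dga_domains, resolved):
    """Group dga_ids into clusters linked by at least one shared C&C IP.

    Uses union-find: the first dga_id seen for an IP 'owns' it, and every
    later dga_id resolving to that IP is merged into the owner's set.
    Returns clusters as frozensets, largest first, ties broken by name.
    """
    parent = {dga_id: dga_id for dga_id in dga_domains}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    owner = {}
    for dga_id, domains in dga_domains.items():
        for domain in domains:
            ip = resolved.get(domain)
            if ip is None:
                continue  # an unresolved domain gives no infrastructure link
            if ip in owner:
                union(owner[ip], dga_id)
            else:
                owner[ip] = dga_id

    groups = defaultdict(set)
    for dga_id in dga_domains:
        groups[find(dga_id)].add(dga_id)
    return sorted((frozenset(g) for g in groups.values()),
                  key=lambda g: (-len(g), sorted(g)))


def cluster_shares(dga_domains, resolved, victims):
    """Report, per cluster, its dga_ids, C&C IPs and share of servers/victims."""
    all_ips = set(resolved.values())
    total_victims = sum(victims.values())
    report = []
    for cluster in cluster_dga_ids(dga_domains, resolved):
        ips = {resolved[d] for i in cluster for d in dga_domains[i] if d in resolved}
        cluster_victims = sum(victims.get(i, 0) for i in cluster)
        report.append({
            "dga_ids": sorted(cluster),
            "cnc_ips": sorted(ips),
            "cnc_share": round(100 * len(ips) / len(all_ips), 1) if all_ips else 0.0,
            "victim_share": round(100 * cluster_victims / total_victims, 1)
            if total_victims else 0.0,
        })
    return report


if __name__ == "__main__":
    for row in cluster_shares(DGA_DOMAINS, RESOLVED, VICTIMS):
        print(f"{row['dga_ids']}: {len(row['cnc_ips'])} C&C IPs "
              f"({row['cnc_share']}% of servers, {row['victim_share']}% of victims)")
```

Run on the constructed data, the three configurations that chain through two shared IPs form one cluster holding half of the C&C servers and 95% of the victims, while the two isolated configurations form small clusters; the same skew (one cluster with many dga_ids dominating both server and victim counts) is what the report above describes. Unresolved domains are deliberately ignored so that dormant Dynamic DNS names never create false links.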
In summary, ESET’s collaboration with the Federal Police of Brazil to disrupt the Grandoreiro botnet has demonstrated the value of public-private partnerships in combating cybercrime. The ongoing efforts to track and analyze the activities of banking trojans like Grandoreiro are essential in protecting individuals and organizations from the threats posed by this sophisticated malware. By leveraging technical expertise and data analysis, ESET continues to play a crucial role in identifying, disrupting, and ultimately dismantling malicious cyber operations.