A criminal organization known as Grandoreiro, which has used banking malware to commit electronic banking fraud in Spain, Mexico, Brazil, and Argentina since 2017, has been taken down by authorities. The group has moved at least 3.6 million euros through fraudulent transactions since 2019, and the Spanish financial institution Caixa Bank has reported potential losses of 110 million euros from fraud involving Brazilian banking malware.
The takedown of the Grandoreiro botnet was a joint effort by the cybersecurity firm ESET and the Brazilian Federal Police. The investigation began with evidence provided by Caixa Bank indicating that the operators and programmers of the banking malware were located in Brazil. The infrastructure behind the Grandoreiro operation was found to be hosted on cloud servers, with the operators abusing cloud service providers such as AWS and Azure to host their network infrastructure.
The criminal group gained remote access to victims' computers through command and control software and used that access to commit cybertheft. Victims' devices were infected via phishing emails that posed as official communications, such as court subpoenas and invoices, to trick recipients into downloading malicious files. Funds obtained through the fraud were transferred to accounts belonging to group members who had lent their accounts for moving the illicit proceeds.
Grandoreiro malware was used to block victims’ screens, log keystrokes, simulate mouse and keyboard activity, share victims’ screens, and display fake pop-up windows. ESET researchers revealed that the malware used a domain generation algorithm (DGA) to communicate with a command and control (C&C) server, generating multiple domains with various configurations that resolve to the same IP address.
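The DGA detail above points to a defender-side heuristic: many distinct, random-looking hostnames that all resolve to one IP address. The following is an added illustration, not code from the article or from ESET's research; it groups constructed DNS resolver log lines by answer IP and flags IPs behind several high-entropy hostnames. The log format, the thresholds and the sample entries are assumptions.

```python
"""Flag DGA-style C&C infrastructure in DNS resolver logs (added example).

Heuristic: cluster resolutions by answer IP, then flag IPs that sit behind
several distinct hostnames whose first label looks machine-generated
(high Shannon entropy). Log format and thresholds are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client> <qname> <answer_ip>".
# Addresses are from documentation ranges; the hostnames are invented.
SAMPLE_LOG = """\
2024-01-30T10:00:01 10.0.0.5 www.example.com 93.184.216.34
2024-01-30T10:00:02 10.0.0.5 mail.example.com 93.184.216.34
2024-01-30T10:00:03 10.0.0.7 qxk3v9zt2m.example-dyn.net 203.0.113.10
2024-01-30T10:00:04 10.0.0.7 p8wl02bnsr.example-dyn.net 203.0.113.10
2024-01-30T10:00:05 10.0.0.7 z1ygh7ke4d.example-dyn.net 203.0.113.10
2024-01-30T10:00:06 10.0.0.7 m6c0rtv5xq.example-dyn.net 203.0.113.10
2024-01-30T10:00:07 10.0.0.9 cdn.example.org 198.51.100.20
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random-looking labels score higher."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client, qname, answer_ip) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore blank or malformed lines
        _ts, client, qname, ip = parts
        records.append((client, qname.lower().rstrip("."), ip))
    return records


def dga_suspects(text: str, min_domains: int = 3, min_entropy: float = 3.0) -> dict:
    """Map answer IP -> {domains, mean_entropy} for IPs meeting both thresholds."""
    names_by_ip = defaultdict(set)
    for _client, qname, ip in parse_log(text):
        names_by_ip[ip].add(qname)
    suspects = {}
    for ip, names in names_by_ip.items():
        if len(names) < min_domains:
            continue  # a few legitimate vhosts on one IP is normal
        mean_ent = sum(shannon_entropy(n.split(".")[0]) for n in names) / len(names)
        if mean_ent >= min_entropy:
            suspects[ip] = {"domains": sorted(names), "mean_entropy": round(mean_ent, 2)}
    return suspects


if __name__ == "__main__":
    for ip, info in dga_suspects(SAMPLE_LOG).items():
        print(ip, info["mean_entropy"], info["domains"])
```

On the sample log only 203.0.113.10 is flagged; the two ordinary hosts sharing 93.184.216.34 fall below both thresholds.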
To disrupt Grandoreiro's operations, federal police officers in Brazil executed search and seizure orders and temporary arrest warrants in five states. Court orders to seize and freeze assets and valuables were also enforced, both to cripple the criminal enterprise and to recover funds. The operation specifically targeted individuals believed to sit at the top of the Grandoreiro organizational structure.
According to ESET’s findings, nearly 41% of Grandoreiro victims are from Brazil, with 30% in Mexico and 28% in Spain. Less than 1% of victims come from Argentina, Portugal, and Peru, with an average of 551 new victims connected each day. The disruption operation by the Brazilian Federal Police aims to dismantle the Grandoreiro criminal organization and bring those responsible to justice.
In conclusion, the takedown of the Grandoreiro criminal organization marks a significant victory in the fight against electronic banking fraud across multiple countries. Coordination between cybersecurity researchers and law enforcement disrupted the malware operation and reached the key individuals behind it. As the investigation and legal proceedings continue, further asset recovery and the prevention of similar crimes by comparable groups remain possible.