Kaspersky’s Global Research and Analysis team (GReAT) has discovered a new Grandoreiro light variant focused on Mexico and initiating trojan attacks on around 30 banks. In findings to be presented at the Security Analyst Summit (SAS) 2024, Kaspersky says that despite the arrest of important operators in early 2024, Grandoreiro continues to be used by its partners in new campaigns, and the threat is expanding to Asia and Africa.
The cybersecurity company says Grandoreiro remains one of the most active threats globally and has targeted users of more than 1,700 banks. The Grandoreiro variants account for around 5% of banking trojan attacks this year. Mexico is one of the most targeted countries by various Grandoreiro strains, including the new light version, seeing 51,000 recorded incidents this year.
After assisting an INTERPOL-coordinated action, which has led to Brazilian authorities arresting operators behind a Grandoreiro banking trojan operation, Kaspersky discovered that the group’s codebase has been split into lighter, fragmented versions of the trojan, to continue its attacks. Recent analysis has identified a specific light version focused primarily on Mexico, which has been used to target approximately 30 financial institutions. The creators likely have access to the source code and are launching new campaigns using the simplified legacy malware.
“All the recent developments underscore the evolving nature of the threat,” said GReAT Latin America Head Fabio Assolini. “Fragmented and lighter versions may represent a trend that could extend beyond Mexico and into other regions, including beyond Latin America.”
“However, we believe that only some trusted affiliates have access to the malware source code to develop such lighter versions,” he added. “Grandoreiro operates differently from the traditional malware-as-a-service model we are accustomed to. You won’t find announcements on underground forums selling the Grandoreiro package; instead, access to it appears to be limited.”
Kaspersky has also analysed the newer samples of the primary Grandoreiro from 2024 and observed new tactics. It records mouse activity to mimic real user patterns, aiming to evade detection by machine learning-based security systems that analyse behaviour. By replaying natural mouse movements, the malware aims to trick anti-fraud tools into seeing the activity as legitimate.
Additionally, Grandoreiro has adopted a cryptographic technique known as ciphertext stealing, which Kaspersky has never seen being used in malware. In this case, it aims to encrypt the malicious code strings.
“Grandoreiro has a large and complex structure, which would make it easier for security tools or analysts to detect if its strings were not encrypted,” said Assolini. “This is likely why they introduced this new technique – to complicate the detection and analysis of their attacks.”
To protect from financial malware, Kaspersky security experts recommend organisations to:
-
Enable a default deny policy for critical user profiles, particularly those in financial departments; this ensures that only legitimate web resources can be accessed;
-
Provide cybersecurity awareness training to staff, especially to employees responsible for accounting, that includes instructions on how to detect phishing pages; and
-
Use protection solutions for mail servers with anti-phishing capabilities to decrease the chance of infection through a phishing email.
-
Never open links or documents included in unexpected or suspicious-looking messages. Be attentive to web pages – from the right web address to details of interface;
-
Use a reliable security solution that protects digital assets from a wide range of financial cyberthreats;
-
Install only applications obtained from reliable sources;
-
Refrain from approving rights or permissions requested by applications without first ensuring they match the application’s feature set; and
-
Install the latest updates and patches for all software used.
The Grandoreiro analysis and overview will be presented by GReAT at Kaspersky’s 16th Security Analyst Summit, which takes place from October 22-25, 2024, in Bali.
