Grandoreiro malware reemerges in a new phishing campaign

May 21, 2024
Grandoreiro Malware Phishing Campaign Cybercrime Malware As A Service

The Grandoreiro malware has resurfaced through a large-scale phishing operation that targets the clients of about 1,500 banks in over 60 countries.

Reports revealed that the malware resumed large-scale activities earlier this year. Moreover, various threat actors most likely rented the malware via a Malware-as-a-Service (MaaS) model and now target English-speaking countries.

In addition, this malware has undergone a technical overhaul, adding numerous new features and upgrades, showing that its authors have resumed its development. Since multiple threat actors rent the software, the phishing lures are diverse and tailored precisely to the organisations that a single cybercriminal is targeting.

Recent research revealed that the phishing emails from this campaign impersonate official entities in Mexico, Argentina, and South Africa, specifically tax administration organisations, revenue services, and federal electricity commissions.

The phishing operators write the emails in the recipient’s native language, include official logos and forms, and include a call to action, such as clicking links to view bills, account statements, or tax paperwork.

Once recipients click the links in these emails, they are redirected to an image of a PDF that downloads a ZIP file containing the Grandoreiro loader.

The Grandoreiro malware acquired new features that were exhibited in the latest campaigns.

According to investigations, the newest version of the Grandoreiro malware includes several new features and major modifications, making it a more elusive and effective threat.

Researchers noticed that the new version includes reworked and enhanced string decryption techniques based on AES-CBC and a bespoke decoder. Additionally, the domain generation algorithm (DGA) has been updated and now uses numerous seeds to separate command-and-control communications from operator activities.

Also, a new mechanism targets Microsoft Outlook users by disabling the client's security alerts and then using it to distribute phishing messages to new recipients. Another important new feature is Grandoreiro’s ability to perform extensive victim profiling and decide whether to execute on the device, giving operators control over their targeting environment.

Furthermore, the latest version of the RAT avoids execution in particular countries such as Russia, Czechia, the Netherlands, and Poland, as well as on Windows 7 workstations in the United States that do not have an AV solution installed.

The continued efforts of the Grandoreiro operators show that cybercriminal threats persist despite the authorities’ efforts to take them down. The clients of the banks in the countries mentioned should be cautious with incoming messages and unsolicited communications to avoid falling victim to this reemerging threat.
