Brazil's Federal Police dismantles Grandoreiro banking trojan operation and arrests key operators


A Brazilian law enforcement operation has led to the arrest of several Brazilian operators responsible for the Grandoreiro malware.

The Federal Police of Brazil said it served five temporary arrest warrants and 13 search and seizure warrants in the states of São Paulo, Santa Catarina, Pará, Goiás and Mato Grosso.

Slovak cybersecurity company ESET, which assisted in the operation, said it identified a design flaw in Grandoreiro's network protocol that allowed it to measure victim counts and map where the victims were located.

Grandoreiro is one of several Latin American banking trojans, alongside Javali, Melcoz, Casbaneiro, Mekotio and Vadokrist, that mainly target countries such as Spain, Mexico, Brazil and Argentina. It has been active since at least 2017.

In late October 2023, Proofpoint revealed details of a phishing campaign that saw an updated version of the malware distributed to targets in Mexico and Spain.

The banking trojan steals data through keylogging and screenshots, and harvests banking credentials by placing overlays on top of the browser when an infected victim visits one of the banking sites the operators have hardcoded as targets. It can also display fake pop-up windows and lock the victim's screen.

Attack chains typically rely on phishing lures carrying decoy documents or malicious URLs that, when opened or clicked, deploy the malware. The malware then contacts a command-and-control (C&C) server, through which the operators remotely control the compromised machine.

“Grandoreiro periodically checks the foreground window to find one that belongs to a web browser process,” ESET said.


“When such a window is found and its name matches a random string from a hardcoded list of banking-related strings, then and only then does the malware initiate communication with its C&C server, sending requests at least once per second until it is terminated.”

Since approximately October 2020 the operators have also used a domain generation algorithm (DGA) to derive the C&C domain dynamically rather than hardcoding it, which makes the infrastructure harder to block, track or take over: a static blocklist is obsolete as soon as the algorithm rolls to the next domain.
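The following is an added example written for this article; it is not code from ESET, the Federal Police, or the Grandoreiro operators, and the algorithm, seed, hash, TLD rotation and per-day domain count are all assumptions chosen for illustration rather than Grandoreiro's real parameters. It shows the general shape of a date-seeded DGA and the defender's counter-move once the algorithm has been reverse-engineered: precompute the upcoming domains, then match DNS telemetry against that list.

```python
"""Illustrative date-seeded DGA plus the defender-side precomputation.

Hypothetical algorithm written for this article. It is NOT Grandoreiro's
DGA; seed, hashing, TLDs and domain count are assumptions.
"""
import datetime as dt
import hashlib
import re

TLDS = ("com", "net", "org")          # assumed TLD rotation
DOMAINS_PER_DAY = 4                   # assumed number of candidates per day
DEFAULT_SEED = b"example-seed"        # assumed hardcoded seed inside the sample
DGA_LABEL = re.compile(r"^[0-9a-f]{12}\.(com|net|org)$")


def generate_domains(day: dt.date, seed: bytes = DEFAULT_SEED,
                     count: int = DOMAINS_PER_DAY) -> list[str]:
    """Malware side: derive the day's candidate C&C domains from the date and seed.

    Every infected host runs the same function with the same clock, so they all
    agree on today's domains without any of them being hardcoded in the binary.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).hexdigest()
        label = digest[:12]                              # pseudo-random label
        tld = TLDS[int(digest[-2:], 16) % len(TLDS)]     # pick a TLD from the digest
        domains.append(f"{label}.{tld}")
    return domains


def blocklist_window(start: dt.date, days_ahead: int,
                     seed: bytes = DEFAULT_SEED) -> set[str]:
    """Defender side: once the algorithm and seed are recovered, precompute every
    domain the malware will try over the next N days so they can be registered,
    sinkholed or blocked before the operators use them."""
    domains: set[str] = set()
    for offset in range(days_ahead):
        domains.update(generate_domains(start + dt.timedelta(days=offset), seed))
    return domains


def is_dga_hit(qname: str, blocklist: set[str]) -> bool:
    """Normalise a DNS query name (case, trailing dot) and check it against the list."""
    return qname.rstrip(".").lower() in blocklist


def scan_dns_log(lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, qname) pairs for queries that match a precomputed domain.

    Expects constructed log lines of the form '<timestamp> <client_ip> <qname>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                                     # skip malformed lines
        _ts, client, qname = parts
        if is_dga_hit(qname, blocklist):
            hits.append((client, qname.rstrip(".").lower()))
    return hits


if __name__ == "__main__":
    today = dt.date(2024, 1, 30)
    blocklist = blocklist_window(today, days_ahead=7)
    # Constructed log: two benign queries and one to today's first DGA domain.
    constructed_log = [
        f"2024-01-30T10:00:01 10.0.0.5 www.example.com.",
        f"2024-01-30T10:00:02 10.0.0.7 {generate_domains(today)[0].upper()}.",
        f"2024-01-30T10:00:03 10.0.0.5 mail.example.org",
    ]
    for client, qname in scan_dns_log(constructed_log, blocklist):
        print(f"DGA C&C lookup from {client}: {qname}")
```

The point of the precomputed window is that the defender only needs the algorithm and its seed, both recoverable from the binary, to get ahead of the operators; the same knowledge is what lets a takedown registrar or sinkhole the domains before they go live.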

Most of the IP addresses these domains resolve to are hosted on Amazon Web Services (AWS) and Microsoft Azure, and the lifespan of an individual C&C IP address ranges from one day to 425 days. On average there are 13 active C&C IP addresses on any given day, three of which are new that day.

ESET also said that Grandoreiro's flawed implementation of its RealThinClient (RTC) network protocol for C&C allowed it to learn how many victims were connected to a given C&C server at a time, identifying an average of 551 unique victims per day, mainly located in Brazil, Mexico and Spain.

Further research has shown that an average of 114 new unique victims connect to the C&C servers every day.

“The disruption operation led by Brazil’s Federal Police targeted individuals believed to be high in the hierarchy of the Grandoreiro operation,” ESET said.
