A Brazilian law enforcement operation has arrested several Brazilian operators responsible for the Grandoreiro malware.
Brazil’s federal police said it had issued five provisional arrest warrants and 13 search and seizure warrants in the states of Sao Paulo, Santa Catarina, Pará, Goiás and Mato Grosso.
Slovak cybersecurity firm ESET, which provided additional help in the effort, said it discovered a design flaw in the Grandoreiro network protocol that helped it identify victim patterns.
Grandoreiro is one of many Latin American banking Trojans, alongside Javali, Melcoz, Casbaneiro, Mekotio and Vadokrist, which mainly target countries such as Spain, Mexico, Brazil and Argentina. It is understood to have been active since 2017.
In late October 2023, Proofpoint disclosed details of a phishing campaign that distributed updated versions of the malware to targets in Mexico and Spain.
The banking Trojan can both steal data via keylogging and screenshots and steal bank login credentials through an overlay shown when an infected victim visits a bank website pre-identified by the threat actor. It can also display fake pop-ups and block the victim’s screen.
The attack chain typically relies on phishing lures carrying a decoy document or a malicious URL; opening or clicking the lure leads to deployment of the malware, which then establishes contact with a command-and-control (C&C) server so the operators can remotely control the computer by hand.
“Grandoreiro periodically monitors the foreground window looking for windows belonging to the web browser process,” ESET said.
“When such a window is found and its name matches any string in the hard-coded list of bank-related strings, the malware initiates communication with its C&C server, sending at least one request per second until terminated.”
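A defender-side heuristic for the beaconing behaviour ESET describes above (at least one request per second to the C&C while a bank window is in the foreground), written as an added example rather than code from the article or from ESET. The log format, client addresses and host names are constructed placeholders, and the thresholds (`max_gap`, `min_requests`) are assumptions to tune per environment:

```python
from collections import defaultdict


def constructed_log():
    """Constructed proxy-log lines in a simplified squid-like
    '<epoch seconds> <client ip> <destination host>' format.
    Every address and host name here is invented, not an indicator."""
    lines = []
    # Normal browsing: five requests spread over about a minute.
    for t in [0, 11, 25, 40, 58]:
        lines.append(f"{1706608800 + t:.3f} 10.0.0.7 news.example")
    # Bank tab in the foreground: one request every 0.5 s for 6 s.
    for i in range(12):
        lines.append(f"{1706608800 + i * 0.5:.3f} 10.0.0.5 c2-placeholder.example")
    # A short burst that should not be flagged on its own.
    for i in range(3):
        lines.append(f"{1706608900 + i * 0.8:.3f} 10.0.0.9 cdn.example")
    return lines


def find_beaconing(lines, max_gap=1.0, min_requests=10):
    """Return {(src, dst): stats} for client/destination pairs that issued a
    run of at least `min_requests` consecutive requests with no gap larger
    than `max_gap` seconds, i.e. the 'one request per second' pattern."""
    times = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        times[(src, dst)].append(float(ts))
    flagged = {}
    for key, ts in times.items():
        ts.sort()
        # Longest run of consecutive requests where every gap <= max_gap.
        best = run = 1
        for a, b in zip(ts, ts[1:]):
            run = run + 1 if b - a <= max_gap else 1
            best = max(best, run)
        if best >= min_requests:
            flagged[key] = {"requests": len(ts), "longest_run": best,
                            "span_s": round(ts[-1] - ts[0], 3)}
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in find_beaconing(constructed_log()).items():
        print(f"{src} -> {dst}: {stats}")
```

Only the 0.5-second series is flagged; occasional browsing and a three-request burst stay below the run threshold, which is what keeps false positives down on real proxy logs.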
It is understood that the threat actors behind the malware began using domain generation algorithms (DGA) around October 2020 to dynamically generate the domains used for C&C traffic, making the infrastructure harder to block, track or take over.
Most of the IP addresses these domains resolve to are hosted by Amazon Web Services (AWS) and Microsoft Azure, and the lifetime of a C&C IP address ranges from 1 day to 425 days. On average there are 13 active C&C IP addresses and 3 new C&C IP addresses per day.
ESET also stated that a flaw in Grandoreiro’s implementation of the RealThinClient (RTC) network protocol used for C&C made it possible to learn how many victims were connected to a C&C server. There were an average of 551 victims per day, mainly distributed across Brazil, Mexico and Spain.
Further investigation revealed that an average of 114 new unique victims were connecting to the C&C server every day.
“The sabotage operation led by Brazil’s federal police targeted individuals believed to be at the top of Operation Grandoreiro,” ESET said.