Brazilian law enforcement has arrested several operators responsible for the Grandoreiro malware. The Federal Police of Brazil conducted a raid in multiple states, serving arrest warrants and search and seizure warrants. Slovak cybersecurity firm ESET assisted in the operation by identifying a design flaw in the malware’s network protocol. Grandoreiro is a Latin American banking trojan that has been active since 2017 and primarily targets countries such as Spain, Mexico, Brazil, and Argentina. In October 2023, Proofpoint revealed details of a phishing campaign that distributed an updated version of the malware in Mexico and Spain.
Grandoreiro has the ability to steal data through keyloggers and screenshots, as well as siphon bank login information from overlays on targeted banking sites. It can also display fake pop-up windows and block the victim’s screen. Phishing lures and malicious URLs are used to deploy the malware, which establishes contact with a command-and-control (C&C) server for remote control. The malware monitors web browser processes and initiates communication with the C&C server when a bank-related window is found. The threat actors behind Grandoreiro use a domain generation algorithm (DGA) to dynamically identify C&C traffic destinations, making it harder to block or track.
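The article notes that Grandoreiro reaches its C&C servers through a domain generation algorithm, which is exactly why blocklisting individual domains is weak against it. The following is an added example, not code from the article, ESET, or the malware: a defender-side heuristic that scans DNS query logs for algorithmically generated-looking names (high character entropy, heavy digit use, few vowels) and then reports hosts that resolve several such names. It does not reproduce Grandoreiro's actual DGA, which the article does not describe; the log format and sample lines are constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS resolver log (not real Grandoreiro traffic).
SAMPLE_DNS_LOG = """\
2024-01-30T10:00:01Z client=10.0.0.5 query=www.example.com type=A rcode=NOERROR
2024-01-30T10:00:02Z client=10.0.0.5 query=mail.corp.example.net type=A rcode=NOERROR
2024-01-30T10:00:03Z client=10.0.0.7 query=xk3q9vz2l8bwp.com type=A rcode=NXDOMAIN
2024-01-30T10:00:04Z client=10.0.0.7 query=q7zr1mvx48ktp.net type=A rcode=NXDOMAIN
2024-01-30T10:00:05Z client=10.0.0.7 query=zv5kq2xrm9wtn.org type=A rcode=NOERROR
2024-01-30T10:00:06Z client=10.0.0.9 query=cdn.assets.example.org type=A rcode=NOERROR
"""

# Assumed log layout: key=value fields; only client, query and rcode are used.
LINE_RE = re.compile(
    r"client=(?P<client>\S+)\s+query=(?P<domain>\S+)\s+\S+\s+rcode=(?P<rcode>\S+)"
)


def shannon_entropy(text):
    """Bits of entropy per character of the string."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Second-level label of the name; assumes single-label public suffixes."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain):
    """Generic 0-3 score for 'machine generated' look; not Grandoreiro's DGA."""
    label = registrable_label(domain)
    if len(label) < 7:
        return 0.0  # short labels are too noisy to score
    entropy = shannon_entropy(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    score = 0.0
    if entropy > 3.2:
        score += 1.0  # near-uniform character distribution
    if digit_ratio > 0.2:
        score += 1.0  # many digits interleaved with letters
    if vowel_ratio < 0.2:
        score += 1.0  # unpronounceable, unlike most brand names
    return score


def flag_suspicious(log_text, threshold=2.0):
    """Return (client, domain, score, rcode) for queries at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        score = dga_score(m.group("domain"))
        if score >= threshold:
            hits.append((m.group("client"), m.group("domain"), score, m.group("rcode")))
    return hits


def clients_with_dga_activity(hits, min_domains=2):
    """Hosts that resolved at least min_domains distinct suspicious names.

    A single random-looking name is weak evidence (CDNs and tracking hosts
    look similar); a burst of them from one host, often with NXDOMAIN answers,
    is the pattern worth triaging.
    """
    per_client = defaultdict(set)
    for client, domain, _score, _rcode in hits:
        per_client[client].add(domain)
    return sorted(c for c, doms in per_client.items() if len(doms) >= min_domains)


if __name__ == "__main__":
    found = flag_suspicious(SAMPLE_DNS_LOG)
    for client, domain, score, rcode in found:
        print(f"{client} -> {domain} score={score} rcode={rcode}")
    print("hosts to triage:", clients_with_dga_activity(found))
```

The thresholds are starting points for tuning against your own resolver logs; the useful signal is the per-host aggregation, which flags a machine cycling through candidate C&C names rather than any one domain.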
ESET found that Grandoreiro’s flawed implementation of its RealThinClient (RTC) network protocol allowed the researchers to gather information about the number of connected victims. On average, 551 unique victims were connected to the C&C server each day, with 114 new unique victims connecting daily. The operation by the Federal Police of Brazil targeted individuals believed to hold high positions in the Grandoreiro operation hierarchy.
