January 30, 2024 at 12:30PM
Brazilian law enforcement arrested several operators of the Grandoreiro malware in a recent operation. Slovak cybersecurity firm ESET assisted by uncovering a design flaw in Grandoreiro's network protocol. The banking trojan targets Latin American countries and can steal data and remotely control infected devices. The operation aimed to disrupt the Grandoreiro operation hierarchy.
Key takeaways:
– Brazilian law enforcement operation resulted in arrests of operators of the Grandoreiro malware.
– ESET uncovered a design flaw in Grandoreiro's network protocol, which helped identify victimology patterns.
– Grandoreiro is a Latin American banking trojan targeting countries like Spain, Mexico, Brazil, and Argentina since 2017.
– Proofpoint revealed details of a phishing campaign distributing an updated version of Grandoreiro to targets in Mexico and Spain in late October 2023.
– Grandoreiro has the capability to steal data through keyloggers and screenshots and siphon bank login information from overlays.
– The malware’s attack chains typically use phishing lures with decoy documents or malicious URLs to deploy malware for remote control.
– Since around October 2020, Grandoreiro has employed a domain generation algorithm (DGA) to dynamically determine the destination domain for C&C traffic.
– The threat actors behind Grandoreiro primarily use IP addresses provided by Amazon Web Services (AWS) and Microsoft Azure for C&C traffic.
– On average, 551 unique victims connect to the C&C server per day, mainly in Brazil, Mexico, and Spain. Around 114 new unique victims connect to the C&C servers each day.
– The disruption operation targeted individuals believed to be high up in the Grandoreiro operation hierarchy.