May 18, 2024 at 06:20PM
The Android banking trojan “Grandoreiro” is a persistent threat, despite a recent law enforcement crackdown. It’s now targeting English-speaking countries and using diverse phishing lures, including government impersonation emails. The latest variant features advanced evasive tactics, expanded targeting, and detailed victim profiling. IBM analysts have noted its ability to avoid execution in specific countries.
Summary of Meeting Notes:
– The Android banking trojan “Grandoreiro” has been spreading in a large-scale phishing campaign across 60 countries, targeting 1,500 banks’ customer accounts.
– An international law enforcement operation involving Brazil, Spain, Interpol, ESET, and CaixaBank disrupted the malware operation responsible for $120 million in losses.
– Despite the crackdown, the Grandoreiro trojan has returned to large-scale operations, now targeting English-speaking countries as well.
– Multiple threat actors rent the malware, resulting in diverse phishing lures tailored to specific organizations and countries.
– Phishing emails impersonate government entities in Mexico, Argentina, and South Africa, using native languages, official logos, and formats to lure recipients into clicking links that trigger the download of the Grandoreiro loader.
– The latest variant of the Grandoreiro trojan features various updates and new capabilities, including improved string decryption, updates to the domain generation algorithm, the ability to target Microsoft Outlook clients, a new persistence mechanism, expanded bank application and cryptocurrency wallet targeting, and an expanded command set that includes remote control, file upload/download, keylogging, and browser manipulation via JavaScript.
– The latest version of the trojan avoids execution in certain countries and on specific systems, indicating its resilience and continued threat despite law enforcement actions.