IBM X-Force Report: Grandoreiro Malware Attacks Over 1,500 Banks Across 60 Countries

IBM X-Force has released a new report highlighting the evolution of the Grandoreiro malware, a banking trojan that can now target over 1,500 global banks across 60 countries with enhanced features. Originally focused on Spanish-speaking countries, recent campaigns have expanded to Europe, Asia, and Africa. The malware has the ability to send phishing emails directly from the victim’s Microsoft Outlook client to local email addresses.

Grandoreiro, first identified by Interpol in 2017, allows cybercriminals to control infected devices, log keystrokes, manage windows and processes, and perform various other malicious activities in addition to its banking trojan capabilities. Multiple operators have been involved in Grandoreiro attacks, using a Malware-as-a-Service business model. Recent arrests of cybercriminals linked to Grandoreiro have taken place in Spain and Brazil, but the threat remains active.

Phishing campaigns targeting specific countries have been observed, with emails impersonating entities like tax services to lure users into clicking malicious links. Once a user clicks on the link, a loader collects data from the victim’s computer and sends it to a command and control server. If conditions are met, the Grandoreiro trojan is downloaded and executed, targeting specific banking applications and cryptocurrency wallets.

Recent updates to Grandoreiro include a new domain generation algorithm (DGA) for C2 server references, allowing for separation of tasks among multiple operators. The malware now abuses local Microsoft Outlook software to collect email addresses and send phishing emails, avoiding detection by deleting sent emails from the victim’s mailbox.

To protect against Grandoreiro, network analysis should be conducted to detect potential infections, and endpoint security software should be deployed on all devices. Monitoring Windows registry keys, blocking pre-calculated DGA domains, educating users about phishing emails, and keeping systems updated are recommended preventive measures.
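One of the recommended measures above, blocking pre-calculated DGA domains, only helps if the resolver logs are actually checked against the list. The following is an added illustration of that check and is not code from IBM X-Force or the report; the blocklist entries, the dnsmasq-style log lines and the client addresses are constructed placeholders, not Grandoreiro indicators, and a real deployment would load the vendor's published DGA output instead.

```python
"""Match DNS query logs against a blocklist of pre-calculated DGA domains.

Added illustration: blocklist entries and log lines are constructed, not
indicators from the IBM X-Force report.
"""
import re
from collections import Counter

# Constructed blocklist. In practice this is the pre-calculated DGA output
# published by a threat-intel source, one registrable domain per entry.
BLOCKED_DOMAINS = {
    "example-dga-aaaa.invalid",
    "example-dga-bbbb.invalid",
}

# Constructed resolver log lines in a dnsmasq-like "query[A] <name> from <ip>" format.
SAMPLE_LOG = """\
Mar 12 10:01:02 resolver dnsmasq[811]: query[A] www.example.com from 10.0.0.5
Mar 12 10:01:03 resolver dnsmasq[811]: query[A] Example-DGA-AAAA.invalid. from 10.0.0.7
Mar 12 10:01:04 resolver dnsmasq[811]: query[A] cdn.example-dga-bbbb.invalid from 10.0.0.7
Mar 12 10:01:05 resolver dnsmasq[811]: query[A] mail.example.org from 10.0.0.9
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>[\d.]+)")


def normalize(name):
    """Lowercase and strip the trailing root dot so comparisons are exact."""
    return name.lower().rstrip(".")


def is_blocked(name, blocklist):
    """True if the name itself or any parent domain of it is on the blocklist.

    Walking the suffixes catches subdomains of a listed DGA domain, which a
    plain set lookup on the full name would miss.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_hits(log_text, blocklist=BLOCKED_DOMAINS):
    """Return (client, normalized queried name) pairs that match the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group("name"), blocklist):
            hits.append((m.group("client"), normalize(m.group("name"))))
    return hits


def clients_by_hit_count(hits):
    """Count hits per client; a host repeatedly resolving DGA names is the one to isolate."""
    return Counter(client for client, _ in hits)


if __name__ == "__main__":
    matches = find_hits(SAMPLE_LOG)
    for client, name in matches:
        print(f"BLOCKED {client} -> {name}")
    print(dict(clients_by_hit_count(matches)))
```

Matching on every parent suffix rather than the exact name matters because a DGA list is usually published as registrable domains, while the infected host may query an arbitrary label beneath them. Feeding the per-client counts into endpoint triage is what turns the blocklist from a passive filter into a detection.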

In conclusion, the Grandoreiro malware threat continues to evolve and expand its reach globally, posing a significant risk to users and financial institutions. Vigilance and proactive security measures are essential to combating this persistent threat.

Article Source
https://www.techrepublic.com/article/ibm-xforce-grandoreiro-banking-trojan-malware/