The cybercriminals behind the Windows-based Grandoreiro banking trojan have resurfaced with a global phishing campaign, despite a law enforcement takedown in January 2024 aimed at dismantling the group's operations.
According to IBM's X-Force, these large-scale phishing attacks, which have been ongoing since March 2024, are now targeting over 1,500 banks worldwide, spanning more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific region. Previously, Grandoreiro's campaigns were mostly limited to Latin America, Spain, and Portugal.
The current campaign is likely facilitated by other cybercriminals via a malware-as-a-service (MaaS) model. It employs sophisticated phishing tactics, impersonating reputable organizations such as Mexico's Tax Administration Service (SAT), Federal Electricity Commission (CFE), Secretary of Administration and Finance, the Revenue Service of Argentina, and the South African Revenue Service (SARS). The phishing emails are designed to appear legitimate, urging recipients to click on links to view invoices, account statements, or make payments.
Victims are redirected to download a ZIP file containing the Grandoreiro trojan. This file download is disguised as an image of a PDF icon. The campaigns specifically target users within Latin America, using top-level domains such as “.mx” (Mexico), “.co” (Colombia), and “.cl” (Chile).
Grandoreiro's infection chain starts with a custom loader. This loader is notably large—over 100MB—to evade automatic antivirus scanning. It also includes a CAPTCHA pop-up imitating Adobe PDF reader to bypass automated execution.
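The two delivery details above (a ZIP archive carrying the trojan, and a loader padded past the size that automatic scanners will inspect) suggest a cheap triage check that reads only ZIP metadata. The following Python script is an added example written for this article, not code from X-Force or from any vendor; the 100 MB scanner cap, the executable-extension list and the sample archive are all assumptions constructed for the demonstration. It flags executables inside an archive, executables whose declared uncompressed size exceeds the cap, and document-lookalike names such as `invoice.pdf.exe`, without extracting anything.

```python
import io
import zipfile
from typing import Dict, List

# Assumed scanner cap: the article says the loader exceeds 100 MB to slip past
# automatic scanning, so anything above this size is treated as "unscanned".
DEFAULT_SIZE_LIMIT = 100 * 1024 * 1024

# Extensions Windows will execute directly (constructed list, not exhaustive).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd",
                       ".vbs", ".js", ".jse", ".hta", ".ps1", ".lnk")


def inspect_zip(data: bytes, size_limit: int = DEFAULT_SIZE_LIMIT) -> Dict[str, List[str]]:
    """Return {entry_name: [reasons]} for suspicious entries in a ZIP.

    Only the central directory is read: file_size and compress_size come from
    the archive metadata, so nothing is extracted to disk or memory. That also
    keeps the check safe against archives that expand to huge sizes.
    """
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            reasons: List[str] = []
            is_exe = name.endswith(EXECUTABLE_SUFFIXES)
            if is_exe:
                reasons.append("executable-in-archive")
                if info.file_size > size_limit:
                    reasons.append("oversize-executable")
            # Double extension such as "invoice.pdf.exe": the last suffix is
            # executable but the one before it suggests a document.
            parts = name.rsplit("/", 1)[-1].split(".")
            if is_exe and len(parts) > 2 and parts[-2] in ("pdf", "doc", "docx", "xls", "xlsx"):
                reasons.append("document-lookalike-name")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(payload_size: int) -> bytes:
    """Constructed test archive: a benign PDF-named file plus a padded executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Factura_SAT.pdf", b"%PDF-1.4\n% harmless placeholder\n")
        # Zero padding compresses to almost nothing, yet the declared
        # uncompressed size is what a scanner's size cap is compared against.
        archive.writestr("Factura_SAT.pdf.exe", b"MZ" + b"\x00" * payload_size)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(2 * 1024 * 1024)
    # A 1 MB cap keeps the demo archive small; production would use the real cap.
    for entry, why in inspect_zip(sample, size_limit=1024 * 1024).items():
        print(f"{entry}: {', '.join(why)}")
```

Because the size comparison uses the uncompressed size recorded in the central directory, a padded loader that compresses to a few kilobytes is still flagged, which is exactly the case a size-capped scanner misses. Run it against mail-gateway quarantines or a directory of downloaded attachments to surface candidates for manual review.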
The loader collects various system details, such as the computer name, username, OS version, installed antivirus solutions, and the victim’s country (determined via IP address).
This information gathering serves two purposes: verifying that the system is not a sandboxed environment and ensuring the victim is in a targeted country. For instance, certain samples of the trojan will not execute if the victim's IP is from Russia, Czechia, Poland, or the Netherlands. Additionally, it avoids infecting Windows 7 machines in the US that lack antivirus protection.
X-Force has observed a surge in attacks extending beyond Latin America to include Spain, Japan, the Netherlands, and Italy.
The latest variant of Grandoreiro has also seen significant updates, particularly in its string decryption and domain generation algorithm (DGA).
“The updates made to the malware, in addition to the significant increase in banking applications across several nations, indicate that the Grandoreiro distributors are seeking to conduct campaigns and deliver malware on a global scale,” the researchers noted.