This wide-ranging trojan has returned from the dead — Grandoreiro malware revives following police action
Two months after “dying”, Grandoreiro is back
Grandoreiro, the banking trojan whose operation was dismantled in January 2024, is back with a vengeance, according to a new report from IBM’s cybersecurity arm, X-Force, which says the trojan has been updated and is now targeting a much wider area.
In late January 2024, the Federal Police of Brazil, together with Interpol, the Spanish National Police, ESET, and Caixa Bank, dismantled the trojan operation, arrested five people, and made 13 search and seizure operations across Brazil.
At the time, it was said that Grandoreiro existed for seven years and primarily targeted Spanish-speaking nations.
Updates to the malware
Now, IBM’s X-Force says it has spotted a new campaign, which started in March this year. For now, the goal is simply to deploy the trojan to as many victims as possible, and to that end the attackers use a malware-as-a-service model. More than 1,500 banks in 60 countries are targeted, spanning Central and South America, Africa, Europe, and the Indo-Pacific region.
It is also worth mentioning that the malware actively avoids endpoints in countries such as Russia, Czechia, Poland, and the Netherlands, and that it doesn’t run on Windows 7 devices located in the US that have no antivirus program installed.
Besides targeting more victims, Grandoreiro itself was also updated.
“Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails,” the researchers explained.
“In order to interact with the local Outlook client, Grandoreiro uses the Outlook Security Manager tool, a software used to develop Outlook add-ins,” the researchers said. “The main reason behind this is that the Outlook Object Model Guard triggers security alerts if it detects access on protected objects.”
As usual, the best way to defend against these attacks is to be vigilant with all incoming email messages.
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.