Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns
Since March 2024, IBM X-Force has been monitoring large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is operated as Malware-as-a-Service (MaaS). The malware has been updated with improved string decryption and a reworked domain generation algorithm (DGA), and it can now use Microsoft Outlook on infected hosts to send further phishing emails.

Grandoreiro targets more than 1,500 banks in over 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific. The operators previously concentrated on Latin America, Spain, and Portugal; recent campaigns have impersonated government entities in Mexico, Argentina, and South Africa.

The infection chain starts with a custom loader that checks that the infected host is a genuine victim, collects basic system information, and then downloads the banking trojan. The trojan uses a complex string decryption routine and exchanges encrypted messages with its command and control (C2) servers. It supports a wide range of commands for remote control of the host, control of the malware itself, and data harvesting, and it can harvest email addresses from Outlook and abuse the victim's account to send spam.

The expansion of Grandoreiro's targeting and the updates to the malware suggest a strategic shift following law enforcement actions against its operators.

Organizations are advised to:

- treat unexpected emails and PDF attachments with caution;
- monitor network traffic for signs of infection, including C2 communication;
- block pre-calculated DGA domains;
- monitor the registry keys the malware uses for persistence;
- install endpoint security software and update network security rules;
- educate staff on the current lures.

Indicators of Compromise (IOCs) are provided so that organizations can detect and respond to Grandoreiro infections.

Malware: Grandoreiro

[View Article](https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/)