Brazil, Mexico and Argentina are among the countries most affected by Grandoreiro, a banking Trojan that tricks people in order to steal their money and spreads via email, cybersecurity firm Kaspersky reported.
Grandoreiro is a banking Trojan of Brazilian origin that, according to Kaspersky data, has been active since at least 2016. Cybercriminals are estimated to have stolen more than €3.5 million from their victims.
How does Grandoreiro malware operate?
Attacks carried out through this malware usually start with a spear-phishing email written in Spanish, Portuguese or English.
Spear-phishing attacks are personalized and targeted at specific individuals or companies. They are usually carried out via emails that appear legitimate to the recipient and motivate them to share sensitive data such as login credentials or financial information, according to Kaspersky.
Once installed on the victim's device, the Trojan can perform the following actions:
- Tracks keystrokes
- Simulates mouse activity
- Shares the screen
- Collects data such as usernames, operating system information, device runtime and bank identifiers
- When the attackers gain full control of the victims' bank accounts, they empty them, sending the funds through a network of money mules to launder the illicit proceeds.
The Trojan has many versions, which could indicate that different operators are involved in the development of this malware. According to Kaspersky experts, Grandoreiro targets more than 900 financial institutions in more than 40 countries in Europe, North America and Latin America.
Spain, Brazil, Mexico, Portugal, Argentina and the United States were the most affected countries.
Experts are alert for Grandoreiro
Grandoreiro is a concern for different cybersecurity groups. In January of this year, ESET said that it was collaborating with the Brazilian Police to dismantle the malware.
“ESET has collaborated with the Brazilian Federal Police in dismantling the Grandoreiro botnet, providing technical analysis, statistical information and domain names and IP addresses of known command and control (C&C) servers.”
In addition, the computer security experts said that, as of January 2024, they had collaborated to provide crucial data to identify the accounts responsible for setting up the malware servers.