Grandoreiro, a notorious Brazilian banking trojan, has been active since 2016 and has grown into one of the most significant global financial cyberthreats. What began as a localized threat has evolved into a sophisticated and expansive malware operation targeting financial institutions across continents. This article delves into the origins, evolution, and operations of Grandoreiro, while offering practical advice for safeguarding against its relentless attacks.
The Evolution of Grandoreiro: From Brazil to Global Impact
Grandoreiro, part of the Tetrade malware family, first surfaced in Brazil in 2016. Written in Delphi, the trojan enables cybercriminals to perform fraudulent banking operations by hijacking the victim’s computer and bypassing security measures set by financial institutions. Over time, it has evolved from a regional threat in Latin America to a global menace affecting financial entities across the world.
Grandoreiro operates under a Malware-as-a-Service (MaaS) model, allowing cybercrime groups to deploy its various versions for targeted attacks. Although it does not advertise on underground forums like other banking trojans, Grandoreiro is known to be tightly controlled by a limited number of trusted partners who have access to its code.
“INTERPOL and law enforcement agencies across the globe are fighting against Grandoreiro, and Kaspersky is cooperating with them, sharing TTPs and IoCs. However, despite the disruption of some local operators of this trojan in 2021 and 2024, and the arrest of gang members in Spain, Brazil, and Argentina, they’re still active. We now know for sure that only part of this gang was arrested: the remaining operators behind Grandoreiro continue attacking users all over the world, further developing new malware and establishing new infrastructure.
Every year we observe new Grandoreiro campaigns targeting financial entities, using new tricks in samples with low detection rates by security solutions. The group has evolved over the years, expanding the number of targets in every new campaign we tracked. In 2023, the banking trojan targeted 900 banks in 40 countries — in 2024, the newest versions of the trojan targeted 1,700 banks and 276 crypto wallets in 45 countries and territories, located on all continents of the world. Asia and Africa have finally joined the list of its targets, making it a truly global financial threat. In Spain alone, Grandoreiro has been responsible for fraudulent activities amounting to 3.5 million euros in profits, according to conservative estimates — several failed attempts could have yielded beyond 110 million euros for the criminal organization.” Securelist.
The trojan’s operators have constantly updated their techniques, developing modular components and utilizing advanced evasion methods. In 2020, it expanded from Latin America into Europe, with Spain becoming a primary target. By 2023 and 2024, Grandoreiro had launched widespread campaigns, attacking over 1,700 banks and 276 cryptocurrency wallets in 45 countries, including new regions like Asia and Africa.
How Grandoreiro Works
Grandoreiro typically infects victims through phishing campaigns or malvertising (malicious advertising). The initial infection phase usually starts with a phishing email that contains a malicious link or attachment. For example, victims may receive an email with a fake bill or tax notification prompting them to download a malicious PDF or ZIP file. Once opened, the malware’s loader—often disguised as a legitimate Windows Installer file—downloads and executes the final Grandoreiro payload.
Recent versions of Grandoreiro have also incorporated more sophisticated techniques, such as:
- Domain Generation Algorithms (DGA): Used to communicate with command-and-control (C2) servers, making detection and blocking more challenging.
- Ciphertext Stealing (CTS) Encryption: A block-cipher mode the malware uses to encrypt its strings, which helps it evade traditional signature-based detection by security solutions.
- Mouse Behavior Tracking: The malware tracks the victim’s mouse movements so that its own actions mimic human behavior, which helps it bypass behavioral anti-fraud systems.
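The DGA item above is the one a network defender can act on directly: algorithmically generated domains tend to be long, high-entropy labels with digits and consonant runs, and an infected host looks them up in bursts until one resolves. The following detector is an added example written for this article, not code from the original page or from any vendor's product; the DNS log format, the thresholds and the IP addresses are constructed assumptions. The `burst_clients` step shows the general pattern (many DGA-like lookups from one client in a short window) rather than only the single-domain check.

```python
import math
import re
from collections import Counter

# Constructed DNS query log lines (not from any real capture).
SAMPLE_DNS_LOG = """\
2024-10-01T09:12:01Z client=10.0.0.15 query=www.example.com type=A
2024-10-01T09:12:03Z client=10.0.0.22 query=cdn.cloudfront-assets.net type=A
2024-10-01T09:12:05Z client=10.0.0.15 query=xkqzv7tpl3md9rw.com type=A
2024-10-01T09:12:05Z client=10.0.0.15 query=q8wjv2ztnkp6fx.net type=A
2024-10-01T09:12:06Z client=10.0.0.15 query=bnz4krtvw1xqh.org type=A
2024-10-01T09:12:07Z client=10.0.0.22 query=mail.example.com type=A
"""

# Assumed log layout: key=value fields, one query per line.
LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the label."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn: str) -> str:
    """Second-level label (assumption: no public-suffix list, so 'co.uk'-style
    suffixes are not handled)."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label: str) -> int:
    """Heuristic score 0..3: high entropy, many digits, long consonant runs.
    Each signal alone fires on some legitimate names; combined they rarely do."""
    score = 0
    if len(label) >= 10 and shannon_entropy(label) > 3.4:
        score += 1
    digits = sum(ch.isdigit() for ch in label)
    if digits / len(label) > 0.15:
        score += 1
    if CONSONANT_RUN.search(label):
        score += 1
    return score


def suspicious_queries(log_text: str, threshold: int = 2):
    """Return (client, query, score) for lookups scoring at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        score = dga_score(registrable_label(m.group("query")))
        if score >= threshold:
            hits.append((m.group("client"), m.group("query"), score))
    return hits


def burst_clients(hits, min_hits: int = 3):
    """Clients with several DGA-like lookups: the pattern of a DGA cycling
    through candidates until one resolves to a live C2 server."""
    per_client = Counter(client for client, _, _ in hits)
    return sorted(c for c, n in per_client.items() if n >= min_hits)


if __name__ == "__main__":
    found = suspicious_queries(SAMPLE_DNS_LOG)
    for client, query, score in found:
        print(f"{client} {query} score={score}")
    print("burst clients:", burst_clients(found))
```

On the constructed log, `cloudfront-assets` trips the entropy signal alone (score 1) and is correctly left out, while the three random-looking labels score 3 and come from the same client, which is the host worth isolating.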
A particularly dangerous feature of Grandoreiro is its ability to remotely control the victim’s machine and perform fraudulent banking transactions while masking them as legitimate activity. In many cases, it also signs its executables with digital certificates and inflates them to very large file sizes, techniques designed to slip past modern sandbox environments.
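Size inflation works because many scanners and sandboxes skip files above a size limit, and because padding changes the file hash without changing the code. A simple triage check an analyst can run is to measure how much of a file is one repeated byte and to hash the file with that padding stripped. The code below is an added example for this article, not from the original page or from any vendor; the sample "binary" is a constructed byte string, not a real dropper, and the 50% padding threshold is an assumption.

```python
import hashlib
import re

# Runs of one repeated byte; the regex engine scans in C, which matters for
# multi-megabyte inputs.
RUN_RE = re.compile(rb"(.)\1*", re.DOTALL)


def longest_run(data: bytes):
    """Return (byte_value, run_length, offset) of the longest run of one byte."""
    best = (None, 0, 0)
    for m in RUN_RE.finditer(data):
        length = m.end() - m.start()
        if length > best[1]:
            best = (m.group(1)[0], length, m.start())
    return best


def inflation_report(data: bytes, min_ratio: float = 0.5) -> dict:
    """Flag a file whose bulk is a single padding run (the size-inflation trick)."""
    value, length, offset = longest_run(data)
    ratio = length / len(data) if data else 0.0
    return {
        "size": len(data),
        "pad_byte": value,
        "pad_len": length,
        "pad_offset": offset,
        "pad_ratio": round(ratio, 4),
        "inflated": ratio >= min_ratio,
    }


def normalized_sha256(data: bytes, min_ratio: float = 0.5) -> str:
    """SHA-256 with trailing inflation padding removed, so padded and unpadded
    copies of the same binary produce the same hash for matching and blocking."""
    value, length, offset = longest_run(data)
    trailing = offset + length == len(data)
    if trailing and data and length / len(data) >= min_ratio:
        data = data[:offset]
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a dropper: a small varied "core" followed by
# megabytes of zero padding. Not a real sample.
SAMPLE_CORE = b"MZ" + bytes(range(256)) * 16
SAMPLE_PADDED = SAMPLE_CORE + b"\x00" * (3 * 1024 * 1024)

if __name__ == "__main__":
    print(inflation_report(SAMPLE_PADDED))
    print(normalized_sha256(SAMPLE_PADDED) == normalized_sha256(SAMPLE_CORE))
```

Only a trailing run is stripped before hashing: padding inserted in the middle of a PE would still be reported as inflation but would need section-aware handling, which this check deliberately does not attempt.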
Law Enforcement Response and Challenges
Global law enforcement agencies, including INTERPOL, have made notable efforts to combat Grandoreiro. In 2021 and 2024, joint operations between Spanish, Brazilian, and Argentine law enforcement led to the arrests of several key gang members responsible for Grandoreiro operations. Despite these successful actions, the malware continues to pose a global threat. Only part of the gang has been captured, and the remaining operators have since fragmented the malware into lighter, more specialized versions. These variants focus on specific geographic regions, such as Mexico, while continuing to develop new malicious infrastructure.
Grandoreiro’s Impact: Financial and Beyond
In 2023, Grandoreiro’s attacks resulted in estimated financial losses of 3.5 million euros in Spain alone. While this figure is staggering, it pales in comparison to the 110 million euros that could have been lost if several attempted attacks had succeeded. The financial sector remains the primary target, but Grandoreiro has also expanded its scope to include cryptocurrency wallets. The trojan’s operators have adapted to the growing cryptocurrency industry, adding features that monitor clipboard activity and replace copied cryptocurrency wallet addresses with their own, a common technique in crypto-related cybercrime.
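The clipboard-swap behaviour described above leaves a recognisable trace on the endpoint: the clipboard holds one wallet address, and moments later, with no copy action by the user, it holds a different address of the same kind. The monitor below is an added example for this article, not code from the original page; it assumes a hook that tags user-initiated copies (the `user_copy` flag) and a polling loop that samples the clipboard, and all addresses are constructed placeholders in the right shape, not real wallets.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Address shapes checked. These regexes test shape only, not checksum validity.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "btc": re.compile(r"bc1[02-9ac-hj-np-z]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
}


def address_kind(text: str) -> Optional[str]:
    """Return 'eth', 'btc' or None for the clipboard text."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return kind
    return None


@dataclass
class ClipboardEvent:
    t: float         # seconds since the monitor started
    content: str     # clipboard text at that moment
    user_copy: bool  # True if a keyboard/menu copy was observed (assumed hook), False for a poll


def detect_swaps(events: List[ClipboardEvent], max_gap: float = 2.0) -> list:
    """Alert when an address in the clipboard silently becomes a different
    address of the same kind, with no user copy and within max_gap seconds."""
    alerts = []
    previous = None
    for event in events:
        if previous is not None and not event.user_copy:
            before, after = address_kind(previous.content), address_kind(event.content)
            if (before is not None and before == after
                    and previous.content != event.content
                    and event.t - previous.t <= max_gap):
                alerts.append({"t": event.t, "kind": after,
                               "expected": previous.content, "observed": event.content})
        previous = event
    return alerts


# Constructed addresses (placeholder strings of the right shape, not real wallets).
USER_ETH = "0x" + "1234567890abcdef" * 2 + "12345678"
SWAPPED_ETH = "0x" + "deadbeef" * 5
USER_BTC = "bc1" + "q" * 30

# Constructed event stream: one swap, then benign activity.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, USER_ETH, True),      # user copies their own address
    ClipboardEvent(0.4, SWAPPED_ETH, False),  # poll: clipboard now holds another address
    ClipboardEvent(0.9, SWAPPED_ETH, False),  # unchanged since the last poll
    ClipboardEvent(5.0, "meeting notes", True),
    ClipboardEvent(6.0, USER_BTC, True),
    ClipboardEvent(6.5, USER_BTC, False),     # poll: untouched, no alert
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"t={alert['t']} {alert['kind']} address replaced: "
              f"expected {alert['expected']}, observed {alert['observed']}")
```

The same comparison is the user-side defence the tip list below implies: before confirming a transfer, compare the pasted address character by character with the one you copied, because a swapped address is itself well-formed and passes any checksum validation.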
Victims and Targets
“The Grandoreiro banking trojan is primed to steal the credentials of accounts at 1,700 financial institutions, located in 45 countries and territories. After decrypting the strings of the malware, we can see the targeted banks listed separated by countries/territories. This doesn’t mean that Grandoreiro will target a specific bank from the list; it means it is ready to steal credentials and act, if there is a local partner or money mule who can operationalize and complete the action. The banks targeted by Grandoreiro are located in Algeria, Angola, Antigua and Barbuda, Argentina, Australia, Bahamas, Barbados, Belgium, Belize, Brazil, Canada, Cayman Islands, Chile, Colombia, Costa Rica, Dominican Republic, Ecuador, Ethiopia, France, Ghana, Haiti, Honduras, India, Ivory Coast, Kenya, Malta, Mexico, Mozambique, New Zealand, Nigeria, Panama, Paraguay, Peru, Philippines, Poland, Portugal, South Africa, Spain, Switzerland, Tanzania, Uganda, United Kingdom, Uruguay, USA, and Venezuela. It’s important to note that the list of targeted banks and institutions tends to change slightly from one version to another.
From January to October 2024, our solutions blocked more than 150,000 infections impacting more than 30,000 users worldwide, a clear sign the group is still very active. According to our telemetry, the countries most affected by Grandoreiro infections are Mexico, Brazil, Spain, and Argentina, among many others.” Securelist.
10 Ways to Avoid Grandoreiro and Similar Threats
- Be Cautious with Emails: Avoid opening attachments or clicking on links from unknown or suspicious sources. Phishing emails are a primary infection vector for Grandoreiro.
- Implement Multi-Factor Authentication (MFA): Strengthen your security by adding MFA to your banking and financial accounts.
- Regularly Update Software: Ensure all operating systems, applications, and antivirus software are up to date with the latest patches and security updates.
- Deploy Endpoint Detection and Response (EDR): EDR solutions can detect and mitigate threats like Grandoreiro in real time by monitoring suspicious activities.
- Use Strong Passwords and a Password Manager: Weak passwords can be easily compromised. Use complex passwords and manage them securely.
- Monitor Financial Accounts Regularly: Frequently check your bank and cryptocurrency accounts for unusual transactions or activity.
- Disable Macros in Office Files: Grandoreiro and similar malware often exploit Office macros. Disable them unless absolutely necessary.
- Implement Network Segmentation: Separate your network into distinct zones to limit the spread of malware in case of infection.
- Use DNS Filtering Services: These can block access to malicious domains associated with Grandoreiro’s C2 servers.
- Train Employees in Cybersecurity Awareness: Social engineering remains a common entry point for trojans like Grandoreiro. Invest in cybersecurity training programs.
Conclusion
Grandoreiro is an evolving global threat, continuously developing new techniques to evade detection and exploit financial institutions and their customers. Its operators have demonstrated persistence and adaptability, making it a formidable adversary for law enforcement and cybersecurity professionals alike. Protecting against this type of malware requires a comprehensive cybersecurity strategy that includes robust technical solutions and user awareness.