When I want to know about banking and finance I come to Refi Review - Reader
January 30, 2024

Police foil Grandoreiro banking malware op, nab suspects.

Tens of thousands of computers worldwide have been infected by Grandoreiro malware; the Federal Police of Brazil recently arrested five individuals in relation to the malware. The arrests were the result of a joint operation conducted by ESET, Interpol, the National Police in Spain, and Caixa Bank. The malware has been active since 2017 and has primarily targeted Spanish-speaking countries, with most victims located in Spain, Mexico, and Brazil.

The Grandoreiro malware primarily functions as a Windows banking trojan. It is designed to monitor web browser processes related to banking activities and initiate communication with its command and control servers. Attackers must manually interact with the malware to conduct financial theft. The malware can serve victims fake pop-up windows, simulate mouse and keyboard input, send a live feed of the victim’s screen, block local viewing of the screen, and log keystrokes. Developers of the malware have released frequent updates to add new features and enhance its capabilities.

ESET, the cybersecurity firm involved in the operation, was able to track Grandoreiro’s servers despite the use of a Domain Generation Algorithm (DGA) by the malware. By analyzing the DGA mechanism, researchers at ESET were able to predict future domains generated by the malware. This allowed them to gain insights into the operation’s victimology and volume. Most victims were found to be located in Spain, followed by Mexico and Brazil.
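To illustrate the defensive value of reversing a DGA as described above, here is an added example (not ESET's code, and not Grandoreiro's real algorithm, which the article does not describe): a constructed date-seeded DGA stand-in, a routine that precomputes the domains it will produce over coming days, and a check of constructed DNS resolver log lines against that predicted set.

```python
import datetime as dt
import hashlib

# Constructed stand-in for a reversed DGA; Grandoreiro's real algorithm is not
# described in the article, so the seed and scheme here are hypothetical.
SEED = "constructed-seed"
TLDS = ["com", "net", "org"]
START_DAY = dt.date(2024, 1, 30)

def dga_domain(seed: str, day: dt.date, index: int, tld: str) -> str:
    """Derive one domain for a given day and per-day counter (deterministic)."""
    material = f"{seed}|{day.isoformat()}|{index}".encode()
    label = hashlib.sha256(material).hexdigest()[:12]
    return f"{label}.{tld}"

def predict_domains(seed: str, start: dt.date, days: int, per_day: int) -> set:
    """Precompute every domain the DGA will produce over the next `days` days.
    A defender can feed this set to a DNS blocklist or sinkhole ahead of time."""
    predicted = set()
    for offset in range(days):
        day = start + dt.timedelta(days=offset)
        for i in range(per_day):
            predicted.add(dga_domain(seed, day, i, TLDS[i % len(TLDS)]))
    return predicted

def flag_dns_queries(log_lines, predicted):
    """Match log lines ('<timestamp> <client-ip> <qname>') against predicted domains."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        qname = parts[2].rstrip(".").lower()  # strip trailing root dot
        if qname in predicted:
            hits.append((parts[1], qname))
    return hits

def sample_dns_log():
    """Constructed resolver log: one benign query, one DGA query, one malformed line."""
    dga_query = dga_domain(SEED, START_DAY, 0, TLDS[0])
    return [
        "2024-01-30T09:12:01Z 10.0.0.7 www.example.com.",
        f"2024-01-30T09:12:05Z 10.0.0.5 {dga_query}.",
        "garbled",
    ]

if __name__ == "__main__":
    domains = predict_domains(SEED, START_DAY, 3, 2)
    for client, qname in flag_dns_queries(sample_dns_log(), domains):
        print(f"DGA lookup from {client}: {qname}")
```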

It is unclear if the individuals arrested in Brazil held a leading role in the malware operation or if there is a risk of Grandoreiro returning in the future. The disruption caused by the arrests has brought the malware operations to a complete halt for now. The operation serves as a reminder of the ongoing threat of banking malware and the need for cybersecurity measures to protect against such attacks.