Grandoreiro Banking Trojan Resurfaces with New ‘Light’ Version, Expands Global Reach and Targets Mexico

Grandoreiro, an advanced banking trojan, has resurfaced in a new “light” version that targets financial institutions in Mexico, defying recent arrests and adopting novel detection-evading tactics. Despite global efforts, Grandoreiro remains one of the most active banking threats, affecting over 1,700 banks worldwide.


29 October 2024 – Amid ongoing efforts to curb the spread of banking trojans, the notorious Grandoreiro malware continues to evolve, with its operators deploying a streamlined, “light” version to target new regions, particularly Mexico. According to Kaspersky’s Global Research and Analysis Team (GReAT), this new iteration is active in campaigns aimed at approximately 30 Mexican financial institutions, with findings scheduled for presentation at the Security Analyst Summit (SAS) 2024 in Bali.

Despite recent arrests of key Grandoreiro operatives in Brazil as part of an INTERPOL-coordinated operation, the malware has adapted its attack strategy. Kaspersky’s researchers report that the trojan’s codebase has been fragmented into smaller, lighter versions, allowing affiliated cybercriminals to continue operations without the need for the full, original malware package. Unlike traditional “Malware-as-a-Service” models, Grandoreiro’s access remains limited, believed to be granted only to a select group of trusted affiliates.

“Grandoreiro’s evolution into fragmented, lighter versions signals a trend that could expand beyond Latin America,” explained Fabio Assolini, Head of Latin America for GReAT. Assolini noted that only a few affiliates likely have access to Grandoreiro’s source code, enabling them to customize this malware for targeted attacks while avoiding underground markets.

Kaspersky’s latest analysis reveals that Grandoreiro’s activity accounted for about five percent of global banking trojan incidents in 2024, making it one of the most pervasive threats of the year. The new malware variants incorporate advanced tactics to bypass detection, including mimicking user behavior by recording and replaying mouse movements and encrypting code strings through a technique called Ciphertext Stealing (CTS)—a cryptographic method not previously seen in malicious software. This encryption obfuscates the malware’s structure, complicating detection efforts by security analysts.
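Ciphertext Stealing is a standard block-cipher mode (NIST SP 800-38A addendum; the CS3 layout below is the one RFC 3962 specifies for Kerberos AES encryption types), not something the Grandoreiro authors invented. The reason it is attractive for hiding strings is the property the example demonstrates: the ciphertext is exactly as long as the plaintext, with no padding block, so an encrypted string leaves no length or padding fingerprint for a scanner to key on. The code below is an added illustration written for this article, not code from Kaspersky's analysis or from the malware; the key, IV and sample string are constructed values and the function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// blockSize is the AES block length (16 bytes); stealing only matters for
// inputs that are not a multiple of it.
const blockSize = aes.BlockSize

// xorBytes writes a XOR b into dst; all three must be at least len(dst) long.
func xorBytes(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// cbcCtsEncrypt implements CBC ciphertext stealing in the CS3 layout: the
// final partial block is zero-padded, chained and encrypted, then the last two
// ciphertext blocks are swapped and the penultimate one truncated, so that
// len(ct) == len(pt) and no padding bytes are ever emitted.
// pt must be at least one block long.
func cbcCtsEncrypt(block cipher.Block, iv, pt []byte) ([]byte, error) {
	n := len(pt)
	if n < blockSize || len(iv) != blockSize {
		return nil, errors.New("cbc-cts: need a one-block IV and at least one block of plaintext")
	}
	m := (n + blockSize - 1) / blockSize // number of blocks, the last possibly partial
	d := n - (m-1)*blockSize             // bytes in the final block, 1..16
	ct := make([]byte, n)
	prev := iv
	// Ordinary CBC over the first m-1 (full) blocks.
	for i := 0; i < m-1; i++ {
		blk := ct[i*blockSize : (i+1)*blockSize]
		xorBytes(blk, pt[i*blockSize:(i+1)*blockSize], prev)
		block.Encrypt(blk, blk)
		prev = blk
	}
	if m == 1 { // a single full block is plain CBC
		xorBytes(ct, pt, prev)
		block.Encrypt(ct, ct)
		return ct, nil
	}
	// Final block: zero-pad to a full block, chain with C_{m-1}, encrypt.
	last := make([]byte, blockSize)
	copy(last, pt[(m-1)*blockSize:])
	xorBytes(last, last, prev)
	block.Encrypt(last, last)
	// Steal: C_m takes the penultimate slot; only the first d bytes of C_{m-1} are kept.
	penult := make([]byte, blockSize)
	copy(penult, prev)
	copy(ct[(m-2)*blockSize:(m-1)*blockSize], last)
	copy(ct[(m-1)*blockSize:], penult[:d])
	return ct, nil
}

// cbcCtsDecrypt reverses cbcCtsEncrypt: decrypting the relocated C_m yields
// the plaintext tail plus the stolen bytes of C_{m-1}, which are needed to
// finish decrypting the penultimate block.
func cbcCtsDecrypt(block cipher.Block, iv, ct []byte) ([]byte, error) {
	n := len(ct)
	if n < blockSize || len(iv) != blockSize {
		return nil, errors.New("cbc-cts: need a one-block IV and at least one block of ciphertext")
	}
	m := (n + blockSize - 1) / blockSize
	d := n - (m-1)*blockSize
	pt := make([]byte, n)
	if m == 1 {
		block.Decrypt(pt, ct)
		xorBytes(pt, pt, iv)
		return pt, nil
	}
	prev := iv
	// Ordinary CBC over the first m-2 blocks.
	for i := 0; i < m-2; i++ {
		blk := pt[i*blockSize : (i+1)*blockSize]
		block.Decrypt(blk, ct[i*blockSize:(i+1)*blockSize])
		xorBytes(blk, blk, prev)
		prev = ct[i*blockSize : (i+1)*blockSize]
	}
	// Penultimate slot holds the full C_m; the tail holds the first d bytes of C_{m-1}.
	x := make([]byte, blockSize)
	block.Decrypt(x, ct[(m-2)*blockSize:(m-1)*blockSize]) // x = (P_m || zeros) XOR C_{m-1}
	cPrev := make([]byte, blockSize)
	copy(cPrev, ct[(m-1)*blockSize:]) // the d bytes that were kept
	copy(cPrev[d:], x[d:])            // the stolen bytes, recovered because the pad was zeros
	xorBytes(pt[(m-1)*blockSize:], x[:d], cPrev[:d])
	pPrev := pt[(m-2)*blockSize : (m-1)*blockSize]
	block.Decrypt(pPrev, cPrev)
	xorBytes(pPrev, pPrev, prev)
	return pt, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key, not from any sample
	iv := make([]byte, blockSize)      // constructed all-zero IV
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pt := []byte("constructed-sample-string-not-a-real-ioc") // 40 bytes: 2 full blocks + 8
	ct, err := cbcCtsEncrypt(block, iv, pt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext  %d bytes\nciphertext %d bytes: %s\n", len(pt), len(ct), hex.EncodeToString(ct))
	back, _ := cbcCtsDecrypt(block, iv, ct)
	fmt.Printf("round trip: %q\n", back)
}
```

The defender-side takeaway is that string-based static scanning cannot recover such literals, and a length-preserving scheme gives no padding tell at the end of each blob. Detection therefore has to target the decryption routine itself or observe the decrypted strings in memory at runtime; the round-trip function above is the kind of routine an analyst reimplements to recover those strings from a sample once the key material is located.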

Grandoreiro, first identified in 2016, now poses a global threat, targeting over 1,700 banks and 276 cryptocurrency wallets across 45 countries. It has recently expanded into Asia and Africa, indicating a strategic shift into new regions. The full analysis will be detailed at SAS 2024, underscoring the pressing need for global vigilance against evolving cyber threats.

Author: Terry KS
