A Brazilian law enforcement operation has led to the arrest of several Brazilian operators in charge of the Grandoreiro malware.
The Federal Police of Brazil said it served 5 temporary arrest warrants and 13 search and seizure warrants in the states of São Paulo, Santa Catarina, Pará, Goiás, and Mato Grosso.
Slovak cybersecurity firm ESET, which provided additional assistance in the effort, said it uncovered a design flaw in Grandoreiro's network protocol that helped it identify the victimology patterns.
Grandoreiro is one of the many Latin American banking trojans, alongside Javali, Melcoz, Casbaneiro, Mekotio, and Vadokrist, that primarily target countries such as Spain, Mexico, Brazil, and Argentina. It is known to have been active since 2017.
In late October 2023, Proofpoint disclosed details of a phishing campaign that distributed an updated version of the malware to targets in Mexico and Spain.
The banking trojan can both steal data through keyloggers and screenshots and siphon bank login information from overlays when an infected victim visits predetermined banking sites targeted by the threat actors. It can also display fake pop-up windows and block the victim's screen.
Attack chains typically leverage phishing lures bearing decoy documents or malicious URLs that, when opened or clicked, lead to the deployment of the malware, which then establishes contact with a command-and-control (C&C) server for remotely controlling the machine in a manual fashion.
"Grandoreiro periodically monitors the foreground window to find one that belongs to a web browser process," ESET said.
"When such a window is found and its name matches any string from a hardcoded list of bank-related strings, then and only then does the malware initiate communication with its C&C server, sending requests at least once a second until terminated."
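The once-per-second polling ESET describes is a cadence a defender can look for in outbound proxy logs. The following is an added example, not ESET's code or anything from the Grandoreiro investigation; the log format, host names and domain names are constructed for illustration, and the thresholds are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, one line per outbound request:
# "<ISO-8601 timestamp> <source host> <destination domain>".
# Hosts and domains are invented; they are not real Grandoreiro indicators.
SAMPLE_LOG = "\n".join(
    [f"2024-01-30T10:00:{s:02d} ws-17 qzk4m8wd.example" for s in range(12)]  # 12 hits, 1 s apart
    + [
        "2024-01-30T10:00:03 ws-17 mail.example",
        "2024-01-30T10:00:41 ws-17 mail.example",
        "2024-01-30T10:01:02 ws-22 intranet.example",
        "2024-01-30T10:01:09 ws-22 intranet.example",
        "2024-01-30T10:01:33 ws-22 intranet.example",
    ]
)

def parse_log(text):
    """Return (timestamp, src, dst) tuples in log order; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return records

def find_beacons(records, max_interval=1.5, max_jitter=0.25, min_requests=10):
    """Flag (src, dst) pairs showing a tight, regular request cadence.

    A pair with at least min_requests requests whose gaps average no more than
    max_interval seconds and vary by at most max_jitter of that average is
    reported as a candidate C&C beacon (thresholds are assumptions).
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= max_interval and pstdev(gaps) <= max_jitter * avg:
            flagged[pair] = {"requests": len(stamps), "mean_gap_s": round(avg, 2)}
    return flagged

if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"candidate beacon: {src} -> {dst} {stats}")
```

Mail and intranet traffic in the sample is sparse and irregular, so only the 1-second polling pair is reported.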
The threat actors behind the malware are also known to have used a domain generation algorithm (DGA) since around October 2020 to dynamically determine a destination domain for C&C traffic, making it harder to block, track, or take over the infrastructure.
The majority of the IP addresses these domains resolve to are provided mainly by Amazon Web Services (AWS) and Microsoft Azure, with the life span of the C&C IP addresses ranging anywhere between 1 day and 425 days. On average, there are 13 active and three new C&C IP addresses per day, respectively.
ESET also said that Grandoreiro's flawed implementation of its RealThinClient (RTC) network protocol for C&C made it possible to obtain information about the number of victims connected to the C&C server, which is 551 unique victims a day on average, mainly spread across Brazil, Mexico, and Spain.
Further investigation has found that an average of 114 new unique victims connect to the C&C servers every day.
"The disruption operation led by the Federal Police of Brazil aimed at individuals who are believed to be high up in the Grandoreiro operation hierarchy," ESET said.