
Brazilian Feds Dismantle Grandoreiro Banking Trojan, Arresting Top Operatives

Jan 30, 2024 | Newsroom | Cyber Crime / Malware


A Brazilian law enforcement operation has led to the arrest of several Brazilian operators in charge of the Grandoreiro malware.

The Federal Police of Brazil said it served five temporary arrest warrants and 13 search and seizure warrants in the states of São Paulo, Santa Catarina, Pará, Goiás, and Mato Grosso.

Slovak cybersecurity firm ESET, which provided additional assistance in the effort, said it uncovered a design flaw in Grandoreiro's network protocol that helped it identify the victimology patterns.

Grandoreiro is one of many Latin American banking trojans, alongside Javali, Melcoz, Casbaneiro, Mekotio, and Vadokrist, that primarily target countries such as Spain, Mexico, Brazil, and Argentina. It has been known to be active since 2017.


In late October 2023, Proofpoint revealed details of a phishing campaign that distributed an updated version of the malware to targets in Mexico and Spain.

The banking trojan can both steal data through keyloggers and screenshots and siphon bank login information from overlays when an infected victim visits pre-determined banking sites targeted by the threat actors. It can also display fake pop-up windows and block the victim's screen.

Attack chains typically leverage phishing lures bearing decoy documents or malicious URLs that, when opened or clicked, lead to the deployment of the malware, which then establishes contact with a command-and-control (C&C) server so that the operators can control the machine manually.

"Grandoreiro periodically monitors the foreground window to find one that belongs to a web browser process," ESET said.


"When such a window is found and its name matches any string from a hardcoded list of bank-related strings, then and only then does the malware initiate communication with its C&C server, sending requests at least once a second until terminated."

The threat actors behind the malware have also been known since around October 2020 to use a domain generation algorithm (DGA) to dynamically derive the destination domain for C&C traffic, making the infrastructure harder to block, track, or take over.

The majority of the IP addresses these domains resolve to are provided by Amazon Web Services (AWS) and Microsoft Azure, and the lifespan of a C&C IP address ranges anywhere from 1 day to 425 days. On average, there are 13 active and three new C&C IP addresses per day.
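The behaviour ESET describes, a request to the C&C server at least once a second once a banking window is in the foreground, is visible from the network side as a tight, sustained beacon from one host to one destination. The following is an added detection example, not code from ESET or from the article; it runs over a constructed, simplified proxy-log format (`<unix_ts> <src_ip> <dst_host>`) and flags flows whose request rate and regularity match that pattern. The thresholds and the sample hosts are assumptions chosen for illustration.

```python
"""Flag hosts that beacon to a single destination at >= 1 request per second.

Added example (not ESET's or the article's code). The log format is a
constructed, simplified proxy log: "<unix_ts> <src_ip> <dst_host>".
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample lines, not real traffic. 10.0.0.5 issues one request per
# second to the same host for 15 seconds; 10.0.0.7 browses normally.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i} 10.0.0.5 c2-example.invalid" for i in range(15)]
    + [
        "1700000001 10.0.0.7 news.example",
        "1700000040 10.0.0.7 bank.example",
        "1700000095 10.0.0.7 bank.example",
    ]
)


def parse(log_text: str) -> Dict[Tuple[str, str], List[int]]:
    """Group request timestamps by (source, destination), skipping malformed lines."""
    flows: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, dst = parts
        flows[(src, dst)].append(int(ts))
    return flows


def find_beacons(log_text: str, min_requests: int = 10, min_rate: float = 1.0,
                 max_jitter: float = 1.0) -> List[Tuple[str, str, int, float]]:
    """Return (src, dst, request_count, requests_per_second) for beacon-like flows.

    A flow qualifies when it has at least `min_requests` requests, averages at
    least `min_rate` requests per second over its span, and the gaps between
    consecutive requests vary by no more than `max_jitter` seconds. Ordinary
    browsing is bursty and irregular, so it falls outside all three bounds.
    """
    hits = []
    for (src, dst), stamps in parse(log_text).items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        span = stamps[-1] - stamps[0]
        rate = (len(stamps) - 1) / span if span else float("inf")
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if rate >= min_rate and max(gaps) - min(gaps) <= max_jitter:
            hits.append((src, dst, len(stamps), rate))
    return hits


if __name__ == "__main__":
    for src, dst, count, rate in find_beacons(SAMPLE_LOG):
        print(f"beacon: {src} -> {dst} ({count} requests, {rate:.2f}/s)")
```

In practice the same logic runs over a proxy or NetFlow export rather than an inline string; the point is that the one-request-per-second cadence the article describes is a much stronger signal than the destination name, which a DGA changes daily.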
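The per-IP lifespan and the daily "active" and "new" counts quoted above are the kind of figures a tracker derives from passive-DNS resolutions of the DGA-generated domains. The following added example, which is not code from ESET or the article, computes those three metrics from a constructed list of `(date, domain, ip)` resolution records; the domains and addresses are placeholders from documentation ranges, and "active on a day" is taken to mean "resolved to on that day," which is an assumption about how the article's figures were defined.

```python
"""Derive C&C IP lifespans and daily active/new IP counts from passive-DNS data.

Added example, not from ESET or the article. Records are constructed
(iso_date, domain, ip) triples standing in for passive-DNS resolutions of
DGA-generated C&C domains; the addresses are documentation-range placeholders.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample, not real infrastructure: one IP lives three days,
# two others are seen on a single day each.
SAMPLE_RESOLUTIONS: List[Tuple[str, str, str]] = [
    ("2024-01-01", "abcd1234.example", "192.0.2.10"),
    ("2024-01-02", "efgh5678.example", "192.0.2.10"),
    ("2024-01-03", "ijkl9012.example", "192.0.2.10"),
    ("2024-01-02", "efgh5678.example", "198.51.100.7"),
    ("2024-01-03", "mnop3456.example", "203.0.113.99"),
]


def ip_lifespans(records) -> Dict[str, Tuple[str, str, int]]:
    """Map ip -> (first_seen, last_seen, lifespan_days); a single day counts as 1."""
    seen: Dict[str, List[date]] = defaultdict(list)
    for day, _domain, ip in records:
        seen[ip].append(date.fromisoformat(day))
    return {
        ip: (min(days).isoformat(), max(days).isoformat(), (max(days) - min(days)).days + 1)
        for ip, days in seen.items()
    }


def daily_counts(records) -> Dict[str, Tuple[int, int]]:
    """Map iso_date -> (active_ips, new_ips).

    An IP is active on a day if some C&C domain resolved to it that day, and
    new on the day it is first observed anywhere in the data set.
    """
    by_day: Dict[str, set] = defaultdict(set)
    for day, _domain, ip in records:
        by_day[day].add(ip)
    first_seen: Dict[str, str] = {}
    for day in sorted(by_day):  # ISO dates sort chronologically as strings
        for ip in by_day[day]:
            first_seen.setdefault(ip, day)
    return {
        day: (len(ips), sum(1 for ip in ips if first_seen[ip] == day))
        for day, ips in by_day.items()
    }


def average_daily(records) -> Tuple[float, float]:
    """Return (mean active IPs per day, mean new IPs per day)."""
    counts = daily_counts(records)
    n = len(counts)
    return (sum(a for a, _ in counts.values()) / n, sum(b for _, b in counts.values()) / n)


if __name__ == "__main__":
    for ip, (first, last, days) in ip_lifespans(SAMPLE_RESOLUTIONS).items():
        print(f"{ip}: {first} .. {last} ({days} day(s))")
    print("mean active, mean new:", average_daily(SAMPLE_RESOLUTIONS))
```

Tracking lifespans this way is what makes the article's 1-to-425-day range meaningful for blocking: an address seen for a single day is gone before a blocklist update ships, while a long-lived one is worth a firewall entry.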


ESET also said that Grandoreiro's flawed implementation of its RealThinClient (RTC) network protocol for C&C made it possible to obtain the number of victims connected to the C&C server: 551 unique victims per day on average, mostly spread across Brazil, Mexico, and Spain.

Further investigation found that an average of 114 new unique victims connect to the C&C servers each day.

"The disruption operation led by the Federal Police of Brazil aimed at individuals who are believed to be high up in the Grandoreiro operation hierarchy," ESET said.
