According to Kaspersky Lab, four banking Trojan families with Brazilian roots (Guildma, Javali, Melcoz and Grandoreiro) are now actively targeting users in Europe, North America and Latin America. Together these families make up what the researchers call the Tetrade group, and they use a number of new techniques both to evade detection and to collect data from victims.
The researchers note that Brazil has long been known as a major source of banking malware. Earlier, Brazilian attackers hunted mainly for customers of local financial institutions, and only a few groups experimented with deploying malware abroad; by 2020, however, the Tetrade families had acquired the tooling needed for global expansion.
For example, the Guildma Trojan, which appeared in Brazil five years ago, has become active in other South American countries as well as in the United States, Portugal and Spain. The banker spreads mainly through phishing emails disguised as business correspondence or notifications, and it hides its malicious payload on the victim's system using a special file extension.
Another feature of Guildma is that it retrieves its configuration, including the current addresses of its C&C servers, from Facebook and YouTube pages. Such traffic is hard to classify as malicious, because security solutions do not generally block these social networks, and the attackers can change their control servers at will, which further complicates detection.
Another banking Trojan, Javali, which has been active since 2017, attacks cryptocurrency owners and bank customers in Mexico. Similar to Guildma, the Javali malware spreads through phishing emails and is now starting to use YouTube to obtain information about C&C servers.
The third malware, Melcoz, has been active since 2018, but has already started attacking users not only in Mexico, but also in Spain and Chile. In addition to stealing financial information, this family also offers other attackers paid remote access to the affected users' computers.
Grandoreiro, the most widespread of the four bankers, was initially limited to Latin America but now targets Europe as well. It is typically distributed through compromised websites and through spear phishing, and it operates on a malware-as-a-service (MaaS) model: different attackers can buy access to the Grandoreiro toolset to run their own campaigns.
"Brazilian threat actors, like those behind these four banking families, are actively recruiting supporters in other countries to increase their malware exports. Moreover, they are constantly improving and inventing new methods of organizing attacks, trying to make them even more profitable. We believe that this malware will start attacking more bank customers in other countries, and it is possible that new banking malware will appear. That's why it's so important for financial institutions to monitor these threats and take security measures", says Dmitry Bestuzhev, head of the Latin American research center GReAT at Kaspersky Lab.
----
Grandoreiro terrorizes Mexican banks.
The Grandoreiro Trojan, active since 2016, continues to be used by the group's affiliates despite the arrests of its key members in early 2024. According to Kaspersky Lab, the new version of this malware targets customers of about 30 Mexican banks, making Mexico one of the countries most affected by Grandoreiro attacks.
After a joint operation with Interpol in Brazil led to the arrests, Kaspersky Lab experts found that the attacks were continuing. The malicious code was reworked and split into smaller pieces, which suggests that the remaining operators still have access to the program's source code; this allowed them to launch new campaigns with lighter versions of Grandoreiro.
Besides the lighter builds, the company's specialists also identified new techniques in the original version of the Trojan. The malware records and replays mouse movements, mimicking a real user's behavior in order to bypass protection systems that look for behavioral anomalies, which makes the program harder to detect. Grandoreiro also encrypts its strings using ciphertext stealing (CTS), a block-cipher mode that produces ciphertext of exactly the same length as the plaintext with no padding, which makes the encrypted strings harder to spot; the researchers had not previously seen this technique in banking malware.
Grandoreiro remains a serious global threat. In 2024, about 5% of all banking Trojan attacks were associated with this malware, with a significant share of incidents recorded in Mexico, where more than 51,000 users were affected. In total, this year the various versions of Grandoreiro target customers of more than 1,700 financial institutions and 276 cryptocurrency wallets in 45 countries.
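The ciphertext-stealing mode mentioned above, as an added illustration that is not Grandoreiro's code and not part of Kaspersky's analysis: a Python implementation of CBC with ciphertext stealing (the CBC-CS3 variant, the one used in Kerberos), showing why a string encrypted this way has exactly the same length as the plaintext and carries no padding block that a scanner could key on. The page does not say how the malware itself applies CTS, so nothing here should be read as its string-decryption routine. The block cipher is a constructed stand-in (a 4-round Feistel network keyed with HMAC-SHA256) so the script runs on the standard library alone; the key, IV and sample strings are made up.

```python
"""CBC with ciphertext stealing (CBC-CS3): added illustration, not malware code.

The block cipher here is a constructed stand-in (a 4-round Feistel network whose
round function is HMAC-SHA256) so the example runs with only the standard
library. It takes the place of AES and is NOT meant for real use; the CTS
logic around it is the generic mode and does not depend on the cipher.
"""
import hashlib
import hmac

BLOCK = 16          # block size in bytes, same as AES
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: PRF of (round index, right half), truncated to a half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with the stand-in Feistel cipher."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: run the rounds backwards."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def _split(length: int):
    # Number of leading full blocks and the size (1..BLOCK) of the final block.
    n_full, tail = divmod(length, BLOCK)
    if tail == 0:
        n_full, tail = n_full - 1, BLOCK
    return n_full, tail


def cts_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC-CS3: output is exactly len(plaintext) bytes; no padding is ever emitted."""
    if len(plaintext) < BLOCK:
        raise ValueError("ciphertext stealing needs at least one full block of input")
    n_full, tail = _split(len(plaintext))
    prev, blocks = iv, []
    for i in range(n_full):                       # ordinary CBC for P1..P(n-1)
        prev = block_encrypt(key, _xor(plaintext[i * BLOCK:(i + 1) * BLOCK], prev))
        blocks.append(prev)
    last = plaintext[n_full * BLOCK:]             # final 1..BLOCK bytes, Pn
    padded = last + bytes(BLOCK - tail)           # zero-filled only inside the cipher
    c_last = block_encrypt(key, _xor(padded, prev))
    if n_full == 0:                               # exactly one block: plain CBC
        return c_last
    # CS3 ordering: full final block first, then C(n-1) truncated to `tail` bytes.
    # The dropped bytes of C(n-1) are "stolen": they survive inside c_last.
    return b"".join(blocks[:-1]) + c_last + blocks[-1][:tail]


def cts_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cts_encrypt."""
    if len(ciphertext) < BLOCK:
        raise ValueError("ciphertext shorter than one block")
    n_full, tail = _split(len(ciphertext))
    if n_full == 0:
        return _xor(block_decrypt(key, ciphertext), iv)
    prev, out = iv, []
    for i in range(n_full - 1):                   # everything before the last two units
        blk = ciphertext[i * BLOCK:(i + 1) * BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    c_n = ciphertext[(n_full - 1) * BLOCK:n_full * BLOCK]   # the full block, Cn
    c_tail = ciphertext[n_full * BLOCK:]                    # first `tail` bytes of C(n-1)
    d = block_decrypt(key, c_n)                   # = (Pn || zeros) XOR C(n-1)
    p_last = _xor(d[:tail], c_tail)               # recover Pn
    c_prev = c_tail + d[tail:]                    # rebuild the full C(n-1)
    p_prev = _xor(block_decrypt(key, c_prev), prev)
    return b"".join(out) + p_prev + p_last


if __name__ == "__main__":
    key, iv = b"constructed-example-key-32-bytes", bytes(BLOCK)   # made-up values
    # Constructed sample strings; reusing one IV across entries leaks shared prefixes.
    for s in ["C:\\Users\\Public\\update.log", "https://example.invalid/cfg"]:
        ct = cts_encrypt(key, iv, s.encode())
        assert len(ct) == len(s) and cts_decrypt(key, iv, ct) == s.encode()
        print(f"{len(s):3d} bytes plaintext -> {len(ct):3d} bytes ciphertext: {ct.hex()}")
```

The point for a detection engineer is in the lengths: with PKCS#7-style CBC, every encrypted string grows to a block boundary and its final block carries a predictable padding pattern once decrypted; with CTS the blob is the same size as the original string and has no such tail, so heuristics that hunt for encrypted string tables by block-aligned sizes or padding residue lose that signal. Recovering the strings still only needs the key and IV the sample carries, so the mode raises the cost of static triage, not of analysis itself.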
Source