Grandoreiro Trojan destroyed: ESET reveals details of Brazilian agents operation

Brother

Thanks to the company's efforts, the banking Trojan stopped terrorizing Latin American banks.

During a joint operation between ESET and the Brazilian Federal Police, actions were taken to stop the activities of the Grandoreiro botnet, which had caused its victims $3.9 million in losses.

According to the police, 5 temporary arrest warrants and 13 search and seizure warrants were executed in the Brazilian states of Sao Paulo, Santa Catarina, Para, Goias and Mato Grosso. The investigation began with information from one of the gang's victims, the Spanish bank CaixaBank, which identified the malware's developers and operators in Brazil.

In the latest Grandoreiro attacks, the hackers sent phishing emails disguised as subpoenas or invoices to gain access to victims' devices. The Grandoreiro malware allows its operators to block the victim's screen, log keystrokes, simulate mouse and keyboard actions, stream the victim's screen, and display fake pop-ups.

ESET provided technical analysis, statistics, and information about the domain names and IP addresses of the Command and Control (C2) servers. Thanks to a flaw they identified in the Grandoreiro network protocol, ESET researchers were able to obtain information about the victims of the attacks.

ESET systems processed tens of thousands of Grandoreiro samples. The Domain Generation Algorithm (DGA), in use since October 2020, creates one primary and several backup domains per day. Grandoreiro operators used the Azure and AWS cloud services to host their network infrastructure. ESET researchers provided data that made it possible to identify the accounts used to set up the servers, which eventually led to the arrest of those who managed them.

Grandoreiro has been around since 2017, targeting the banking systems of Latin America, including Brazil, Mexico and, since 2019, Spain. Since 2023, the focus of the attacks has shifted toward Mexico and Argentina.

In February 2022, Grandoreiro operators added a version ID to their programs. Between February and June 2022, a new version was released on average every 4 days. Research has shown that Grandoreiro does not operate under the Malware-as-a-Service (MaaS) model, but rather is managed by one or more closely cooperating groups.

ESET researchers found that Grandoreiro's C2 servers reveal information about victims. Data obtained from the servers shows that most of the victims used Windows operating systems, with the largest number of attacks occurring in Brazil, Mexico and Spain.

Through long-term tracking and analysis of Grandoreiro's activities, ESET was able to make a significant contribution to the operation to stop it. The company continues to closely monitor the activity of other banking Trojans targeting Latin America, as well as a possible resumption of Grandoreiro's activities after the law enforcement operation.