Risen from the dead: Grandoreiro terrorizes Mexican banks

Man

Kaspersky Lab: Trojan has learned to imitate a human.

The Grandoreiro Trojan, active since 2016, continues to be used by the cybergroup's partners, despite the arrests of its key members in early 2024. According to Kaspersky Lab, the new version of this malware is targeting customers of about 30 Mexican banks, making Mexico one of the countries most affected by attacks using Grandoreiro.

Following a joint operation with Interpol in Brazil that led to the arrests, Kaspersky Lab experts found that the attacks were continuing. The malicious code was reworked and split into smaller pieces, indicating that the attackers likely still have access to the program's source materials. This allowed them to launch new campaigns with simplified versions of Grandoreiro.

In addition to simplified versions, the company's specialists also identified new methods used in the original version of the Trojan. The malware records and reproduces mouse actions, mimicking the user's real behavior, which allows it to bypass protection systems that analyze behavioral anomalies. This method makes the program difficult to detect. Grandoreiro also uses the Ciphertext Stealing (CTS) cryptographic technique, which encrypts lines of code and makes it much more difficult to detect. Previously, such a technique had not been found in such malware.

Grandoreiro attacks continue to be a serious global threat. In 2024, about 5% of all banking Trojan attacks were associated with this malware, with a significant part of the incidents recorded in Mexico, where more than 51,000 users were affected. In total, this year, various versions of Grandoreiro are aimed at customers of more than 1,700 financial institutions and 276 cryptocurrency wallets in 45 countries.
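The post names Ciphertext Stealing as the string-encryption technique but does not say which cipher, variant or key the Trojan uses, and none of that is assumed here. The block below is an added example, not code from the post or from Kaspersky's report: it implements CBC mode with ciphertext stealing, variant CS3 as specified in the NIST SP 800-38A Addendum, over AES from Go's standard library with a constructed demo key and IV. The point for an analyst is visible in the output: the ciphertext is exactly as long as the plaintext, so encrypted strings carry no padding tail that would mark them as block-cipher output, and once a key is recovered the same routine decrypts them. `MatchesSwappedCBC` checks the defining property of CS3 on block-aligned input (plain CBC with its last two blocks exchanged); the function names, key and IV are all this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

const bs = aes.BlockSize // 16 bytes

// xorInto writes a XOR b into dst over len(dst) bytes.
func xorInto(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// EncryptCBCCS3 is CBC with ciphertext stealing, variant CS3 (NIST SP 800-38A Addendum).
// The output has exactly len(plaintext) bytes: the final partial block is zero-padded
// internally, encrypted, and the surplus bytes of the previous ciphertext block are
// dropped ("stolen"). Plaintext must be at least one block long.
func EncryptCBCCS3(block cipher.Block, iv, plaintext []byte) ([]byte, error) {
	n := len(plaintext)
	if n < bs || len(iv) != bs {
		return nil, errors.New("plaintext must be >= one block and iv exactly one block")
	}
	d := (n + bs - 1) / bs // number of blocks, the last possibly partial
	r := n - (d-1)*bs      // bytes in the final block, 1..16

	// Ordinary CBC over the first d-1 full blocks.
	cbc := make([]byte, (d-1)*bs)
	prev := iv
	var x [bs]byte
	for i := 0; i < d-1; i++ {
		c := cbc[i*bs : (i+1)*bs]
		xorInto(x[:], plaintext[i*bs:(i+1)*bs], prev)
		block.Encrypt(c, x[:])
		prev = c
	}
	// Final block: zero-pad the r plaintext bytes, chain with C_{d-1}, encrypt.
	var last [bs]byte
	copy(last[:], plaintext[(d-1)*bs:])
	xorInto(last[:], last[:], prev)
	block.Encrypt(last[:], last[:])
	if d == 1 {
		return last[:], nil // exactly one full block: plain CBC, nothing to steal
	}
	// CS3 layout: C_1 .. C_{d-2} || C_d || MSB_r(C_{d-1}).
	out := make([]byte, 0, n)
	out = append(out, cbc[:(d-2)*bs]...)
	out = append(out, last[:]...)
	out = append(out, cbc[(d-2)*bs:(d-2)*bs+r]...)
	return out, nil
}

// DecryptCBCCS3 inverts EncryptCBCCS3.
func DecryptCBCCS3(block cipher.Block, iv, ciphertext []byte) ([]byte, error) {
	n := len(ciphertext)
	if n < bs || len(iv) != bs {
		return nil, errors.New("ciphertext must be >= one block and iv exactly one block")
	}
	d := (n + bs - 1) / bs
	r := n - (d-1)*bs
	if d == 1 {
		p := make([]byte, bs)
		block.Decrypt(p, ciphertext)
		xorInto(p, p, iv)
		return p, nil
	}
	head := ciphertext[:(d-2)*bs]
	cd := ciphertext[(d-2)*bs : (d-1)*bs] // full block C_d
	cstar := ciphertext[(d-1)*bs:]        // the r surviving bytes of C_{d-1}

	// D(K, C_d) = C_{d-1} XOR (P*_d || 0..0): its tail restores the stolen tail of C_{d-1},
	// and its head XOR the surviving bytes gives the final plaintext bytes.
	var z, cprev, p [bs]byte
	block.Decrypt(z[:], cd)
	copy(cprev[:], cstar)
	copy(cprev[r:], z[r:])
	pLast := make([]byte, r)
	xorInto(pLast, z[:r], cstar)

	out := make([]byte, 0, n)
	prev := iv
	for i := 0; i < d-2; i++ {
		c := head[i*bs : (i+1)*bs]
		block.Decrypt(p[:], c)
		xorInto(p[:], p[:], prev)
		out = append(out, p[:]...)
		prev = c
	}
	block.Decrypt(p[:], cprev[:])
	xorInto(p[:], p[:], prev)
	out = append(out, p[:]...)
	return append(out, pLast...), nil
}

// demo returns a constructed demo key and IV (example values, not from any sample).
func demo() (cipher.Block, []byte) {
	block, err := aes.NewCipher([]byte("demo-key-16bytes"))
	if err != nil {
		panic(err)
	}
	return block, bytes.Repeat([]byte{0x42}, bs)
}

// sample builds a deterministic n-byte constructed message.
func sample(n int) []byte {
	m := make([]byte, n)
	for i := range m {
		m[i] = byte(i * 7)
	}
	return m
}

// RoundTripOK reports whether an n-byte message encrypts to n bytes and decrypts back.
func RoundTripOK(n int) bool {
	block, iv := demo()
	msg := sample(n)
	ct, err := EncryptCBCCS3(block, iv, msg)
	if err != nil || len(ct) != n {
		return false
	}
	pt, err := DecryptCBCCS3(block, iv, ct)
	return err == nil && bytes.Equal(pt, msg)
}

// MatchesSwappedCBC checks, for block-aligned n >= 32, that CS3 output equals
// plain CBC output with its last two blocks exchanged.
func MatchesSwappedCBC(n int) bool {
	if n%bs != 0 || n < 2*bs {
		return false
	}
	block, iv := demo()
	msg := sample(n)
	cs, err := EncryptCBCCS3(block, iv, msg)
	if err != nil {
		return false
	}
	cbc := make([]byte, n)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(cbc, msg)
	swapped := append([]byte{}, cbc[:n-2*bs]...)
	swapped = append(swapped, cbc[n-bs:]...)
	swapped = append(swapped, cbc[n-2*bs:n-bs]...)
	return bytes.Equal(cs, swapped)
}

func main() {
	block, iv := demo()
	s := "constructed sample string for the CTS demo" // not a real malware string
	ct, _ := EncryptCBCCS3(block, iv, []byte(s))
	pt, _ := DecryptCBCCS3(block, iv, ct)
	fmt.Printf("plaintext %d bytes -> ciphertext %d bytes (no padding growth)\n", len(s), len(ct))
	fmt.Printf("round trip ok: %v\n", string(pt) == s)
}
```

Because the ciphertext never grows, a string table encrypted this way has no block-aligned lengths and no padding bytes to key on; detection therefore leans on the decryption routine and key handling in the binary rather than on the encrypted data itself.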
