IBM X-Force identified a resurgence of Grandoreiro banking trojans since March 2024, as this Malware-as-a-Service (MaaS) now employs enhanced string decryption and domain generation techniques.
It can also leverage infected Microsoft Outlook clients to propagate phishing emails, and the upgraded malware targets over 1500 banks globally, enabling fraud attempts across 60 countries.
While historically focused on Latin America, recent campaigns impersonate government entities in Mexico, Argentina, and even South Africa, suggesting a strategic shift following law enforcement action: Grandoreiro operators are expanding their reach through global phishing campaigns.
Grandoreiro, a MaaS banking trojan, is back in a global phishing campaign targeting over 1500 financial institutions across 60 countries, a campaign that impersonates government entities to trick victims.
The updated variant boasts improved string decryption and a reworked Domain Generating Algorithm (DGA) for dynamic C2 communication, allowing for at least 12 unique C2 domains daily.
To expand its reach, Grandoreiro can steal email addresses from infected machines and abuse Microsoft Outlook to launch secondary phishing attacks.
It employs a complex string decryption process to evade detection, with over 10,000 encrypted strings spread across its functionalities. The decryption involves multiple stages: first, it uses a key derived from the hardcoded "A" key and the Grandoreiro key to decode the encrypted string.
Then it applies AES in ECB mode with a scrambled Grandoreiro key, and finally a further decoding step, using the original Grandoreiro key with a specific algorithm, recovers the original string.
Grandoreiro uses a complex Domain Generation Algorithm (DGA) to create multiple C2 server addresses, which makes blocking its traffic difficult because new domains are generated daily.
The DGA utilizes a combination of factors, including the current date, multiple seeds, and custom character replacements, to create unique subdomains, which are then appended to pre-defined apex domains (e.g., dnsfor.me) to form the complete C2 server address.
The malware can have a primary seed for the main C2 server and additional function-specific seeds for other functionalities. Researchers at Security Intelligence observed that only the main seed C2 server remained active after a few weeks, suggesting the malware updates its seeds frequently.
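The following block is an added illustration, not Grandoreiro's actual DGA or any code from the X-Force write-up. It models the ingredients named above (current date, a main seed plus function-specific seeds, a custom character replacement, and a fixed apex domain) with a hypothetical derivation, then shows the defender-side use of such an algorithm: once seeds are recovered from a sample, precompute the candidate domains for a window of days and match DNS query logs against them. The seed values, the replacement table, the hash-based derivation and the log format are all constructed for this example; only the apex domain dnsfor.me comes from the page.

```python
# Added illustration (not Grandoreiro's actual DGA): a date-seeded domain
# generator of the kind described above, plus the defender-side use of it:
# precompute a window of candidate C2 domains and match DNS query logs
# against them. The seeds, the character-replacement table, the derivation
# and the log format are all constructed for this example.
import hashlib
from datetime import date, timedelta

# Apex domain named on the page; the real malware appends to several.
APEX_DOMAINS = ["dnsfor.me"]

# Constructed "custom character replacement": hex digits 0-9 become letters,
# so every label is purely alphabetic. Stands in for the malware's own table.
CHAR_MAP = str.maketrans("0123456789", "qwertyuiop")


def generate_subdomain(day: date, seed: str, length: int = 12) -> str:
    """Hypothetical label derivation: hash(seed || date), take a prefix of the
    hex digest, then apply the replacement table."""
    material = f"{seed}:{day.isoformat()}".encode()
    digest = hashlib.sha256(material).hexdigest()
    return digest[:length].translate(CHAR_MAP)


def candidate_domains(day: date, seeds, apexes=APEX_DOMAINS) -> set:
    """All C2 domains a sample with the given seeds would try on one day:
    one label per seed (main seed plus any function-specific seeds), crossed
    with every apex domain."""
    return {f"{generate_subdomain(day, s)}.{apex}" for s in seeds for apex in apexes}


def precompute_blocklist(start: date, days: int, seeds) -> set:
    """Defender side: with the seeds recovered from a sample, emit every
    candidate domain for a window of days so they can be sinkholed or blocked
    before the malware rotates to them."""
    block = set()
    for offset in range(days):
        block |= candidate_domains(start + timedelta(days=offset), seeds)
    return block


def match_dns_log(lines, blocklist) -> list:
    """Scan constructed resolver log lines of the form
    '<timestamp> <client-ip> query <qname>' and return (client, qname) pairs
    whose query name is on the precomputed blocklist."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue  # not a query record in our constructed format
        qname = parts[3].rstrip(".").lower()
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits


if __name__ == "__main__":
    seeds = ["main-seed", "update-seed"]           # constructed seed values
    start = date(2024, 3, 1)
    block = precompute_blocklist(start, 7, seeds)  # 7 days x 2 seeds x 1 apex
    # Constructed log: one benign query and one hit on day one of the window.
    log = [
        "2024-03-01T09:00:01Z 10.0.0.5 query example.com.",
        f"2024-03-01T09:00:02Z 10.0.0.7 query {generate_subdomain(start, 'main-seed')}.dnsfor.me.",
    ]
    for client, qname in match_dns_log(log, block):
        print(f"DGA domain queried by {client}: {qname}")
```

The design point for defenders is the `precompute_blocklist` step: because the generator is a pure function of date and seed, recovering the seeds from one sample lets a SOC enumerate every domain the malware will try for the coming days and push them to resolver blocklists or a sinkhole ahead of time. The observation above that only the main-seed domains stayed active after a few weeks is the caveat: seed rotation invalidates the precomputed list, so the blocklist must be regenerated whenever new seeds are extracted.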
The Grandoreiro loader, a first stage in the infection chain, employs a multi-step decryption process to protect its functionality and starts with a large, hardcoded key string that’s triple-Base64 encoded.
This key is used to transform the encrypted string into a series of hexadecimal characters. Next, the loader decrypts the result using a custom algorithm based on the key string.
Finally, a 256-bit AES-CBC decryption, whose key and initialization vector (IV) are themselves decrypted with the same custom algorithm, retrieves the final plaintext string; this layered decryption process hinders analysis and protects the loader's malicious code.