X-Force Observes Grandoreiro Global Spread

Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates to its string decryption and domain generation algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to send further phishing emails. The latest variant specifically targets over 1,500 banks worldwide, enabling attackers to commit banking fraud in over 60 countries, including regions in Central/South America, Africa, Europe, and the Indo-Pacific. Although campaigns have traditionally been limited to Latin America, Spain and Portugal, X-Force observed recent campaigns impersonating government entities in Mexico, Argentina and South Africa. The reworked malware and new targeting may indicate a change in strategy following the latest law enforcement action against Grandoreiro operators. It is therefore likely that attackers will expand the deployment of Grandoreiro in global phishing campaigns, with South Africa as the first example.

Key Findings:

- Grandoreiro is a multi-component banking trojan likely operated as a Malware-as-a-Service (MaaS).
- It is actively deployed in phishing campaigns impersonating Mexico's Tax Administration Service (SAT), Mexico's Federal Electricity Commission (CFE), Mexico's Secretary of Administration and Finance, the Revenue Service of Argentina, and the South African Revenue Service (SARS).
- The banking trojan specifically targets over 1,500 banking applications and websites in over 60 countries, including regions in Central/South America, Africa, Europe, and the Indo-Pacific.
- The latest variant contains major updates, including to string decryption and DGA calculation, allowing at least 12 different C2 domains per day.
- Grandoreiro supports harvesting email addresses from infected hosts and using their Microsoft Outlook client to send out further phishing campaigns.

Sample Indicators of Compromise:

https://officebusinessaccount.eastus.cloudapp.azure.com/?PDF-XML-f8f2c7020b2d38c806b5911acb373578cbd69612cbe7f21f172550f4b5d02fdb
https://pjohconstruccionescpaz.com/?8205-23069071&tokenValue=92b768ccface4e96cee662517800b208f88ff79610b498562aef754156e2b540754bf1ccf9a9cb62c732bf9b661746dd08c67bd1afd53240a591daf50f556ca952278cf098dbc5b6c2b16c3e46ab5a0b167afb40
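The following is an added example of how a defender might turn the two sample IoC URLs above into a proxy-log check. It is not code from IBM X-Force or the original article. The exact hostnames are taken from the IoCs; the query-string shapes (a `PDF-XML-` prefix followed by 64 hex characters, and a numeric pair followed by a hex `tokenValue`) are generalized from those two samples only and are an assumption, not a pattern published by X-Force. The log lines and their format are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Sample IoC URLs as listed on the page (exact strings).
IOC_URLS = [
    "https://officebusinessaccount.eastus.cloudapp.azure.com/?PDF-XML-f8f2c7020b2d38c806b5911acb373578cbd69612cbe7f21f172550f4b5d02fdb",
    "https://pjohconstruccionescpaz.com/?8205-23069071&tokenValue=92b768ccface4e96cee662517800b208f88ff79610b498562aef754156e2b540754bf1ccf9a9cb62c732bf9b661746dd08c67bd1afd53240a591daf50f556ca952278cf098dbc5b6c2b16c3e46ab5a0b167afb40",
]

# Exact-host matches derived from the IoCs.
IOC_HOSTS = {urlsplit(u).hostname.lower() for u in IOC_URLS}

# Query-string shapes generalized from the two samples. ASSUMPTION: these are
# the author's guess at the lure URL structure, not a published signature, so
# a shape-only hit is a lead to triage, not a confirmed infection.
QUERY_PATTERNS = [
    re.compile(r"^PDF-XML-[0-9a-f]{64}$"),
    re.compile(r"^\d+-\d+&tokenValue=[0-9a-f]{40,}$"),
]


def classify(url):
    """Return the reasons a URL matches the sample IoCs (empty list = no match).

    Host matches and query-shape matches are reported separately so an analyst
    can weigh an exact IoC hit above a structural one.
    """
    parts = urlsplit(url)
    reasons = []
    host = (parts.hostname or "").lower()
    if host in IOC_HOSTS:
        reasons.append(f"ioc-host:{host}")
    for pat in QUERY_PATTERNS:
        if pat.match(parts.query):
            reasons.append(f"query-shape:{pat.pattern}")
    return reasons


def scan_proxy_log(lines):
    """Scan constructed 'timestamp client method url' proxy lines.

    Returns a list of (client, url, reasons) for every line that matched.
    Lines with fewer than four fields are skipped as malformed.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


# Constructed sample log: one exact IoC hit, one benign request, one
# unknown host whose query string only matches the generalized shape.
SAMPLE_LOG = [
    "1715600000.123 10.0.0.5 GET " + IOC_URLS[1],
    "1715600001.456 10.0.0.7 GET https://example.com/index.html",
    "1715600002.789 10.0.0.9 GET https://unknown-host.test/?PDF-XML-" + "a" * 64,
]

if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(client, url[:60] + "...", reasons)
```

Run against real proxy or DNS logs, the exact-host matches are the actionable items; the shape matches are worth a look mainly because the page notes the DGA yields at least 12 C2 domains per day, so a host list alone goes stale quickly.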
