At the upcoming Security Analyst Summit (SAS) 2024, Kaspersky’s Global Research and Analysis Team (GReAT) will present a notable finding: a Lite version of the Grandoreiro banking trojan.
Grandoreiro has become one of the foremost threats to banking security and currently targets over 1,700 financial institutions. Mexico has been hit particularly hard this year, with more than 51,000 attacks attributed to various Grandoreiro variants, including the newly discovered Lite version.
Following a joint operation with INTERPOL that led to the arrest of operators behind Grandoreiro attacks on banks in Brazil, Kaspersky found that the criminal group had split the source code into smaller, more manageable versions. The Lite variant targets around 30 banks in Mexico, which indicates that the developers of Grandoreiro still hold the source code and are actively deploying a simplified version in new campaigns.
Fabio Assolini, Head of Kaspersky’s GReAT for Latin America, elaborated on the evolving landscape of malware threats: “The advancements in recently developed malware are evident. Lightweight variations may signify a potential trend of these attacks spreading beyond Latin America. However, access to the source code appears to be restricted to a select few trusted partners within the Grandoreiro network, differing from conventional ‘Malware-as-a-Service’ models prevalent in online forums.”
In 2024, Kaspersky reported that various Grandoreiro variants accounted for around 5% of all trojan-based banking attacks worldwide, underscoring the potency of this malware family on a global scale.
Kaspersky’s analysis of the latest Grandoreiro variants shows the operators adopting increasingly sophisticated evasion tactics. For instance, the malware records mouse movements so that it can imitate genuine user behaviour and evade security controls that rely on behavioural analysis and machine learning. This lets the malware deceive anti-phishing tools and blend its unusual activity into what looks like normal user interaction with the system.
Grandoreiro also uses Ciphertext Stealing (CTS) to encrypt the strings inside the malware, something Kaspersky says it had not previously seen in malware. CTS itself is not new: it is a standard block-cipher mode that handles a final partial block without padding, so the ciphertext is exactly as long as the plaintext. Applied to the malware’s string table, it leaves no plaintext strings in the binary for security tools to match on, complicating detection and analysis. Assolini noted, “Given the complex structure of Grandoreiro, unencrypted strings could easily alert security tools. The introduction of this encryption technique likely aims to obscure attacks from detection.”
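To make the ciphertext-stealing point concrete, here is an added example (not Grandoreiro’s code and not Kaspersky’s) of CBC-mode ciphertext stealing in Go, the CS3 variant standardised for Kerberos in RFC 3962, together with the inverse routine an analyst would need to recover the strings. AES-256, the key, the IV and the sample strings are assumptions constructed for the demo; the page does not state which block cipher or which CTS variant Grandoreiro uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// ctsEncrypt: CBC with ciphertext stealing (CS3 variant, as in RFC 3962). The input must be
// at least one block long; the output is exactly as long as the input, with no padding.
func ctsEncrypt(block cipher.Block, iv, plaintext []byte) ([]byte, error) {
	bs := block.BlockSize()
	n := len(plaintext)
	if n < bs {
		return nil, errors.New("cts: input shorter than one block")
	}
	last := n % bs // bytes in the final, possibly partial, block
	if last == 0 {
		last = bs
	}
	m := (n-last)/bs + 1 // number of blocks, the last one possibly partial
	// Ordinary CBC over the plaintext zero-padded to m whole blocks.
	padded := make([]byte, m*bs)
	copy(padded, plaintext)
	cbc := make([]byte, m*bs)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(cbc, padded)
	if m == 1 {
		return cbc, nil // a single block is plain CBC
	}
	// Emit C_1..C_{m-2}, then the full block C_m, then only the first `last` bytes of C_{m-1}.
	// The dropped tail of C_{m-1} is recoverable because it encrypted the zero padding.
	out := append([]byte{}, cbc[:(m-2)*bs]...)
	out = append(out, cbc[(m-1)*bs:]...)
	return append(out, cbc[(m-2)*bs:(m-2)*bs+last]...), nil
}

// ctsDecrypt inverts ctsEncrypt. A CBC+PKCS#7 decryptor would reject these inputs outright,
// since their length is generally not a multiple of the block size.
func ctsDecrypt(block cipher.Block, iv, ciphertext []byte) ([]byte, error) {
	bs := block.BlockSize()
	n := len(ciphertext)
	if n < bs {
		return nil, errors.New("cts: input shorter than one block")
	}
	last := n % bs
	if last == 0 {
		last = bs
	}
	m := (n-last)/bs + 1
	if m == 1 {
		out := make([]byte, bs)
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
		return out, nil
	}
	cm := ciphertext[(m-2)*bs : (m-1)*bs] // the full block stored second-to-last is C_m
	tail := ciphertext[(m-1)*bs:]         // the first `last` bytes of C_{m-1}
	d := make([]byte, bs)
	block.Decrypt(d, cm) // d = (P_m zero-padded) XOR C_{m-1}
	cPrev := make([]byte, bs)
	copy(cPrev, tail)
	copy(cPrev[last:], d[last:]) // the padding was zero, so d's tail is C_{m-1}'s tail
	pm := make([]byte, last)
	for i := range pm {
		pm[i] = d[i] ^ cPrev[i]
	}
	// With C_{m-1} rebuilt, C_1..C_{m-1} decrypt as ordinary CBC.
	head := append(append([]byte{}, ciphertext[:(m-2)*bs]...), cPrev...)
	out := make([]byte, len(head))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, head)
	return append(out, pm...), nil
}

func main() {
	// AES-256 is an assumption for the demo; the page does not name Grandoreiro's cipher.
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	iv := []byte("fedcba9876543210")                  // constructed 16-byte IV
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample string table of the kind a banking trojan carries: a C2 URL
	// (block-aligned), a bank domain (exactly one block) and an API name (partial last block).
	for _, s := range []string{"https://c2.example.invalid/check", "banco-ejemplo.mx", "user32.dll!GetWindowTextW"} {
		ct, err := ctsEncrypt(block, iv, []byte(s))
		if err != nil {
			panic(err)
		}
		pt, _ := ctsDecrypt(block, iv, ct)
		fmt.Printf("%-26s pt=%2d ct=%2d bytes ct=%x roundtrip=%v\n", s, len(s), len(ct), ct, string(pt) == s)
	}
}
```

The practical consequence for an analyst is the length: an encrypted string occupies exactly as many bytes as its plaintext, so a string-decryption script written for CBC with PKCS#7 padding fails on any blob whose length is not a block multiple, and the last two blocks have to be unswapped and the stolen tail rebuilt as above before ordinary CBC decryption applies.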
Kaspersky’s data indicates that Grandoreiro has been operational since 2016, and by 2024, it had targeted over 1,700 financial institutions and 276 cryptocurrency wallets across 45 countries and territories. Recent developments have seen Asia and Africa join the list of targeted regions, further solidifying Grandoreiro’s status as a global financial threat.