A Brazilian law enforcement operation has led to the arrest of several Brazilian operators responsible for the Grandoreiro malware.
The Federal Police of Brazil said it served five temporary arrest warrants and 13 search and seizure warrants in the states of São Paulo, Santa Catarina, Pará, Goiás, and Mato Grosso.
Slovak cybersecurity firm ESET, which provided additional assistance in the effort, said it uncovered a design flaw in Grandoreiro's network protocol that helped it identify victimology patterns.
Grandoreiro is one of the many Latin American banking trojans, alongside Javali, Melcoz, Casbaneiro, Mekotio, and Vadokrist, that primarily target countries such as Spain, Mexico, Brazil, and Argentina. It is known to have been active since 2017.
In late October 2023, Proofpoint disclosed details of a phishing campaign that distributed an updated version of the malware to targets in Mexico and Spain.
The banking trojan can steal data through keylogging and screenshots, and can siphon bank login credentials from overlays when an infected victim visits pre-determined banking sites targeted by the threat actors. It can also display fake pop-up windows and block the victim's screen.
Attack chains typically rely on phishing lures carrying decoy documents or malicious URLs that, when opened or clicked, lead to the deployment of the malware, which then establishes contact with a command-and-control (C&C) server so that the operators can control the machine manually.
“Grandoreiro periodically monitors the foreground window to find one that belongs to a web browser process,” ESET said.

“When such a window is found and its title matches any string from a hardcoded list of bank-related strings, then and only then the malware initiates communication with its C&C server, sending requests at least once a second until terminated.”
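The trigger ESET describes (a browser window with a bank-related title comes to the foreground, and only then a non-browser process starts polling its C&C at least once a second) is something a defender can look for in endpoint telemetry. The following is an added example, not code from ESET or from the article: it correlates a bank-titled browser window event with a non-browser process that then beacons to one destination at roughly 1 Hz. The log format, the sensor field names, the keyword list and the thresholds are assumptions made for illustration, and the sample telemetry is constructed (documentation IP ranges), not captured from a real infection.

```python
"""Detection heuristic for Grandoreiro-style C&C beaconing (added example).

Models the behaviour ESET describes: the trojan watches the foreground
window, and once a browser window whose title matches a bank-related string
is in front, it starts contacting its C&C server at least once a second.
The heuristic flags a *non-browser* process that begins beaconing to a single
destination at ~1 Hz shortly after such a window appears.
"""
import re
import statistics
from datetime import datetime, timedelta

# Assumed browser process names (adjust to your environment).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Assumed bank-related title substrings; the malware's real list is hardcoded
# in the sample and is not reproduced here.
BANK_KEYWORDS = ("santander", "bbva", "caixa", "bradesco", "banamex", "banco")

# Assumed sensor line format: "<iso-ts> WINDOW|CONNECT pid=.. proc=.. title=".." | dst=.."
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<kind>WINDOW|CONNECT) pid=(?P<pid>\d+) proc=(?P<proc>\S+) '
    r'(?:title="(?P<title>[^"]*)"|dst=(?P<dst>\S+))$'
)

# Constructed sample telemetry (not real data). pid 7312 is the hypothetical
# implant; it starts polling 203.0.113.7 right after the bank tab is focused.
SAMPLE_LOG = """\
2024-01-29T10:00:00 WINDOW pid=4100 proc=chrome.exe title="Inbox - Mail"
2024-01-29T10:00:01 CONNECT pid=2210 proc=OneDrive.exe dst=198.51.100.20:443
2024-01-29T10:00:05 WINDOW pid=4100 proc=chrome.exe title="Banco Santander - Particulares"
2024-01-29T10:00:06 CONNECT pid=7312 proc=updater.exe dst=203.0.113.7:443
2024-01-29T10:00:07 CONNECT pid=7312 proc=updater.exe dst=203.0.113.7:443
2024-01-29T10:00:08 CONNECT pid=7312 proc=updater.exe dst=203.0.113.7:443
2024-01-29T10:00:09 CONNECT pid=7312 proc=updater.exe dst=203.0.113.7:443
2024-01-29T10:00:10 CONNECT pid=7312 proc=updater.exe dst=203.0.113.7:443
2024-01-29T10:00:11 CONNECT pid=7312 proc=updater.exe dst=203.0.113.7:443
2024-01-29T10:00:12 CONNECT pid=4100 proc=chrome.exe dst=192.0.2.10:443
2024-01-29T10:00:13 CONNECT pid=4100 proc=chrome.exe dst=192.0.2.10:443
2024-01-29T10:00:14 CONNECT pid=4100 proc=chrome.exe dst=192.0.2.10:443
2024-01-29T10:00:14 CONNECT pid=4100 proc=chrome.exe dst=192.0.2.10:443
2024-01-29T10:00:14 CONNECT pid=4100 proc=chrome.exe dst=192.0.2.10:443
2024-01-29T10:00:30 CONNECT pid=2210 proc=OneDrive.exe dst=198.51.100.20:443
"""


def parse(log_text):
    """Parse sensor lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["pid"] = int(ev["pid"])
        events.append(ev)
    return events


def is_bank_window(ev):
    """True for a browser foreground-window event whose title looks bank-related."""
    return (ev["kind"] == "WINDOW" and ev["proc"].lower() in BROWSERS
            and any(k in ev["title"].lower() for k in BANK_KEYWORDS))


def find_beacons(events, lookahead=timedelta(seconds=15), min_hits=5, max_gap=1.5):
    """Return sorted (pid, proc, dst) triples of non-browser processes that
    beacon to one destination at ~1 Hz within `lookahead` of a bank window."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = set()
    for i, trigger in enumerate(events):
        if not is_bank_window(trigger):
            continue
        deadline = trigger["ts"] + lookahead
        per_flow = {}
        for ev in events[i + 1:]:
            if ev["ts"] > deadline:
                break
            # The browser's own traffic to the bank is expected; ignore it.
            if ev["kind"] != "CONNECT" or ev["proc"].lower() in BROWSERS:
                continue
            per_flow.setdefault((ev["pid"], ev["proc"], ev["dst"]), []).append(ev["ts"])
        for flow, stamps in per_flow.items():
            if len(stamps) < min_hits:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            # "at least once a second": median inter-request gap near 1 s or less
            if statistics.median(gaps) <= max_gap:
                alerts.add(flow)
    return sorted(alerts)


if __name__ == "__main__":
    for pid, proc, dst in find_beacons(parse(SAMPLE_LOG)):
        print(f"suspected C&C beaconing: pid={pid} proc={proc} dst={dst}")
```

The thresholds are deliberately loose: the quote only says "at least once a second", so the check is on the median gap rather than on exact periodicity, and a lookahead of a few seconds is enough because the beaconing starts as soon as the bank window is focused. In production this would run over EDR window-focus and network events rather than a text log, and the browser allow-list would need to cover whatever browsers are deployed.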
The threat actors behind the malware have also used a domain generation algorithm (DGA) since around October 2020 to dynamically derive the destination domain for C&C traffic, which makes the infrastructure harder to block, track, or take over.
Most of the IP addresses these domains resolve to are hosted by Amazon Web Services (AWS) and Microsoft Azure, with the lifespan of a C&C IP address ranging anywhere from one day to 425 days. On average, there are 13 active and three new C&C IP addresses per day.
ESET also said that Grandoreiro's flawed implementation of the RealThinClient (RTC) network protocol it uses for C&C made it possible to obtain the number of victims connected to a C&C server: 551 unique victims per day on average, mainly spread across Brazil, Mexico, and Spain.
Further investigation found that an average of 114 new unique victims connect to the C&C servers each day.
“The disruption operation led by the Federal Police of Brazil was aimed at people who are believed to be high up in the Grandoreiro operation hierarchy,” ESET said.