lobal cybersecurity and digital privacy company Kaspersky has raised concerns over the increasing spread of the Grandoreiro banking trojan. This dangerous malware has been causing widespread disruption across the world, posing a serious threat to banking institutions and users alike.
Kaspersky reports that the Grandoreiro banking trojan, active since 2016, has intensified its attacks this year, targeting over 1,700 financial institutions and 276 cryptocurrency wallets across 45 countries. In 2024 alone, these attacks have accounted for 5% of all banking trojan incidents. Of particular concern is a newly-discovered “light” variant of Grandoreiro, which has already targeted around 30 banks in Mexico.
Grandoreiro has also spread to several African nations, including Algeria, Angola, Ethiopia, Ghana, Côte d’Ivoire, Kenya, Mozambique, Nigeria, South Africa, Tanzania, and Uganda, further highlighting the global threat posed by this malware.
An Evolving Cyber Threat
Following a coordinated action by INTERPOL that led to the arrest of Brazilian operators behind a Grandoreiro campaign, Kaspersky uncovered a disturbing trend: the trojan’s codebase has been split into lighter, fragmented versions, allowing the attackers to continue their operations. These variants have been particularly problematic for financial institutions in Mexico in 2024. Kaspersky notes that the developers of Grandoreiro likely have access to its source code, enabling them to launch new campaigns with simplified versions of the malware.
“This evolving threat highlights the adaptability of cybercriminals,” said Fabio Assolini, head of Kaspersky’s Latin American Global Research and Analysis Team (GReAT). “The lighter versions of Grandoreiro could spread beyond Mexico and Latin America, posing risks to other regions. However, only a select group of trusted affiliates appear to have access to the malware’s source code, which operates differently from the usual ‘Malware-as-a-Service’ model. You won’t find Grandoreiro on underground forums—access is tightly controlled.”
Kaspersky’s analysis also reveals new tactics in 2024 versions of Grandoreiro. These include recording mouse activity to mimic real user behavior, tricking machine-learning-based security systems into viewing the malware’s actions as legitimate. Additionally, Grandoreiro has adopted Ciphertext Stealing (CTS), a cryptographic technique not previously observed in malware, to encrypt malicious code strings.
Recommendations for Protection
To guard against financial malware like Grandoreiro, Kaspersky recommends several key steps for organizations:
- Implement a “Default Deny” policy for critical user profiles.
- Provide staff with cybersecurity awareness training.
- Deploy mail server protection with anti-phishing capabilities, such as Kaspersky Security for Mail Server.
For individual users, Kaspersky advises maintaining vigilance by avoiding suspicious messages, installing applications only from trusted sources, and being cautious when granting permissions. Additionally, using a robust security solution like Kaspersky Premium is recommended.
