Kaspersky uncovers new variant of Grandoreiro Banking Trojan, a threat to global security

Despite the arrests of key operators in early 2024, the Grandoreiro banking Trojan continues to be used by its partners in new campaigns. The Kaspersky Global Research and Analysis Team (GReAT) has identified a new light variant specifically targeting around 30 banks in Mexico.

These findings will be showcased at the upcoming Security Analyst Summit (SAS) 2024. Grandoreiro remains a significant global threat, accounting for approximately five percent of all banking Trojan attacks this year, with Mexico reporting 51,000 recorded incidents.

Following a coordinated action with INTERPOL that led to arrests in Brazil, Kaspersky discovered that the malware’s codebase has been split into lighter, fragmented versions. This allows the group to sustain its attacks, with the new variant focusing on Mexican financial institutions.

Fabio Assolini, head of Kaspersky’s Latin American GReAT, notes, “These developments underscore the evolving nature of the threat. Fragmented and lighter versions may signal a trend that could extend beyond Mexico to other regions, including parts of Latin America.”

Assolini adds that access to the malware’s source code seems limited to trusted affiliates, distinguishing Grandoreiro from the traditional ‘Malware-as-a-Service’ model. It is not advertised on underground forums; instead, its access appears restricted.

Multiple variants of Grandoreiro, including the newly identified light version, accounted for about five percent of global banking Trojan attacks reported by Kaspersky in 2024. Kaspersky’s analysis has revealed new tactics aimed at evading detection.

The malware now records mouse activity to imitate genuine user behavior, deceiving machine learning-based security systems. By replicating natural mouse movements, it misleads anti-fraud tools into viewing its activities as legitimate.

Additionally, Grandoreiro has adopted a cryptographic technique known as Ciphertext Stealing (CTS). This technique encrypts malicious code strings, making detection more challenging for security tools.

Assolini explains that Grandoreiro’s complex structure would facilitate detection if its strings were not encrypted. This likely prompted the introduction of the new technique to complicate the detection and analysis of its attacks.
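Ciphertext stealing is a standard extension of block-cipher modes (the NIST SP 800-38A addendum describes the CBC-CS variants) that lets CBC encrypt data whose length is not a multiple of the block size without adding padding, so the ciphertext is exactly as long as the plaintext. The following Python example is added here as an illustration and is not Grandoreiro's code or part of Kaspersky's analysis: it implements CBC-CS3 (the variant that swaps the last two ciphertext blocks) over a constructed toy Feistel block cipher so that it runs offline; the cipher, key, IV and sample strings are all assumptions. It shows the two properties an analyst deals with when strings are protected this way: no padding block appears, so encrypted strings do not stand out by length, and a decryptor that only knows plain CBC recovers garbage.

```python
import hashlib
import hmac

BLOCK = 16   # block size in bytes (assumption for the toy cipher; AES also uses 16)
ROUNDS = 4   # Feistel rounds in the toy cipher


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Constructed toy block cipher: stands in for a real cipher so the example is self-contained ---
def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 over (round index, half block), truncated to a half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _round(key, i, r))
    return l + r


def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r


# --- CBC with ciphertext stealing, CS3 layout (last two ciphertext blocks swapped) ---
def cbc_cts_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    if len(pt) < BLOCK:
        raise ValueError("ciphertext stealing needs at least one full block")
    d = len(pt) % BLOCK or BLOCK          # size of the final (possibly partial) block
    head, tail = pt[:-d], pt[-d:]
    prev, out = iv, []
    for i in range(0, len(head), BLOCK):  # ordinary CBC over the full blocks
        prev = encrypt_block(key, xor(prev, head[i:i + BLOCK]))
        out.append(prev)
    # Final block: zero-pad the partial plaintext, chain it with the previous ciphertext block.
    last = encrypt_block(key, xor(prev, tail + bytes(BLOCK - d)))
    if not out:
        return last
    penultimate = out.pop()
    # "Steal": emit only d bytes of C_{m-1}; its remaining bytes are recoverable from C_m.
    return b"".join(out) + last + penultimate[:d]


def cbc_cts_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    if len(ct) < BLOCK:
        raise ValueError("ciphertext too short")
    d = len(ct) % BLOCK or BLOCK
    if len(ct) == BLOCK:
        return xor(decrypt_block(key, ct), iv)
    head, c_last, c_pen_trunc = ct[:-(BLOCK + d)], ct[-(BLOCK + d):-d], ct[-d:]
    x = decrypt_block(key, c_last)        # equals C_{m-1} XOR (P_m || zeros)
    p_last = xor(x[:d], c_pen_trunc)      # recover the partial plaintext block
    c_pen = c_pen_trunc + x[d:]           # rebuild the full C_{m-1} from the stolen bytes
    prev, out = iv, []
    for blk in [head[i:i + BLOCK] for i in range(0, len(head), BLOCK)] + [c_pen]:
        out.append(xor(decrypt_block(key, blk), prev))
        prev = blk
    return b"".join(out) + p_last


def cbc_decrypt_without_cts(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # Plain CBC decryption, as a tool that does not know about stealing would attempt it.
    prev, out = iv, []
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(xor(decrypt_block(key, blk), prev))
        prev = blk
    return b"".join(out)


KEY = b"constructed-demo-key"    # assumption: demo key, not a real one
IV = bytes(range(BLOCK))         # assumption: fixed IV so the output is reproducible

if __name__ == "__main__":
    # Constructed sample strings of 16, 17 and 32 bytes.
    for s in [b"0123456789abcdef", b"sixteen-plus-five", b"exactly thirty-two bytes of text"]:
        ct = cbc_cts_encrypt(KEY, IV, s)
        assert len(ct) == len(s) and cbc_cts_decrypt(KEY, IV, ct) == s
        print(len(s), ct.hex())
```

The 17-byte case is the one that matters for string obfuscation: a padded CBC scheme would produce 32 bytes, whereas CTS produces 17, so a scanner that flags padded blobs by size or by trailing padding bytes sees nothing. The same length-preserving property is why tooling that expects plain CBC has to be taught the stolen-block layout before it can recover the strings.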

Since its emergence in 2016, Grandoreiro has significantly expanded its reach. In 2024, it targets over 1,500 financial institutions and 276 cryptocurrency wallets across 45 countries and territories, with Asia and Africa now included.

These developments establish Grandoreiro as a truly global financial threat.