A Brazilian law enforcement operation has led to the arrest of several Brazilian operators behind the Grandoreiro banking malware.
Brazil's Federal Police said they had executed five temporary arrest warrants and 13 search and seizure warrants in the states of São Paulo, Santa Catarina, Pará, Goiás and Mato Grosso.
Slovak cybersecurity firm ESET, which assisted in the operation, said it had discovered a design flaw in Grandoreiro's network protocol that allowed it to identify victimization patterns.
Grandoreiro is one of many Latin American banking Trojans, alongside Javali, Melcoz, Casbaneiro, Mekotio and Vadokrist, that mainly target countries such as Spain, Mexico, Brazil and Argentina. It has been active since at least 2017.
In late October 2023, Proofpoint revealed details of a phishing campaign that distributed an updated version of the malware to targets in Mexico and Spain.
The banking Trojan can steal data through keylogging and screenshots, and harvests banking credentials by displaying overlays when an infected victim visits one of the banking sites pre-selected by the threat actors. It can also show fake pop-up windows and block the victim's screen.
Attack chains typically rely on phishing lures containing decoy documents or malicious URLs that, when opened or clicked, deliver the malware, which then contacts a command-and-control (C&C) server so the operators can control the machine manually.
“Grandoreiro periodically monitors the foreground window to find one that belongs to a web browser process,” ESET said.
"When such a window is found and its name matches any string from an encoded list of bank-related strings, then and only then does the malware start communication with its C&C server, sending requests at least once per second until it is finished."
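The trigger condition ESET describes (poll the foreground window, start C&C traffic only while a browser window whose title mentions a targeted bank is in front, then beacon at least once per second) can be modelled as a small state machine. The block below is an added illustration written for this page, not Grandoreiro's code or ESET's; the bank-string list, browser process names and the replayed window timeline are all constructed. The Windows-only helper shows the user32 calls a real implementation would use to read the foreground window title, and returns None elsewhere.

```python
"""Simulation of the 'bank window in foreground' trigger described above.

Constructed example, not Grandoreiro code. Window titles, the bank-string
list and the polling timeline are all made up for illustration.
"""
import ctypes
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed: a short list of substrings a banking trojan might look for in a
# browser window title. Real malware ships a much longer, encoded list.
BANK_STRINGS = ["banco", "bradesco", "itau", "santander", "bbva", "bancomer"]
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}


def title_matches_bank(title: str, bank_strings=BANK_STRINGS) -> bool:
    """Case-insensitive substring test against the bank-string list."""
    lowered = title.lower()
    return any(s in lowered for s in bank_strings)


@dataclass
class ForegroundTrigger:
    """Stateful polling loop: C&C traffic is active only while the foreground
    window belongs to a browser AND its title mentions a targeted bank."""
    beacon_interval: float = 1.0          # at least one request per second
    active: bool = False
    beacons_sent: int = 0
    _last_beacon: float = field(default=-1.0, repr=False)

    def observe(self, process: str, title: str, now: float) -> bool:
        """Feed one foreground-window sample; return whether C&C is active."""
        self.active = process.lower() in BROWSER_PROCESSES and title_matches_bank(title)
        if self.active and now - self._last_beacon >= self.beacon_interval:
            self._last_beacon = now
            self.beacons_sent += 1        # stand-in for the real C&C request
        return self.active


def get_foreground_window_title() -> Optional[str]:
    """Windows only: read the real foreground window title via user32.
    Returns None on other platforms so the rest of the block runs anywhere."""
    if sys.platform != "win32":
        return None
    user32 = ctypes.windll.user32
    hwnd = user32.GetForegroundWindow()
    length = user32.GetWindowTextLengthW(hwnd)
    buf = ctypes.create_unicode_buffer(length + 1)
    user32.GetWindowTextW(hwnd, buf, length + 1)
    return buf.value


def replay(samples: List[Tuple[float, str, str]]) -> List[bool]:
    """Run the trigger over a constructed timeline of (t, process, title)."""
    trig = ForegroundTrigger()
    return [trig.observe(proc, title, t) for t, proc, title in samples]


# Constructed timeline: only samples 3 and 4 should activate C&C traffic.
SAMPLE_TIMELINE = [
    (0.0, "explorer.exe", "Documents"),
    (1.0, "chrome.exe", "Google - Google Chrome"),
    (2.0, "chrome.exe", "Banco Bradesco | Internet Banking - Google Chrome"),
    (2.5, "chrome.exe", "Banco Bradesco | Internet Banking - Google Chrome"),
    (3.0, "notepad.exe", "Banco notes.txt - Notepad"),   # bank word, not a browser
    (4.0, "firefox.exe", "Mozilla Firefox"),
]

if __name__ == "__main__":
    print(replay(SAMPLE_TIMELINE))   # [False, False, True, True, False, False]
```

From a detection standpoint the useful observation is the inverse of the trigger: the beacon only starts once a bank page is in the foreground, so a sandbox that never opens a banking site may see no C&C traffic at all, while on a real host the 1-second request cadence that begins exactly when a bank tab is focused is a strong behavioural signal.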
The threat actors behind the malware have also used a domain generation algorithm (DGA) since around October 2020 to dynamically select the domain for C&C traffic, which makes the infrastructure harder to block, track, or take over.
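The following added example shows why a DGA frustrates static blocking and what changes once the algorithm and its seed are recovered. It is a generic date-seeded scheme written for this page; it is not Grandoreiro's actual DGA (which the page does not describe), and the seed, alphabet, TLD list and per-day domain count are assumptions.

```python
"""Generic date-seeded DGA, added to illustrate why such schemes frustrate
blocking and takedown. This is NOT Grandoreiro's algorithm; the seed,
alphabet, TLD list and domain count are assumptions for the example.
"""
import datetime as dt
import hashlib
from typing import List

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ["com", "net", "org"]            # assumed
SECRET_SEED = b"example-campaign-seed"  # assumed per-campaign constant


def dga_domains(day: dt.date, count: int = 3, seed: bytes = SECRET_SEED) -> List[str]:
    """Deterministically derive `count` candidate C&C domains for one day.
    Operator and malware both know `seed`, so both compute the same list;
    a defender without the seed cannot predict tomorrow's domains."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(1, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def sinkhole_list(seed: bytes, start: dt.date, days: int, count: int = 3) -> List[str]:
    """Once the seed is recovered by reverse engineering, defenders can
    precompute upcoming domains and pre-register or blocklist them."""
    out = []
    for n in range(days):
        out.extend(dga_domains(start + dt.timedelta(days=n), count, seed))
    return out


def is_blocked(domain: str, blocklist: List[str]) -> bool:
    """Exact-match lookup, as a static domain blocklist would do."""
    return domain.lower() in {d.lower() for d in blocklist}


if __name__ == "__main__":
    today = dt.date(2024, 1, 30)
    # A blocklist built from yesterday's observed domains misses today's.
    yesterday_list = dga_domains(today - dt.timedelta(days=1))
    print([is_blocked(d, yesterday_list) for d in dga_domains(today)])
    # With the seed, a week of future domains is known in advance.
    print(len(sinkhole_list(SECRET_SEED, today, 7)))
```

The point of the two lists is the asymmetry ESET's numbers hint at: a reactive blocklist of domains seen yesterday does nothing against today's set, whereas recovering the seed turns the same algorithm into a precomputed sinkhole schedule, which is one reason short C&C IP lifetimes and daily rotation are worth tracking.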
The majority of IP addresses that these domains resolve to are hosted on Amazon Web Services (AWS) and Microsoft Azure, with C&C IP address lifetimes ranging from 1 day to 425 days. On average, 13 C&C IP addresses are active on any given day, and three new ones appear per day.
ESET further stated that Grandoreiro's flawed implementation of its RealThinClient (RTC) network protocol for C&C made it possible to obtain information on the number of victims connected to a C&C server: 551 unique victims per day on average, located mainly in Brazil, Mexico and Spain.
Further investigation found that, on average, 114 new unique victims connect to the C&C servers every day.
"The disruption operation conducted by the Federal Police of Brazil targeted individuals believed to be at the top of the hierarchy of Operation Grandoreiro," ESET said.