Even after significant arrests in early 2024, the Grandoreiro banking Trojan is still being used by its affiliates in new campaigns. Kaspersky’s Global Research and Analysis Team (GReAT) has identified a new light variant that primarily targets around 30 banks in Mexico. This discovery will be presented at the upcoming Security Analyst Summit (SAS) 2024. Grandoreiro remains one of the most prominent threats worldwide, affecting over 1,700 banks and accounting for approximately five percent of banking Trojan attacks this year, with Mexico alone reporting 51,000 incidents.
Since its emergence in 2016, Grandoreiro has expanded to target over 1,700 financial institutions and 276 cryptocurrency wallets across 45 countries, recently including targets in Asia and Africa. Following an INTERPOL-coordinated operation that led to the arrest of operators in Brazil, Kaspersky found that the malware’s codebase has been fragmented into lighter versions to sustain ongoing attacks.
Fabio Assolini, head of Kaspersky’s Latin American division, noted that these developments highlight the evolving nature of the threat. He emphasized that access to the source code is likely restricted to a select group, differentiating Grandoreiro from traditional ‘Malware-as-a-Service’ models.
Multiple variants of Grandoreiro, including the new light version, accounted for about five percent of global banking Trojan attacks detected by Kaspersky in 2024. The malware employs tactics such as recording mouse activity to mimic legitimate user behavior and has introduced a cryptographic technique called Ciphertext Stealing (CTS) to encrypt its code strings, complicating detection efforts.
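As an added illustration (not Grandoreiro’s code and not from Kaspersky’s analysis), the following shows the CBC-CS3 form of ciphertext stealing named above, over a trivial stand-in block cipher so it runs offline; the property worth noticing for anyone writing string-decryption helpers during analysis is that CTS needs no padding, so an encrypted string keeps its exact plaintext length and the last two blocks come out swapped.

```python
# Added example: CBC with ciphertext stealing (CBC-CS3, NIST SP 800-38A Addendum).
# Not Grandoreiro's code. The block cipher is a trivial stand-in so this runs
# offline without third-party libraries; use AES for anything real.
BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key, block):
    """Stand-in 16-byte permutation: key XOR then rotate. NOT a real cipher."""
    m = _xor(block, key)
    return m[1:] + m[:1]

def toy_decrypt_block(key, block):
    return _xor(block[-1:] + block[:-1], key)

def cts_encrypt(key, iv, plaintext, enc=toy_encrypt_block):
    """No padding: ciphertext is exactly as long as the plaintext (>= 1 block)."""
    if len(plaintext) < BLOCK:
        raise ValueError("ciphertext stealing needs at least one full block")
    blocks = [plaintext[i:i + BLOCK] for i in range(0, len(plaintext), BLOCK)]
    d = len(blocks[-1])                  # 1..16 bytes in the final block
    cipher, prev = [], iv
    for blk in blocks[:-1]:              # ordinary CBC for all but the last
        prev = enc(key, _xor(blk, prev))
        cipher.append(prev)
    # Zero-pad the last block and CBC-encrypt it; then emit it in full and
    # "steal" the tail of C_{n-1}, keeping only its first d bytes (blocks swap).
    c_last = enc(key, _xor(blocks[-1] + bytes(BLOCK - d), prev))
    if len(blocks) == 1:
        return c_last
    return b"".join(cipher[:-1]) + c_last + cipher[-1][:d]

def cts_decrypt(key, iv, ciphertext, dec=toy_decrypt_block):
    if len(ciphertext) < BLOCK:
        raise ValueError("ciphertext too short")
    if len(ciphertext) == BLOCK:         # single block: plain CBC, nothing stolen
        return _xor(dec(key, ciphertext), iv)
    d = len(ciphertext) % BLOCK or BLOCK # length of the stolen tail
    head = len(ciphertext) - BLOCK - d   # bytes that decrypt as ordinary CBC
    plain, prev = [], iv
    for i in range(0, head, BLOCK):
        blk = ciphertext[i:i + BLOCK]
        plain.append(_xor(dec(key, blk), prev))
        prev = blk
    x = dec(key, ciphertext[head:head + BLOCK])   # = (P_n || zeros) ^ C_{n-1}
    c_n1 = ciphertext[head + BLOCK:] + x[d:]      # rebuild the full C_{n-1}
    p_n1 = _xor(dec(key, c_n1), prev)
    return b"".join(plain) + p_n1 + _xor(x[:d], c_n1[:d])
```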
To guard against financial malware, Kaspersky recommends that organizations implement a Default Deny policy for critical user profiles, provide cybersecurity training for staff, and utilize anti-phishing mail server solutions. Individuals should be vigilant, avoid suspicious links, use trusted security software, and keep applications updated.