Brazilian Law Enforcement Catches The Grandoreiro Malware’s Operators Red-Handed

A Brazilian law enforcement operation has led to the arrest of several Brazilian operators behind the Grandoreiro banking malware.

Brazil’s Federal Police said it served five temporary arrest warrants and 13 search and seizure warrants in the following states:

  • São Paulo
  • Santa Catarina
  • Pará
  • Goiás
  • Mato Grosso

The Slovak cybersecurity firm ESET assisted the operation by disclosing a design flaw in Grandoreiro’s network protocol, which helped investigators identify victimology patterns.

Grandoreiro is one of several Latin American banking trojans, alongside:

  • Javali
  • Melcoz
  • Casbaneiro
  • Mekotio
  • Vadokrist

These trojans have targeted both developed and developing countries. Grandoreiro has been active for the last seven years, and the affected countries include:

  • Spain
  • Mexico
  • Brazil
  • Argentina 

A phishing campaign distributing the latest version of the malware was observed in late October 2023, with the distribution aimed at two regions in particular: Mexico and Spain.

The banking trojan steals confidential information through keyloggers and screenshots, and harvests bank login credentials when an infected victim visits one of the banking sites targeted by the threat actors. It can also block the victim’s screen and display fake pop-up windows.

Attack chains typically rely on phishing lures carrying decoy documents or malicious URLs. Opening the document or clicking the link leads to the deployment of the malware, which then contacts a command-and-control (C&C) server so the operators can control the machine manually.

In the words of ESET, “Grandoreiro periodically monitors the foreground window to find one that is concerned with a web browser procedure.”

When such a window is found and its name matches one of the strings in a hardcoded list of bank-related strings:

  • The malware begins communicating with its C&C server
  • It sends requests once a second until it is terminated
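The once-a-second C&C cadence described above is something a defender can look for in proxy or DNS logs. The following is an added detection example, not code from ESET or from the article; the log format, client addresses and domain names are constructed for the illustration, and the thresholds are assumptions to be tuned per environment.

```python
"""Flag client/destination pairs that beacon at a steady ~1 request/s,
the cadence Grandoreiro shows once it spots a bank-related browser window.
Detection example only; not ESET's or the article's code."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client> <destination host>".
# Clients and hosts are made up; the first host imitates a DGA-style label.
SAMPLE_LOG = "\n".join(
    [f"2024-01-30T10:00:{i:02d} 10.0.0.7 kqz7f1x.example-dga.net" for i in range(30)]
    + [f"2024-01-30T10:00:{i * 3:02d} 10.0.0.9 www.example-bank.com" for i in range(10)]
    + ["2024-01-30T10:00:05 10.0.0.7 cdn.example.org",
       "2024-01-30T10:00:40 10.0.0.7 cdn.example.org"]
)


def parse(lines):
    """Group request timestamps by (client, destination)."""
    series = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, client, dst = line.split()
        series[(client, dst)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(lines, min_requests=20, max_interval=1.5, max_jitter=0.5):
    """Return (client, dst, count, mean_gap_s) for pairs with a steady, fast cadence.

    min_requests: ignore short bursts (a few page loads can also look regular).
    max_interval: mean gap between requests must be at most this many seconds.
    max_jitter:   population std-dev of the gaps must stay at or below this.
    """
    hits = []
    for (client, dst), stamps in parse(lines).items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) <= max_interval and pstdev(gaps) <= max_jitter:
            hits.append((client, dst, len(stamps), round(mean(gaps), 2)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible C&C beacon:", hit)
```

The bank site in the sample is visited every three seconds and the CDN only twice, so neither is flagged; only the steady one-per-second stream to the DGA-style host is reported.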

The threat actors have used a domain-generation algorithm (DGA) since October 2020 to determine the destination domain for C&C traffic, which makes the infrastructure harder to block or track.

Most of the IP addresses these domains resolve to are provided by Amazon Web Services (AWS) and Microsoft Azure. The lifetime of a C&C IP address ranges from 1 to 425 days, and on average there are around 13 active and 3 new C&C IP addresses every day.

According to ESET, Grandoreiro’s flawed implementation of its RealThinClient (RTC) network protocol for C&C allowed the company to obtain details about the victims connected to the C&C server: 551 unique victims per day, mostly spread across Brazil, Mexico, and Spain.

Further investigation found that an average of 114 new unique victims connect to the C&C servers every day.

In the words of ESET, “The disruption operation led by the Federal Police of Brazil aimed at individuals who are believed to be high up in the Grandoreiro operation hierarchy.”