Despite the arrest of key operators in early 2024, Grandoreiro continues to be used by the group's partners in new campaigns. Kaspersky's Global Research and Analysis Team (GReAT) has discovered a new light version focused on Mexico, targeting around 30 banks.
Kaspersky data indicates Grandoreiro has been active since 2016. In 2024, the threat has targeted more than 1,700 financial institutions and 276 cryptocurrency wallets across 45 countries and territories. Affected countries in Africa include Algeria, Angola, Ethiopia, Ghana, Ivory Coast, Kenya, Mozambique, Nigeria, South Africa, Tanzania and Uganda.
After assisting an INTERPOL-coordinated action that led to Brazilian authorities arresting operators behind a Grandoreiro banking trojan operation, Kaspersky discovered that the group's codebase has been split into lighter, fragmented versions of the trojan so that attacks can continue. Recent analysis has identified a specific light version focused primarily on Mexico. Its creators likely have access to the source code and are launching new campaigns using the simplified legacy malware.
"All the recent developments underscore the evolving nature of the threat," Fabio Assolini, head of the Latin American GReAT at Kaspersky, said. "Fragmented and lighter versions may represent a trend that could extend beyond Mexico and into other regions, including beyond Latin America. However, we believe that only some trusted affiliates have access to the malware source code to develop such lighter versions. Grandoreiro operates differently to the traditional 'Malware-as-a-Service' model we are accustomed to. You won't find announcements on underground forums selling the Grandoreiro package; instead, access to it appears to be limited."
Multiple variants of Grandoreiro, including the new light version and the primary malware, accounted for approximately 5% of global banking trojan attacks detected by Kaspersky in 2024, making it one of the most active threats worldwide. Kaspersky has also analysed newer samples of the primary Grandoreiro from 2024 and observed new tactics. The malware records mouse activity to mimic real user patterns, aiming to evade detection by machine learning-based security systems that analyse behaviour. By replaying natural mouse movements, it aims to trick anti-fraud tools into classifying the activity as legitimate.
Additionally, Grandoreiro has adopted a cryptographic technique known as Ciphertext Stealing (CTS), which Kaspersky has never before seen used in malware. In this case, its purpose is to encrypt the malicious code's strings. Grandoreiro has a large and complex structure; if its strings were not encrypted, it would be easier for security tools or analysts to detect, Assolini explained. "This is likely why they introduced this new technique – to complicate the detection and analysis of their attacks."
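To make the CTS point concrete for analysts, here is an added example (not Grandoreiro's code; the page does not say which block cipher, key, IV or CTS variant the malware uses): CBC mode with ciphertext stealing in the CS3 layout from NIST SP 800-38A Addendum, written over a generic block-cipher interface. It uses a deliberately toy, insecure 16-byte permutation as a stand-in for AES so it runs offline; the property it demonstrates is that the ciphertext is exactly as long as the plaintext, so encrypted strings carry no padding block for a scanner or analyst to key on.

```python
# Added example: CBC with ciphertext stealing (CBC-CS3). Not Grandoreiro's code.
# toy_encrypt/toy_decrypt are an INSECURE stand-in for a real block cipher (AES).
from math import ceil

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte permutation: XOR with key, then rotate left by 3 bytes."""
    x = _xor(block, key)
    return x[3:] + x[:3]

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    x = block[-3:] + block[:-3]          # rotate right by 3 bytes, then undo the XOR
    return _xor(x, key)

def cts_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC-CS3: zero-pad the tail, run CBC, swap the last two blocks, truncate."""
    n = len(plaintext)
    if n < BLOCK:
        raise ValueError("ciphertext stealing needs at least one full block")
    padded = plaintext + b"\x00" * (-n % BLOCK)
    blocks, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        blocks.append(prev)
    if len(blocks) > 1:
        blocks[-1], blocks[-2] = blocks[-2], blocks[-1]
    return b"".join(blocks)[:n]          # same length as the plaintext: nothing padded

def cts_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    n = len(ciphertext)
    if n < BLOCK:
        raise ValueError("ciphertext shorter than one block")
    m = ceil(n / BLOCK)
    r = n - (m - 1) * BLOCK              # bytes in the final, possibly partial, block
    full = [ciphertext[i * BLOCK:(i + 1) * BLOCK] for i in range(m - 1)]
    tail = ciphertext[(m - 1) * BLOCK:]
    if m > 1:
        # Last full block decrypts to (P_m || 0) XOR E_{m-1}; its trailing bytes are
        # the "stolen" bytes that rebuild the CBC block E_{m-1}, then swap back.
        stolen = toy_decrypt(key, full[-1])[r:]
        full = full[:-1] + [tail + stolen, full[-1]]
    else:
        full = [tail]
    out, prev = b"", iv
    for c in full:
        out += _xor(toy_decrypt(key, c), prev)
        prev = c
    return out[:n]

KEY = bytes(range(16))                   # constructed demo key and IV, not from any sample
IV = b"\x00" * 16
```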