This elaborate trojan has returned from the dead: the Grandoreiro malware revives after police crackdown

Grandoreiro, the banking trojan that was dismantled in January this year, is back. This is evident from a new report from IBM’s cybersecurity division, X-Force, which claims that the trojan has been updated and is now targeting a much wider area.

At the end of January this year, Brazil's Federal Police, together with Interpol, the Spanish National Police, ESET and CaixaBank, dismantled the trojan operation, arresting five people and conducting thirteen search-and-seizure operations across Brazil.

At the time, Grandoreiro was said to have been around for seven years and focused primarily on Spanish-speaking countries.

Updates for the malware

Now IBM's X-Force says it has spotted a new campaign, which launched in March this year. For now, the goal is simply to deploy the trojan to as many victims as possible, and to that end the attackers are using a malware-as-a-service model. The campaign targets customers of more than 1,500 banks in 60 countries across Central and South America, Africa, Europe and the Indo-Pacific region.

It's also worth noting that the malware deliberately avoids endpoints in countries such as Russia, the Czech Republic, Poland and the Netherlands, and that it will not run on Windows 7 hosts in the US that have no antivirus software installed, a check most likely intended to sidestep analysis environments.

Beyond widening its targeting, Grandoreiro itself has also been updated.

“Analysis of the malware revealed important updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to distribute further phishing emails,” the researchers explained.

“To communicate with the local Outlook client, Grandoreiro uses the Outlook Security Manager tool, a software used to develop Outlook add-ins,” the researchers said. “The main reason behind this is that Outlook Object Model Guard triggers security alerts when it detects access to protected objects.”

As with most banking trojans delivered by phishing, the first line of defense is scrutiny of incoming email. That applies doubly here: because the updated malware sends follow-on phishing through the infected host's own Outlook client, a message can arrive from a genuine contact's genuine mailbox, so the sender address alone is no guarantee of legitimacy.

Via The Hacker News
