Kaspersky has assisted an INTERPOL-coordinated action, which has led to Brazilian authorities arresting five administrators behind a Grandoreiro banking trojan operation. According to conservative estimates, the banking trojan operators are believed to have defrauded victims of more than 3.5 million euros (more than PHP 214 million).
Grandoreiro is a Brazil-originated banking trojan, which, according to Kaspersky data, has been active since at least 2016. Attacks using Grandoreiro frequently start with a spear-phishing email written in Spanish, Portuguese, or English. Once installed on a victim machine, the trojan tracks keyboard inputs, simulates mouse activity, shares screens, collecting data such as usernames, operating system information, device runtime, and, most importantly, bank identifiers. With full control over victims’ bank accounts, criminals empty them, sending funds through a money mule network to launder the illicit proceeds.
The trojan has many versions, which might indicate that different operators are involved in the development of the malware, with Kaspersky experts having seen Grandoreiro operating as a Malware-as-a-Service (MaaS) project. The prolific banking malware targets more than 900 financial institutions in more than 40 countries in North and Latin America, and Europe.
As part of the current joint effort, Kaspersky along with INTERPOL’s other private partners contributed to the analysis of Grandoreiro malware samples, gathered by Brazilian and Spanish national cybercrime investigations between 2020 and 2022. In 2020-2022, Kaspersky products detected 150,000 attacks with the use of Grandoreiro banking trojan on 40,000 users worldwide. Brazil, Spain, Mexico, Portugal, Argentina, and the USA turned out to be the most affected countries.
As a result, by August 2023, analytical reports had been produced that had identified overlaps between the samples, allowing investigators to close in on the organized crime group.
“We have been witnessing Grandoreiro’s campaigns since at least 2016. Over time, the attackers have been regularly improving techniques, striving to stay undetected and active for longer periods of time. In these circumstances, it is extremely important for financial institutions to stay vigilant while also improving their anti-fraud technologies and threat intelligence data. Greater synergy between private and public partners is also pivotal for combating against such cybercrimes and ensuring a safer environment for users and organizations worldwide,” comments Fabio Assolini, head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky.
Emphasizing the importance of a collective approach, Craig Jones, Director of INTERPOL’s Cybercrime unit, said: “This operational success vividly underscores the importance of sharing intelligence through INTERPOL, and why we are committed to acting as a bridge between public and private sectors. It also sets the stage for further cooperation in the region.”
As trojan families, like Grandoreiro, have been actively expanding abroad, Kaspersky experts expect to see increased exploitation of mobile banking trojans. According to the company’s predictions for crimeware and financial threats in 2024, we might see Brazilian banking trojans trying to fill the void left by desktop banking trojans, with the resurgence of these trojans becoming one of the trends dominating the financial threat landscape this year.