Risk: high
Damage: high
Platform(s): Microsoft® Windows OS; Android OS
Advisory ID: ngCERT-2024-0019
Version: N/A
CVE: N/A
Published: May 27, 2024
Grandoreiro, a multi-component banking trojan operated as Malware-as-a-Service (MaaS), is targeting more than 1,500 banks globally. According to reports, the malware has targeted banking applications and websites in more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific. Investigation further revealed that the malware has targeted more than 41 banking applications in Nigeria. The new version includes significant changes, such as a reworked string decryption routine and a new DGA calculation that yields at least 12 different C2 domains per day. Grandoreiro's attack chain includes harvesting email addresses from infected hosts and sending further phishing emails through the Microsoft Outlook client. Cybercriminals could use the malware to gather sensitive financial data, potentially resulting in financial losses. This underscores the need for network and system administrators, as well as device users, to put safeguards in place to prevent likely attacks.
The Grandoreiro banking trojan is spread through large-scale phishing campaigns in which threat actors send emails impersonating government entities and financial institutions. These emails entice recipients to click on links to view documents or notices (such as account statements) or to make payments, leading to the download of a ZIP file containing a loader executable. The loader is designed to evade antivirus detection by inflating its file size and by presenting a CAPTCHA to distinguish real users from automated analysis systems. Once executed, the loader checks its environment to avoid sandboxes and unprotected Windows 7 machines, then collects victim data such as computer and user names, operating system version, antivirus name, public IP address, and running processes. This information is encrypted and sent to a command and control (C2) server. The malware also checks for Microsoft Outlook clients, cryptocurrency wallets, and specific banking security products. To ensure persistence, the malware modifies the Windows registry, and it uses a Domain Generation Algorithm (DGA) for C2 communication. It harvests email addresses from Outlook and, after disabling Outlook alerts, sends further phishing emails from the victim’s account. It skips certain addresses, such as those containing "noreply" or "newsletter", and scans the victim’s folders for files with specific extensions to find more addresses. The malware sends spam emails based on templates fetched from its C2 server, waits until the user has been inactive for a certain period before sending them, and immediately deletes the sent messages from the victim’s mailbox. Besides its banking trojan capabilities, the malware allows cybercriminals to control the infected computer, perform keylogging, manage windows and processes, open a browser and execute JavaScript, upload or download files, and send emails.
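Because the malware relies on daily-generated C2 domains, one network-side signal defenders can watch for is a host that fails to resolve many distinct names within a single day. The following detector is an added example written for this advisory, not ngCERT's or any vendor's tooling; the resolver log format (time, client, query name, response code) and the threshold of five distinct NXDOMAIN names per day are assumptions, and the log lines are constructed.

```python
"""Flag hosts whose DNS traffic shows a DGA-like pattern: many distinct
names that fail to resolve (NXDOMAIN) on the same day, which is what a
trojan cycling through daily-generated C2 domains tends to produce."""
import re
from collections import defaultdict

# Constructed resolver log lines (not from the advisory):
# <ISO timestamp> <client IP> <query name> <response code>
SAMPLE_LOG = """\
2024-05-27T08:59:50 10.0.0.5 www.example.com NOERROR
2024-05-27T09:00:01 10.0.0.5 q8v3kd1lzp.example.net NXDOMAIN
2024-05-27T09:00:02 10.0.0.5 m2x7rtwo9a.example.net NXDOMAIN
2024-05-27T09:00:03 10.0.0.5 z1p4nhc6eb.example.net NXDOMAIN
2024-05-27T09:00:04 10.0.0.5 y7k2laqr3d.example.net NXDOMAIN
2024-05-27T09:00:05 10.0.0.5 w5c9sbtn0h.example.net NXDOMAIN
2024-05-27T09:00:06 10.0.0.5 q8v3kd1lzp.example.net NXDOMAIN
2024-05-27T09:30:00 10.0.0.7 typo.example.org NXDOMAIN
2024-05-27T09:31:00 10.0.0.7 www.example.com NOERROR
"""

# Assumed log layout; adjust the pattern to your resolver's format.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Return (day, client, qname, rcode), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def nxdomain_names(log_text):
    """Map (day, client) -> set of distinct names that returned NXDOMAIN."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        day, client, qname, rcode = rec
        if rcode == "NXDOMAIN":
            failed[(day, client)].add(qname.lower().rstrip("."))
    return failed

def flag_dga_hosts(log_text, threshold=5):
    """Return sorted (day, client, count) for hosts at or over threshold.
    The default threshold is an assumption; tune it from your own baseline
    so that ordinary typos (like 10.0.0.7 above) are not flagged."""
    return sorted(
        (day, client, len(names))
        for (day, client), names in nxdomain_names(log_text).items()
        if len(names) >= threshold
    )

if __name__ == "__main__":
    for day, client, n in flag_dga_hosts(SAMPLE_LOG):
        print(f"{day} {client}: {n} distinct unresolved names")
```

Repeated lookups of the same failed name are counted once, so a single stuck resolver does not trip the rule; only breadth of distinct failures does.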
The following could happen if this banking malware is successfully installed:
It is therefore recommended that system administrators and users should: