Grandoreiro Banking Malware Campaigns Renewed Against Financial Sector in Europe and Latin America

Grandoreiro Banking Trojan Resurges, Targeting Banks in Spain and Latin America

MEDIUM
June 1, 2026
6m read
Malware, Phishing, Threat Actor


Executive Summary

The Grandoreiro banking trojan, a long-standing threat in Spanish-speaking regions, is experiencing a significant resurgence. New campaigns have been identified targeting financial institutions and their customers across Spain, Mexico, and other parts of Latin America. The malware employs a classic but effective attack chain involving phishing and technical evasion techniques like DLL side-loading. Its primary function is to steal banking credentials by injecting fake overlays into active banking sessions. The renewed activity demonstrates the persistence of this threat and the ongoing risk that sophisticated banking trojans pose to the financial sector.


Threat Overview

Grandoreiro is a banking trojan designed specifically for financial fraud. The latest campaigns continue to focus on its traditional geographic targets, leveraging language and cultural context to increase the effectiveness of its social engineering.

Attack Chain:

  1. Initial Access (Phishing): The attack begins with a phishing email, often disguised as an invoice, bill payment notification, or other official-looking correspondence. The email carries either an attachment (T1566.001 - Spearphishing Attachment) or a link (T1566.002 - Spearphishing Link) designed to download and execute the initial malware loader.
  2. Execution & Defense Evasion: The loader often uses techniques like DLL side-loading (T1574.002 - DLL Side-Loading). This involves placing a malicious DLL in the same directory as a legitimate, signed executable. When the legitimate program is run, it inadvertently loads the malicious DLL, allowing the malware to execute under the guise of a trusted process.
  3. Command and Control (C2): The malware hosts its C2 endpoints on legitimate cloud services (e.g., Google Cloud, Microsoft Azure). Because the traffic is ordinary HTTPS to address space owned by a major cloud provider, network security tools cannot block it by destination without also blocking legitimate business traffic (T1071.001 - Web Protocols; abuse of legitimate hosting is also tracked as T1102 - Web Service). This is sometimes loosely called domain fronting, but true domain fronting (T1090.004) is a distinct technique in which the TLS SNI names one domain and the HTTP Host header names another behind the same CDN; the source does not describe Grandoreiro doing this.
  4. Credential Theft: The trojan's main payload monitors the victim's web browsing. When it detects that the user is visiting a targeted banking website, it uses web injection or fake overlays to present a fraudulent login form. Any credentials, passwords, or one-time MFA codes entered by the user are captured and sent to the attacker's C2 server (T1185 - Browser Session Hijacking, the technique formerly named Man in the Browser).

Technical Analysis

Grandoreiro's success stems from its focus on stealth and its ability to perform real-time fraud.

  • DLL Side-Loading: This is a powerful defense evasion technique because it hijacks the execution flow of a trusted, signed application. Antivirus and application control solutions that rely on reputation may not flag the initial execution.
  • Cloud C2: Abusing major cloud infrastructure for C2 is a growing trend. It provides attackers with a resilient, high-availability, and difficult-to-block C2 infrastructure for a very low cost.
  • Web Overlays: The use of fake overlays is a form of Man-in-the-Browser (MitB) attack. Because the malware is running on the victim's machine, it can manipulate the content of a legitimate, encrypted HTTPS session after decryption inside the browser process, making the attack invisible to network-level security (including TLS inspection) and fooling the user, who sees the correct URL and a valid TLS certificate in the browser.

The resurgence of Grandoreiro shows that even well-known malware families can remain effective for years by simply evolving their delivery mechanisms and C2 infrastructure to keep up with modern defenses.


Impact Assessment

The primary impact of a Grandoreiro infection is direct financial loss for the victim, whether an individual or a business. By stealing credentials and MFA codes, attackers can gain full access to bank accounts to perform unauthorized transfers.

For the targeted banks, the impact includes:

  • Fraud Losses: Banks often have to reimburse customers for fraudulent transactions, leading to direct financial costs.
  • Reputational Damage: A high volume of fraud among a bank's customer base can erode trust in the bank's security.
  • Increased Support Costs: The bank's customer service and fraud departments are burdened with handling a surge in incidents.

IOCs — Directly from Articles

No specific technical Indicators of Compromise (IOCs) were provided in the summarized articles.


Cyber Observables — Hunting Hints

Security teams can hunt for signs of banking trojan activity:

  • Type: Process Name
    Value: rundll32.exe making outbound network connections
    Description: The legitimate rundll32.exe process making unexpected outbound connections can indicate a malicious DLL being loaded. Note that with true DLL side-loading the connection originates from the legitimate signed host executable itself, so also baseline outbound traffic from signed binaries running outside their normal install paths.
  • Type: File Path
    Value: Unsigned DLLs in %APPDATA% or %TEMP%
    Description: Look for newly created DLL files in user-writable directories, especially when they are loaded by legitimate applications that live in other folders (for example a module under %APPDATA% loaded by an executable in Program Files).
  • Type: Network Traffic Pattern
    Value: TLS connections to cloud provider IPs
    Description: While common, correlating TLS connections to Azure/GCP/AWS address space with the process that initiated them can expose C2. Look for periodic, beacon-like connections (near-constant intervals) from processes that have no business talking to those ranges.
  • Type: Other
    Value: Browser acting strangely on banking sites
    Description: User reports of banking websites behaving unusually (e.g., asking for credentials twice, showing unexpected pop-ups or extra "security" steps) are a key human observable.
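The first three hints can be turned directly into hunting logic. What follows is an added example written for this page, not code from the article or from any vendor product. It runs over a handful of constructed Sysmon-style records (Event ID 7 image loads and Event ID 3 network connections, invented here with hypothetical process names) and flags the behaviours listed above: a signed host process loading an unsigned module from a user-writable path, rundll32.exe making outbound connections, and beacon-like fixed-interval connections to a cloud IP. The USER_WRITABLE path fragments, the jitter threshold and the sample data are assumptions.

```python
"""Hunt for Grandoreiro-style behaviour in endpoint telemetry.

Added example for this page; not code from the article. Input records are
constructed Sysmon-style events (EID 7 = ImageLoad, EID 3 = NetworkConnect),
not real logs, with timestamps in seconds from the start of the window.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: path fragments that mark user-writable locations on a typical
# Windows profile; tune for your environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Constructed sample processes (hypothetical names).
UPDATER = "C:\\Program Files\\Vendor\\updater.exe"   # signed vendor binary
RUNDLL = "C:\\Windows\\System32\\rundll32.exe"
BROWSER = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
SIDELOADED = "C:\\Users\\ana\\AppData\\Roaming\\Vendor\\version.dll"

EVENTS = [
    # Signed updater loads an unsigned DLL from the roaming profile (side-load).
    {"eid": 7, "ts": 0, "pid": 4120, "image": UPDATER, "image_signed": True,
     "module": SIDELOADED, "module_signed": False},
    {"eid": 7, "ts": 0, "pid": 4120, "image": UPDATER, "image_signed": True,
     "module": "C:\\Windows\\System32\\kernel32.dll", "module_signed": True},
    {"eid": 7, "ts": 2, "pid": 6000, "image": BROWSER, "image_signed": True,
     "module": "C:\\Program Files\\Mozilla Firefox\\nss3.dll", "module_signed": True},
    # Updater then connects to a cloud IP every 60 s: beacon-like.
    *({"eid": 3, "ts": 10 + 60 * i, "pid": 4120, "image": UPDATER,
       "dst": "20.50.1.10", "dport": 443} for i in range(5)),
    # rundll32.exe with an outbound connection.
    {"eid": 3, "ts": 15, "pid": 5300, "image": RUNDLL, "dst": "34.120.5.9", "dport": 443},
    # Browser traffic to a cloud IP with human, irregular timing.
    *({"eid": 3, "ts": t, "pid": 6000, "image": BROWSER,
       "dst": "52.1.2.3", "dport": 443} for t in (3, 9, 41, 48, 122)),
]


def is_user_writable(path):
    """True if the path sits under a location a standard user can write to."""
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def suspicious_image_loads(events):
    """Signed host process loading an unsigned module from a user-writable path."""
    return [(e["pid"], e["image"], e["module"]) for e in events
            if e["eid"] == 7 and e["image_signed"] and not e["module_signed"]
            and is_user_writable(e["module"])]


def rundll32_connections(events):
    """Outbound connections whose initiating image is rundll32.exe."""
    return [(e["pid"], e["dst"], e["dport"]) for e in events
            if e["eid"] == 3 and e["image"].lower().endswith("\\rundll32.exe")]


def beacon_candidates(events, min_connections=4, max_cv=0.15):
    """Per (pid, dst): flag near-constant inter-connection intervals.

    The coefficient of variation (stdev / mean of the gaps) is low for a
    timer-driven beacon and high for human-driven browsing. max_cv is an
    assumption; sleep jitter in real implants pushes it up.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["eid"] == 3:
            by_key[(e["pid"], e["dst"])].append(e["ts"])
    hits = []
    for (pid, dst), stamps in sorted(by_key.items()):
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((pid, dst, round(avg, 1)))
    return hits


def hunt(events):
    """Combine the views; a beaconing process that also side-loaded is high priority."""
    loads = suspicious_image_loads(events)
    beacons = beacon_candidates(events)
    tainted = {pid for pid, _, _ in loads}
    return {
        "sideload": loads,
        "rundll32_net": rundll32_connections(events),
        "beacons": beacons,
        "high_priority": [b for b in beacons if b[0] in tainted],
    }


if __name__ == "__main__":
    for name, findings in hunt(EVENTS).items():
        print(name)
        for finding in findings:
            print("   ", finding)
```

Correlating the views matters more than any one of them: a fixed-interval connection to a cloud IP from a browser is unremarkable, while the same pattern from a process that just loaded an unsigned DLL out of %APPDATA% is the strongest single signal here. On real telemetry the signed flags come from Sysmon's Signed/SignatureStatus fields or the EDR equivalent, and the user-writable path list needs tuning for the environment.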

Detection & Response

  • Endpoint Detection: Deploy EDR solutions that can detect DLL side-loading by monitoring image-load events for modules loaded into signed processes from unusual or user-writable paths (process-creation telemetry alone misses it, because the host executable is legitimate). Heuristic and behavioral analysis can also identify web injection and other MitB techniques. This is an application of D3FEND's Process Analysis (D3-PA).
  • Egress Filtering: While blocking all cloud provider IPs is not feasible, organizations can implement more granular egress filtering. Deny outbound traffic from user workstations to all destinations by default, and only allow traffic to specific, categorized URLs required for business. This makes it harder for malware to establish C2.
  • User Education: Train users to be suspicious of any unusual behavior on banking websites, such as being asked to re-enter credentials or seeing unexpected pop-ups.

Mitigation

  • Email Security Gateway: Use a modern email security solution that can scan for malicious attachments and links, and use sandboxing to detonate potential phishing payloads before they reach the user's inbox.
  • Attack Surface Reduction (ASR) Rules: For Windows environments, enable Microsoft Defender's ASR rules, in particular "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", which can stop novel malware loaders, and "Block executable content from email client and webmail" for the delivery stage. Run new rules in audit mode first to find the line-of-business exceptions they would break.
  • Browser Security: Encourage or enforce the use of browser extensions that provide anti-phishing and anti-tracking protection.
  • Transaction Monitoring: On the banking side, use backend fraud detection systems that can identify anomalous transactions, even if they are initiated from a legitimate user's device with valid credentials.

Timeline of Events

June 1, 2026: This article was published.

MITRE ATT&CK Mitigations

  • User Training (M1017): Educate users to recognize and report phishing emails and suspicious website behavior.
  • Behavior Prevention on Endpoint (M1040): Use endpoint protection with behavioral analysis to detect malicious processes and web injections.
  • Network Intrusion Prevention (M1031): Employ advanced email security gateways to filter malicious attachments and links.

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Grandoreiro, Banking Trojan, Malware, Phishing, DLL Side-Loading, Spain, Latin America
