Crooks are reviving the Grandoreiro banking trojan – Securityaffairs.com
Published on: 2025-03-28
Intelligence Report: Crooks are reviving the Grandoreiro banking trojan – Securityaffairs.com
1. BLUF (Bottom Line Up Front)
A new phishing campaign has been identified, targeting users in Latin America and Europe with the Grandoreiro banking trojan. Initially focused on Brazil, the campaign has expanded to Mexico, Portugal, and Spain. The trojan uses sophisticated obfuscation techniques to evade detection and is hosted on virtual private servers. The primary objective is credential theft, with attackers frequently altering their tactics to avoid cybersecurity measures. Immediate attention and action are required to mitigate the threat.
2. Detailed Analysis
The following structured analytic techniques have been applied for this analysis:
General Analysis
The Grandoreiro trojan is a modular backdoor that supports various capabilities, including credential theft and system infiltration. The campaign employs phishing emails impersonating tax agencies, with malicious links hosted on Contabo servers. Once the user clicks the link, a Visual Basic script disguised as a PDF is downloaded, leading to the execution of a Delphi-based executable. This malware searches for personal data, including Bitcoin wallets, and communicates with a server using custom URI clients on unusual ports. The attackers’ use of encrypted and password-protected files complicates detection and mitigation efforts.
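As an added illustration of the chain described above and of the detection recommendation in section 4 (example code, not from the report or from Forcepoint), the following Python script scans constructed sample log lines for two observables named here: a script file hiding behind a .pdf name, and outbound connections on unusual ports, correlated with the host that served the lure. The key=value log format, the script-extension list and the expected-port set are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample events (not from the report); the key=value format is an assumption.
SAMPLE_LOG = [
    "download user=alice file=Declaracion_Renta.pdf.vbs url=http://203.0.113.5/doc/1",
    "download user=bob file=Informe_2024.pdf url=http://intranet.example/reports/7",
    "connect proc=winword.exe dst=198.51.100.7 port=443",
    "connect proc=nfe_viewer.exe dst=203.0.113.5 port=41300",
    "connect proc=chrome.exe dst=198.51.100.9 port=8443",
]

# Script types a "PDF" lure may really be; assumed list, not taken from the report.
SCRIPT_EXTS = ("vbs", "vbe", "js", "jse", "wsf", "hta")
DISGUISED = re.compile(r"\.pdf\.(" + "|".join(SCRIPT_EXTS) + r")$", re.IGNORECASE)
# Ports on which outbound web traffic is expected; a site-specific assumption.
EXPECTED_PORTS = {80, 443, 8080, 8443}


def parse_event(line):
    """Split 'kind k=v k=v ...' into (kind, {k: v})."""
    kind, *fields = line.split()
    return kind, dict(f.split("=", 1) for f in fields)


def is_disguised_script(filename):
    """True for names such as Factura.pdf.vbs that hide a script behind a PDF extension."""
    return DISGUISED.search(filename) is not None


def find_suspicious(lines):
    """Return (line_no, reason, detail) tuples; connects are correlated with lure hosts."""
    findings, lure_hosts = [], set()
    events = [parse_event(line) for line in lines]
    for kind, ev in events:  # pass 1: collect hosts that served a disguised script
        if kind == "download" and is_disguised_script(ev["file"]):
            lure_hosts.add(urlparse(ev["url"]).hostname)
    for n, (kind, ev) in enumerate(events, 1):  # pass 2: report findings in log order
        if kind == "download" and is_disguised_script(ev["file"]):
            findings.append((n, "script-disguised-as-pdf", ev["file"]))
        elif kind == "connect":
            dst, port = ev["dst"], int(ev["port"])
            reasons = []
            if port not in EXPECTED_PORTS:
                reasons.append("unusual-port")
            if dst in lure_hosts:
                reasons.append("lure-host-contact")
            if reasons:
                findings.append((n, "+".join(reasons), f"{ev['proc']}->{dst}:{port}"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Each finding carries the log line number so an analyst can pivot back to the raw event; the lure-host correlation is what separates a benign odd-port connection from the second stage of this chain.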
3. Implications and Strategic Risks
The resurgence of the Grandoreiro trojan poses significant risks to financial institutions and individual users in the targeted regions. The campaign’s expansion into multiple countries increases the potential for widespread economic disruption. The use of sophisticated obfuscation techniques and frequent changes in attack vectors highlight a growing trend in cybercriminal strategies, posing challenges to national security and regional stability. The economic interests of affected countries are at risk due to potential financial losses and reputational damage.
4. Recommendations and Outlook
Recommendations:
- Enhance cybersecurity awareness and training for individuals and organizations to recognize and respond to phishing attempts.
- Implement advanced threat detection systems capable of identifying obfuscated malware and unusual network activity.
- Encourage collaboration between international cybersecurity agencies to share intelligence and develop coordinated response strategies.
Outlook:
In the best-case scenario, increased awareness and improved cybersecurity measures will mitigate the impact of the Grandoreiro campaign. In the worst-case scenario, the trojan could lead to significant financial losses and undermine trust in digital financial systems. The most likely outcome involves ongoing efforts to counteract the threat, with periodic disruptions as attackers adapt their tactics.
5. Key Individuals and Entities
The report identifies Forcepoint Labs as the research entity uncovering the campaign. The attackers utilize Contabo servers for hosting malicious links. The campaign targets users in Mexico, Argentina, and Spain, among others. The involvement of these entities and regions underscores the need for a coordinated response to this evolving threat.