
ESET Research joins global operation to disrupt the Grandoreiro banking trojan operating in Latin America and Spain

Created: 2024-02-02 08:07:49

  • ESET worked alongside the Federal Police of Brazil in an attempt to disrupt the Grandoreiro botnet.
  • ESET contributed to the project by providing technical analysis, statistical information, and known command and control (C&C) server domain names and IP addresses.
  • This disruption operation was aimed at individuals who are believed to be high up in Grandoreiro’s operational hierarchy.
  • Further investigation performed by the Federal Police of Brazil led to the identification and arrest of the individuals in control of the botnet.
  • Grandoreiro has been active since at least 2017.
  • Grandoreiro targets Brazil, Mexico, Spain, and Argentina.
  • Grandoreiro can block a victim’s screen, log keystrokes, simulate mouse and keyboard activity, share the victim’s screen, and display fake pop-up windows.

BRATISLAVA, PRAGUE — January 30, 2024 — ESET collaborated with the Federal Police of Brazil in an attempt to disrupt the Grandoreiro botnet. ESET contributed to the project by providing technical analysis, statistical information, and known command and control (C&C) server domain names and IP addresses. Due to a design flaw in Grandoreiro’s network protocol, ESET researchers were also able to get a glimpse into the victimology.

This disruption operation was aimed at individuals who are believed to be high up in Grandoreiro’s operational hierarchy. The investigation by the Federal Police of Brazil led to multiple arrests. ESET researchers provided data crucial to identifying the accounts responsible for setting up and connecting to the Grandoreiro C&C servers.

Grandoreiro is one of many Latin American banking trojans. It has been active since at least 2017, and ESET researchers have been closely tracking it since then. Grandoreiro targets Brazil, Mexico, Spain, and, since 2023, Argentina.

Functionality-wise, Grandoreiro hasn’t changed very much since the last ESET Research blog post about the group in 2020. Despite that, Grandoreiro has been undergoing rapid and constant development. Occasionally we even observed several new builds in a single week; between February 2022 and June 2022, for example, this amounted to a new version on average every four days.

The operator still has to interact manually with the compromised machine in order to steal a victim’s money. The malware allows the following actions:

  • Blocking victims’ screens
  • Logging keystrokes
  • Simulating mouse and keyboard activity
  • Sharing the victims’ screen(s)
  • Displaying fake pop-up windows

“ESET automated systems have processed tens of thousands of Grandoreiro samples. The domain generation algorithm (DGA) that the malware has used since around October 2020 produces one main domain per day, and it is the only way Grandoreiro is able to establish a connection to a C&C server. Besides the current date, the DGA accepts a huge static configuration as well,” says ESET Researcher Jakub Souček, who coordinated the team that analyzed Grandoreiro and other Latin American banking trojans. “Grandoreiro is similar to other Latin American banking trojans mainly via its obvious core functionality and in bundling its downloaders within MSI installers.”

Grandoreiro’s implementation of its network protocol allowed ESET researchers to take a peek behind the curtain and get a glimpse of the victimology. Grandoreiro’s C&C servers give away information about the victims connected at the time of the initial request made by each newly connected victim. By examining this data for more than a year, we conclude that 66% of victims were Windows 10 users, 13% used Windows 7, 12% used Windows 8, and 9% were Windows 11 users. Since Grandoreiro reports an unreliable geographical distribution of its victims, we refer to ESET telemetry instead: Spain accounts for 65% of all victims, followed by Mexico with 14%, Brazil with 7%, and Argentina with 5%; the remaining 9% of victims are located in other Latin American countries. We also note that in 2023 we saw a significant decrease in Grandoreiro’s activity in Spain, compensated for by increased campaigns in Mexico and Argentina.

For more technical information about Grandoreiro, check out the blog post “ESET takes part in global operation to disrupt the Grandoreiro banking trojan” on WeLiveSecurity. Make sure to follow ESET Research on Twitter (currently known as X) for the latest news from ESET Research.

About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.
