Interpol's Operation against Grandoreiro Trojan and Its Resurgence

TapTechNews, May 22nd news: Interpol carried out a transnational law enforcement operation in Brazil and Spain in January this year, successfully disrupting the operation of the financial Trojan Grandoreiro. However, researchers have recently discovered that the Trojan has come back to life, showing 'signs of renewed activity'.

According to a report from IBM's X-Force security team, the Grandoreiro Trojan has since March again shown 'signs of large-scale spread'. The researchers speculate that the hacker group may be providing the Trojan to other hackers under a subscription model, through a leasing service.

Researchers pointed out that the Grandoreiro campaign has a wide reach, involving more than 60 countries across Central and South America, Africa, Europe and elsewhere, and affecting the customers of more than 1,500 banks worldwide.

TapTechNews learned from the report that the attackers impersonated the Mexican Tax Administration (SAT), the Mexican Federal Electricity Commission (CFE), the Mexican Minister of Administration and Finance, the Argentine Tax Authority and the South African Tax Authority (SARS), among others, sending phishing emails in the recipient's native language and luring unsuspecting recipients into clicking the links in the emails on the pretext of viewing invoices, financial statements or tax information. Once the recipient follows the instructions, they are directed to download the malicious Trojan.


The security company states that the recently emerged version of Grandoreiro has several improvements over past versions. The attackers have introduced AES-CBC, combined with an algorithm of their own, for data encryption; added a Domain Generation Algorithm (DGA) to obtain the IP address of the C&C server; and built a series of loaders to prevent security vendors from observing the Trojan's behavior in a sandbox environment.

In addition, the scope of this Trojan has expanded from 'collecting the online banking credentials on the user's device' to 'collecting the user's cryptocurrency wallet information'. The Trojan has also gained an automatic spreading mechanism that uses the Outlook client on the victim's device to send phishing emails to other people at random from the victim's own email address.
