ESET Research joins global operation to disrupt the Grandoreiro banking trojan operating in Latin America and Spain
Wednesday, February 7, 2024
-- ESET worked alongside the Federal Police of Brazil in an attempt to
disrupt the Grandoreiro botnet.
-- ESET contributed to the project by providing technical analysis,
statistical information, and known command and control (C&C) server
domain names and IP addresses.
-- This disruption operation was aimed at individuals who are believed to
be high up in Grandoreiro's operational hierarchy.
-- Further investigation performed by the Federal Police of Brazil led to
the identification and arrest of the individuals in control of the
botnet.
-- Grandoreiro has been active since at least 2017.
-- Grandoreiro targets Brazil, Mexico, Spain, and Argentina.
-- Grandoreiro can block a victim's screen, log keystrokes, simulate mouse
and keyboard activity, share the victim's screen, and display fake
pop-up windows.
SAN DIEGO, Jan. 30, 2024 /PRNewswire/ -- ESET, a global leader in digital security, today announced it collaborated with the Federal Police of Brazil in an attempt to disrupt the Grandoreiro botnet. ESET contributed to the project by providing technical analysis, statistical information, and known command and control (C&C) server domain names and IP addresses. Due to a design flaw in Grandoreiro's network protocol, ESET researchers were also able to get a glimpse into the victimology.
This disruption operation was aimed at individuals who are believed to be high up in Grandoreiro's operational hierarchy. The investigation by the Federal Police of Brazil led to multiple arrests. ESET researchers provided data crucial to identifying the accounts responsible for setting up and connecting to the Grandoreiro C&C servers.
Grandoreiro is one of many Latin American banking trojans. It has been active since at least 2017, and ESET researchers have been closely tracking it since then. Grandoreiro targets Brazil, Mexico, Spain, and, since 2023, Argentina.
Functionality-wise, Grandoreiro hasn't changed very much since the last ESET Research blog post about the group in 2020. Despite that, Grandoreiro has been undergoing rapid and constant development. At times we observed several new builds in a single week; between February 2022 and June 2022, for example, this amounted to a new version every four days on average.
The operator still has to interact manually with the compromised machine in order to steal a victim's money. The malware allows the following actions:
-- Blocking victims' screens
-- Logging keystrokes
-- Simulating mouse and keyboard activity
-- Sharing the victims' screen(s)
-- Displaying fake pop-up windows
"ESET automated systems have processed tens of thousands of Grandoreiro samples. The domain generation algorithm (DGA) that the malware has used since around October 2020 produces one main domain per day, and it is the only way Grandoreiro is able to establish a connection to a C&C server. Besides the current date, the DGA accepts a huge static configuration as well," says ESET Researcher Jakub Souček, who coordinated the team that analyzed Grandoreiro and other Latin American banking trojans. "Grandoreiro is similar to other Latin American banking trojans mainly via its obvious core functionality and in bundling its downloaders within MSI installers."
Grandoreiro's implementation of its network protocol allowed ESET researchers to take a peek behind the curtain and get a glimpse of the victimology. Grandoreiro's C&C servers reveal information about the victims that are connected at the moment each newly connected victim makes its initial request. By examining this data for more than a year, we conclude that 66% were Windows 10 users, 13% used Windows 7, Windows 8 represented 12%, and 9% were Windows 11 users. Since Grandoreiro reports an unreliable geographical distribution of its victims, we refer to ESET telemetry instead: Spain accounts for 65% of all victims, followed by Mexico with 14%, Brazil with 7%, and Argentina with 5%; the remaining 9% of victims are located in other Latin American countries. We also note that in 2023, we saw a significant decrease in Grandoreiro's activity in Spain, compensated for by increased campaigns in Mexico and Argentina.
For more technical information about Grandoreiro, check out the blog post "ESET takes part in global operation to disrupt the Grandoreiro banking trojan" on WeLiveSecurity. Make sure to follow ESET Research on Twitter (currently known as X) for the latest news from ESET Research.
About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET's high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET's R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter (X).
View original content: https://www.prnewswire.com/news-releases/eset-research-joins-global-operation-to-disrupt-the-grandoreiro-banking-trojan-operating-in-latin-america-and-spain-302048426.html
SOURCE ESET