• ESET worked alongside the Federal Police of Brazil in an attempt to disrupt the Grandoreiro botnet.
• ESET contributed to the project by providing technical analysis, statistical information, and known command and control (C&C) server domain names and IP addresses.
• This disruption operation was aimed at individuals who are believed to be high up in Grandoreiro’s operational hierarchy.
• Further investigation performed by the Federal Police of Brazil led to the identification and arrest of the individuals in control of the botnet.
• Grandoreiro has been active since at least 2017.
• Grandoreiro targets Brazil, Mexico, Spain, and Argentina.
• Grandoreiro can block a victim’s screen, log keystrokes, simulate mouse and keyboard activity, share the victim’s screen, and display fake pop-up windows.
BRATISLAVA, PRAGUE — January 30, 2024 — ESET collaborated with the Federal Police of Brazil in an attempt to disrupt the Grandoreiro botnet. ESET contributed to the project by providing technical analysis, statistical information, and known command and control (C&C) server domain names and IP addresses. Due to a design flaw in Grandoreiro’s network protocol, ESET researchers were also able to get a glimpse into the victims impacted.
This disruption operation was aimed at individuals who are believed to be high up in Grandoreiro’s operational hierarchy. The investigation by the Federal Police of Brazil led to multiple arrests. ESET researchers provided data crucial to identifying the accounts responsible for setting up and connecting to the Grandoreiro C&C servers.
Grandoreiro is one of many Latin American banking trojans. It has been active since at least 2017, and ESET researchers have been closely tracking it since then. Grandoreiro targets Brazil, Mexico, Spain, and, since 2023, Argentina.
Although Grandoreiro hasn’t changed much since the last ESET Research blog post about the group in 2020, it has been undergoing rapid and constant development. Occasionally, we even observed several new builds a week, amounting to a new version on average every four days between February 2022 and June 2022.
The operator still has to interact manually with the compromised machine in order to steal a victim’s money. The malware allows the following actions:
• Blocking victims’ screens
• Logging keystrokes
• Simulating mouse and keyboard activity
• Sharing the victims’ screen(s)
• Displaying fake pop-up windows
“ESET automated systems have processed tens of thousands of Grandoreiro samples. The domain generation algorithm (DGA) that the malware has used since around October 2020 produces one main domain per day, and it is the only way Grandoreiro is able to establish a connection to a C&C server. In addition to the current date, the DGA accepts a huge static configuration as well,” says ESET Researcher Jakub Souček, who coordinated the team that analysed Grandoreiro and other Latin American banking trojans. “Grandoreiro is similar to other Latin American banking trojans mainly via its obvious core functionality and in bundling its downloaders within MSI installers.”
Grandoreiro’s implementation of its network protocol allowed ESET researchers to take a peek behind the curtain and get a glimpse of the victims impacted. Grandoreiro’s C&C servers gave away information about the victims connected at the time of each newly connected victim’s initial request. By examining this data for more than a year, we can conclude that 66% were Windows 10 users, 13% Windows 7, 12% Windows 8, and 9% were Windows 11 users. Since the geographical distribution Grandoreiro reports for its victims is unreliable, we rely on ESET telemetry instead: Spain accounts for 65% of all victims, followed by Mexico with 14%, Brazil with 7%, and Argentina with 5%; the remaining 9% of victims are located in other Latin American countries. We also note that in 2023, we saw a significant decrease in Grandoreiro’s activity in Spain, offset by increased campaigns in Mexico and Argentina.
For more technical information about Grandoreiro, check out the blog post “ESET takes part in global operation to disrupt the Grandoreiro banking trojan” on WeLiveSecurity. Make sure to follow ESET Research on Twitter (currently known as X) for the latest news from ESET Research.