Kaspersky uncovers malware targeting 45 countries, 1,700 banks
Despite the early 2024 arrests of key Grandoreiro operators, the banking trojan continues to launch global campaigns, now through a newly identified, lighter version targeting Mexico.
Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered that this streamlined strain targets approximately 30 Mexican banks, demonstrating the group’s resilience and adaptability despite recent setbacks.
Since its emergence in 2016, Grandoreiro has become a formidable threat to over 1,700 banks and nearly 300 cryptocurrency wallets across 45 countries, with significant penetration in Asia and Africa.
Recent data reveals Mexico as one of its most severely impacted nations, where over 51,000 Grandoreiro-related incidents have been recorded this year alone.
This new, slimmed-down version allows Grandoreiro to remain active, comprising about five percent of global banking trojan attacks in 2024, marking it as one of the most pervasive threats in the cybersecurity landscape.
In a coordinated effort, INTERPOL, with assistance from Kaspersky, facilitated the capture of Grandoreiro’s Brazilian operators earlier this year. Despite these arrests, Kaspersky’s researchers found that the group’s source code has been divided into smaller, flexible versions, making it easier to target specific regions and evade detection.
“This fragmented approach, where Grandoreiro is available only to a trusted circle of affiliates, diverges from the typical ‘Malware-as-a-Service’ model. Access to the trojan remains exclusive and tightly controlled, preventing wide-scale resale on underground forums,” said Fabio Assolini, Kaspersky’s Head of Latin American Research.
Among its new evasion tactics, Grandoreiro now records users’ mouse activities to imitate real human behavior, bypassing machine learning-based security algorithms designed to spot fraudulent activity.
By mimicking authentic user actions, the malware avoids detection by anti-fraud systems. Additionally, the latest Grandoreiro variants use Ciphertext Stealing (CTS), a sophisticated cryptographic method that obscures malicious code strings, making detection even harder for cybersecurity tools.
This resilience has extended Grandoreiro’s reach to over 276 cryptocurrency wallets and banks, threatening financial institutions across 45 countries, including African nations like Nigeria, Kenya, South Africa, and Ethiopia. Kaspersky’s analysis indicates that the malware may continue spreading through Latin America and beyond, potentially influencing banking security tactics worldwide.
As the threat landscape evolves, Kaspersky emphasizes the need for adaptive countermeasures in banks and other financial institutions to tackle the ever-changing tactics of malware operators.

