The Federal Police of Brazil announced it has disrupted the operation of a cybercriminal gang behind a massive banking fraud scheme that has netted at least €3.6 million ($3.9 million) since 2019.
The scheme involved banking malware called ‘Grandoreiro’ used to target victims in Brazil, Mexico, Spain and Peru. It is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model.
Grandoreiro both steals data via keyloggers and screen-grabbers and harvests bank login credentials through overlays displayed when an infected victim visits one of the banking sites pre-selected by the threat actors. The trojan is typically delivered via spam emails with various lures such as shared documents, Nota Fiscal Eletrônica (NF-e, an electronic invoice that organizations in Brazil are required to issue), and utility bills.
After a victim clicks the link in the email, a zip file is downloaded containing an MSI, HTA or exe file. When executed, the malicious file adds malicious behavior to an otherwise legitimate program via DLL injection, which ultimately results in the download of the Grandoreiro payload.
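The delivery chain just described (a mailed zip carrying an MSI, HTA or exe first stage) is the point where a mail gateway or download scanner can intervene. The following is an added example, not code from the article, from ESET or from the Brazilian police: a small Python triage routine that walks a zip archive, including nested zips, and flags members both by the extensions named above and by file magic, so that a payload renamed to a harmless extension is still caught. The sample archive it builds is constructed for the demonstration; its file names and contents are placeholders, not real Grandoreiro artifacts.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Extensions the article names as the first-stage payload inside the mailed zip.
STAGE1_EXTENSIONS = {".msi", ".hta", ".exe"}

# Magic bytes for the binary formats among them: PE executables start with "MZ",
# MSI packages are OLE compound documents. HTA is plain text with no reliable magic.
MAGIC = {
    b"MZ": "pe-executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound-document (msi)",
}

MAX_NESTING = 3  # stop descending into zip-in-zip after this many levels


def _extension(name: str) -> str:
    """Last extension, lower-cased, so 'NF-e.pdf.exe' yields '.exe'."""
    lower = name.lower()
    return "." + lower.rsplit(".", 1)[-1] if "." in lower else ""


def _sniff(head: bytes) -> Optional[str]:
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def find_stage1_payloads(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> List[Dict[str, str]]:
    """Walk an archive (and nested archives) and report members that look like a
    first-stage payload, by extension or by file magic. Corrupt input is reported
    as a finding so the caller fails closed rather than waving it through."""
    findings: List[Dict[str, str]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [{"member": prefix or "<root>", "reason": "corrupt or non-zip archive"}]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = _extension(info.filename)
            with zf.open(info) as fh:
                head = fh.read(8)
            kind = _sniff(head)
            if ext in STAGE1_EXTENSIONS:
                findings.append({"member": path, "reason": f"payload extension {ext}"})
            elif kind is not None:
                findings.append({"member": path, "reason": f"{kind} magic under extension {ext or '(none)'}"})
            elif ext == ".zip" and depth < MAX_NESTING:
                # Nested archive: read it fully and recurse one level deeper.
                with zf.open(info) as fh:
                    findings.extend(find_stage1_payloads(fh.read(), depth + 1, path + "/"))
    return findings


def verdict(zip_bytes: bytes) -> str:
    """'block' if any first-stage payload indicator is present, else 'allow'."""
    return "block" if find_stage1_payloads(zip_bytes) else "allow"


def build_sample(with_payloads: bool = True) -> bytes:
    """Constructed sample archive (placeholder content, not a real dropper): a decoy
    text file and, when requested, a double-extension .exe lure, a renamed PE, and
    a nested zip carrying an HTA."""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("leia-me.txt", "decoy")
        if with_payloads:
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as nested:
                nested.writestr("boleto.hta", "<html><script>/* constructed */</script></html>")
            z.writestr("NF-e_0001.pdf.exe", b"MZ" + b"\x00" * 62)
            z.writestr("fatura.dat", b"MZ" + b"\x00" * 62)
            z.writestr("anexo.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in find_stage1_payloads(build_sample()):
        print(f"{f['member']}: {f['reason']}")
    print(verdict(build_sample()))
```

Checking magic as well as extension matters because the lure depends on the user seeing a familiar name; a gateway that keys only on `.exe` misses the same PE saved as `fatura.dat`. The routine deliberately treats an unreadable archive as a finding, since a scanner that cannot parse an attachment has no basis for allowing it.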
The Brazilian police said it served five temporary arrest warrants and carried out 13 searches in the states of São Paulo, Santa Catarina, Pará, Goiás and Mato Grosso, seizing assets and valuables.
The investigation into the Grandoreiro operation began following a report from Spain-based Caixa Bank, which identified that the programmers and operators of the banking malware were in Brazil. The criminals used cloud servers to host the infrastructure used in the Grandoreiro malware campaigns.
“According to Caixa Bank, in addition to the damage caused, it was identified that there were fraud attempts using Brazilian banking malware that would amount to €110 million in losses,” the police said.
Slovak company ESET, which helped Brazilian law enforcement investigate the case, was able to get a glimpse of the victimology by taking advantage of how Grandoreiro implements its network protocol.
“Grandoreiro's C&C servers give away information about victims connected at the time of the initial request made to each newly connected victim,” the researchers wrote.
An analysis showed that 66% of victims were Windows 10 users, 13% used Windows 7, Windows 8 represented 12%, and 9% were Windows 11 users. In terms of geographical distribution, Spain accounted for 65% of all victims, followed by Mexico with 14%, Brazil with 7%, and Argentina with 5%. The remaining 9% of victims were located in other Latin American countries.