ESET Research joins global operation to disrupt the Grandoreiro banking trojan operating in Latin America and Spain

Next story
  • ESET worked alongside the Federal Police of Brazil in an attempt to disrupt the Grandoreiro botnet.
  • ESET contributed to the project by providing technical analysis, statistical information, and known command and control (C&C) server domain names and IP addresses.
  • This disruption operation was aimed at individuals who are believed to be high up in Grandoreiro’s operational hierarchy.
  • Further investigation performed by the Federal Police of Brazil led to the identification and arrest of the individuals in control of the botnet.
  • Grandoreiro has been active since at least 2017.
  • Grandoreiro targets Brazil, Mexico, Spain, and Argentina.
  • Grandoreiro can block a victim’s screen, log keystrokes, simulate mouse and keyboard activity, share the victim’s screen, and display fake pop-up windows.

ESET collaborated with the Federal Police of Brazil in an attempt to disrupt the Grandoreiro botnet. ESET contributed to the project by providing technical analysis, statistical information, and known command and control (C&C) server domain names and IP addresses. Due to a design flaw in Grandoreiro’s network protocol, ESET researchers were also able to get a glimpse into the victimology.

This disruption operation was aimed at individuals who are believed to be high up in Grandoreiro’s operational hierarchy. The investigation by the Federal Police of Brazil led to multiple arrests. ESET researchers provided data crucial to identifying the accounts responsible for setting up and connecting to the Grandoreiro C&C servers.

Grandoreiro is one of many Latin American banking trojans. It has been active since at least 2017, and ESET researchers have been closely tracking it since then. Grandoreiro targets Brazil, Mexico, Spain, and, since 2023, Argentina.

Functionality-wise, Grandoreiro hasn’t changed very much since the last ESET Research blog post about the group in 2020. Despite that, Grandoreiro has been undergoing rapid and constant development. Occasionally, we even observed several new builds a week; for example, this has amounted to a new version on average every four days between February 2022 and June 2022.

The operator still has to interact manually with the compromised machine in order to steal a victim’s money. The malware allows the following actions:

  • Blocking victims’ screens
  • Logging keystrokes
  • Simulating mouse and keyboard activity
  • Sharing the victims’ screen(s)
  • Displaying fake pop-up windows

“ESET automated systems have processed tens of thousands of Grandoreiro samples. The domain generation algorithm (DGA) that the malware has used since around October 2020 produces one main domain per day, and it is the only way Grandoreiro is able to establish connection to a C&C server. Beside the current date, the DGA accepts a huge static configuration as well,” says ESET Researcher Jakub Souček, who coordinated the team that analyzed Grandoreiro and other Latin American banking trojans. “Grandoreiro is similar to other Latin American banking trojans mainly via its obvious core functionality and in bundling its downloaders within MSI installers.”

Grandoreiro’s implementation of its network protocol allowed ESET researchers to take a peek behind the curtain and get a glimpse of the victimology. Grandoreiro’s C&C servers give away information about victims connected at the time of the initial request made to each newly connected victim. By examining this data for more than a year, we conclude that 66% were Windows 10 users, 13% used Windows 7, Windows 8 represented 12%, and 9% were Windows 11 users. Since Grandoreiro reports unreliable geographical distribution of its victims, we refer to ESET telemetry: Spain accounts for 65% of all victims, followed by Mexico with 14%, Brazil with 7%, and Argentina with 5%; the remaining 9% of victims are located in other Latin American countries. We also note that in 2023, we saw a significant decrease of Grandoreiro’s activity in Spain, compensated with increased campaigns in Mexico and Argentina.

For more technical information about Grandoreiro, check out the blog post “ESET takes part in global operation to disrupt the Grandoreiro banking trojan” on WeLiveSecurity. Make sure to follow ESET Research on Twitter (currently known as X) for the latest news from ESET Research.

About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedInFacebook, and X.