Kaspersky Unveils New Grandoreiro Banking Trojan Targeting Mexico as Global Threat Expands



Devdiscourse News Desk | Johannesburg | Updated: 23-10-2024 19:15 IST | Created: 23-10-2024 19:15 IST
Country: South Africa

Kaspersky’s Global Research and Analysis Team (GReAT) has identified a new, lighter version of the Grandoreiro banking trojan, primarily targeting around 30 banks in Mexico. Despite key operators' arrests earlier this year, the trojan continues to pose a significant threat globally, accounting for 5% of banking trojan attacks in 2024. The findings will be presented at the Security Analyst Summit (SAS) 2024 in Bali.

Grandoreiro, first detected in 2016, remains one of the most dangerous financial cyber threats. Its variants have targeted over 1,700 financial institutions and 276 cryptocurrency wallets across 45 countries, with recent attacks expanding to Asia and Africa. Notably, countries such as Nigeria, Kenya, South Africa, and Ghana have seen incidents involving the malware.

A notable aspect of the malware’s evolution is its fragmentation into lighter, harder-to-detect versions. Kaspersky experts believe access to the source code is limited to trusted affiliates rather than widely distributed through typical "Malware-as-a-Service" models. The new light version, found in Mexico, showcases the group’s ability to adapt and persist despite setbacks.

This variant not only evades detection by replaying natural user behaviours like mouse movements but also employs an encryption technique known as Ciphertext Stealing (CTS) – a first in malware use – to hide malicious code. These advancements make detection and analysis of the malware more difficult.

Fabio Assolini, head of Latin America’s GReAT at Kaspersky, emphasized that the development of lighter versions may represent a broader trend that could affect regions beyond Latin America.

To mitigate these threats, Kaspersky advises institutions to implement strict cybersecurity measures such as a Default Deny policy for critical user profiles, staff training on phishing detection, and the use of advanced protection solutions. Individuals are also urged to be cautious with unfamiliar links, use reliable security software, and ensure all applications are from trusted sources.

Further analysis and insights will be shared at Kaspersky’s sixteenth Security Analyst Summit, taking place from October 22-25, 2024, in Bali.
