Brazilian police bust Grandoreiro banking malware gang, arresting suspects behind €3.6 million cyber heist.

January 30, 2024

TLDR:

Brazilian police have arrested suspects involved in a banking fraud scheme built on the Grandoreiro banking malware. The group targeted victims in Brazil, Mexico, and Spain and is suspected of stealing €3.6 million since 2019. The investigation began with information from Caixa Bank in Spain, which identified that the malware's developers and operators were located in Brazil. Researchers at ESET, a Slovakia-based security company, provided data that helped Brazilian law enforcement identify the accounts used to host the malware's network infrastructure. Grandoreiro is one of several Latin American banking trojans and has been infecting Windows systems since at least 2017. The malware lets its operators log keystrokes, simulate mouse activity, block and share the victim's screen, and display fake pop-up windows. Previous reports suggested that Grandoreiro was operated by Brazilian cybercrime groups that rented access to other gangs, but ESET disputes the rental claim.

Brazilian police have disrupted a criminal group using the Grandoreiro banking malware to carry out a banking fraud scheme. The group is suspected of robbing victims of €3.6 million ($3.9 million) since 2019. The malware was used to target victims in Brazil, Mexico, and Spain. Researchers from ESET assisted Brazilian law enforcement in the investigation, which began with information provided by Caixa Bank in Spain. The police executed multiple arrest and search warrants across different states in Brazil. ESET researchers found that the malware’s operators had used cloud providers like Azure and AWS to host their network infrastructure.

The Grandoreiro malware has been infecting Windows systems since at least 2017, according to ESET. Its operators have shifted focus between countries over the years: Spain was targeted between 2020 and 2022, while Mexico and Argentina became the main focus in 2023. In a recent campaign, the attackers sent phishing emails disguised as court subpoenas or invoices to gain access to victims' devices. Once installed, the malware can log keystrokes, simulate mouse activity, block and share the victim's screen, and display fake pop-up windows. The information it collects includes the victim's username, operating system, screen resolution, and bank codes.

There have been previous claims that Grandoreiro was the work of Brazilian cybercrime groups that rented out access to other criminal gangs. ESET disputes this rental model, noting that the malware's server backend does not allow simultaneous activity from multiple operators. The malware is constantly evolving, with new features added almost every week, which makes it difficult to track and combat.
