

The Grandoreiro banking trojan, which targets more than 1,500 banks worldwide, has re-emerged after a law enforcement takedown in January 2024. The renewed campaign delivers phishing across more than 60 countries and is run under a malware-as-a-service model. The malware itself has been substantially reworked, with stronger encryption and a new domain generation algorithm (DGA) for locating its command-and-control infrastructure.
The infection chain starts with a phishing email that leads the victim to download a loader. The loader is built to slip past anti-malware scanning and checks whether it is running in a sandbox before doing anything further. Once installed, Grandoreiro establishes persistence on the host, connects to a command-and-control server, and can manipulate files and data. A notable addition is its ability to drive the victim's own Microsoft Outlook client to send further phishing emails: because the messages leave a legitimate mailbox through a legitimate client, they are far less likely to trigger the alerts that would catch mail sent from attacker-controlled infrastructure.
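The Outlook abuse described above sidesteps gateway-side checks because the mail genuinely originates from the victim's mailbox, so detection has to come from behaviour on the endpoint instead. The following Python heuristic is an added example written for this page (it is not Grandoreiro's code and not any vendor's detection rule): it runs over constructed endpoint telemetry and flags a mailbox either when the process driving the send is not the Office installation itself, or when the mailbox's send rate or recipient fan-out over a short window looks like mass-mailing. The log field layout, the trusted-path list and the thresholds are assumptions chosen for illustration.

```python
"""Added example for this page: a sliding-window heuristic for spotting a local
Outlook client being used to mass-mail phishing. Not Grandoreiro's code and not
a vendor rule; event format, trusted paths and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed install prefixes for a legitimate Office client (compared lower-cased).
TRUSTED_PREFIXES = (
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
)

OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

# Constructed sample telemetry, not real data. Assumed record layout:
#   ISO-timestamp|mailbox|originating process|recipient1;recipient2;...
# alice: normal use; carol: send driven by a binary under AppData;
# bob: twelve messages in twelve minutes, each to three fresh recipients.
SAMPLE_LOG = [
    f"2024-05-20T09:00:00|alice@example.com|{OUTLOOK}|dave@example.com",
    f"2024-05-20T09:04:00|alice@example.com|{OUTLOOK}|erin@example.com;frank@example.com",
    "2024-05-20T09:08:00|carol@example.com|C:\\Users\\carol\\AppData\\Roaming\\svc\\host.exe|gina@example.com",
] + [
    f"2024-05-20T09:{10 + i:02d}:00|bob@example.com|{OUTLOOK}|"
    f"r{3 * i}@example.net;r{3 * i + 1}@example.net;r{3 * i + 2}@example.net"
    for i in range(12)
]


def parse_event(line):
    """Split one assumed-format record into (timestamp, mailbox, process, recipients)."""
    ts, mailbox, proc, rcpts = line.split("|")
    return datetime.fromisoformat(ts), mailbox, proc, [r for r in rcpts.split(";") if r]


def detect_outlook_abuse(lines, window=timedelta(minutes=10), max_msgs=10, max_recipients=25):
    """Return a list of (alert_kind, mailbox, detail) tuples.

    Two signals, both assumptions about what is worth alerting on:
      * untrusted_sender_process: the send was driven by something other than
        the Office installation (e.g. a binary dropped under the user's profile).
      * send_burst: within `window`, one mailbox exceeded `max_msgs` messages or
        `max_recipients` distinct recipients. Raised once per mailbox.
    """
    alerts = []
    recent = defaultdict(deque)  # mailbox -> deque of (timestamp, recipients)
    burst_seen = set()
    for line in lines:
        ts, mailbox, proc, rcpts = parse_event(line)

        if not proc.lower().startswith(TRUSTED_PREFIXES):
            alerts.append(("untrusted_sender_process", mailbox, proc))

        q = recent[mailbox]
        q.append((ts, rcpts))
        # Drop events that have aged out of the window (input assumed time-ordered).
        while q and ts - q[0][0] > window:
            q.popleft()

        msgs = len(q)
        distinct = {r for _, rs in q for r in rs}
        if mailbox not in burst_seen and (msgs > max_msgs or len(distinct) > max_recipients):
            burst_seen.add(mailbox)
            alerts.append(
                ("send_burst", mailbox, f"{msgs} messages to {len(distinct)} recipients within {window}")
            )
    return alerts


if __name__ == "__main__":
    for kind, mailbox, detail in detect_outlook_abuse(SAMPLE_LOG):
        print(f"{kind:26} {mailbox:20} {detail}")
```

On the constructed input this yields two alerts: carol's mailbox for the sender process under AppData, and bob's mailbox once the recipient fan-out crosses 25 (at the ninth message, before the message-count threshold is reached). Thresholds should be tuned against a baseline of the organisation's own sending patterns; a shared mailbox or a legitimate bulk sender would otherwise trip the burst rule.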