Brazilian federal police officers participate in a sting of the Grandoreiro cybercrime operation. Image: gov.br

Brazilian police make arrests in Grandoreiro banking malware case

Brazilian police said they disrupted the operation of a criminal group responsible for a banking fraud scheme suspected of robbing its victims of €3.6 million ($3.9 million) since 2019.

The criminals used banking malware called Grandoreiro to target victims in Brazil, Mexico and Spain, according to researchers at the Slovakia-based company ESET, who helped Brazilian law enforcement investigate the case.

The police said they executed five temporary arrest warrants and 13 search and seizure warrants on Tuesday in the states of São Paulo, Santa Catarina, Pará, Goiás and Mato Grosso.

The investigation into the Grandoreiro operation started with information provided by one of the gang's targets, Caixa Bank in Spain. Investigators then identified that the developers and operators of the malware were located in Brazil.

Grandoreiro’s operators have abused cloud providers such as Azure and AWS to host their network infrastructure, according to ESET. The researchers provided police with data that helped identify the accounts responsible for setting up these servers.

Grandoreiro is one of many Latin American banking trojans, which also include Mekotio and Vadokrist. The malware has been infecting Windows systems since at least 2017, according to ESET. Between 2020 and 2022, Spain was the group’s main target; however, in 2023, the hackers switched their focus towards Mexico and Argentina.

In 2021, Spanish police arrested 16 suspects on charges of laundering funds stolen through Mekotio and Grandoreiro. The suspects reportedly received more than €275,000 ($298,000) from bank accounts compromised with the help of the two malicious tools.

In the latest Grandoreiro attack, the hackers sent phishing emails disguised as court subpoenas or invoices to gain access to the victims’ devices, the police said.

Once inside the system, Grandoreiro malware can track keyboard inputs, simulate mouse activity, block and share the victim’s screen, and display fake pop-up windows.

The information that can be obtained from a Grandoreiro victim includes their username, device operating system, the time the infected computer has been running, screen resolution of the main monitor, as well as the bank code name.

The malware can detect web browser processes related to banking activities, such as when the victim visits a bank’s website. It then initiates communication with the criminals’ command and control (C2) servers.
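The sequence just described (a browser displays a banking site, then a process that is not the browser starts talking to a remote server) is the kind of behaviour an endpoint correlation rule can surface. The following is an added example, not code from ESET, the Brazilian police or the article; it runs a toy rule over a few constructed endpoint telemetry lines. The log format, the process names, the title keywords and the 30-second window are all assumptions a defender would replace with their own telemetry and tuning.

```python
"""Toy correlation rule (added example, not from the article):
flag a non-browser process that opens an outbound connection shortly
after a browser window with a banking-site title appears."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed process names and title keywords; tune these to your environment.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
BANK_TITLE_HINTS = ("bank", "banco", "caixa")
# Processes a site would allowlist after triage (constructed placeholder list).
ALLOWLISTED = {"outlook.exe"}
WINDOW = timedelta(seconds=30)


@dataclass
class Event:
    ts: datetime
    kind: str       # "window_title" or "net_connect"
    process: str
    detail: str     # window title, or "ip:port" for a connection


def parse_line(line: str) -> Event:
    """Parse one constructed telemetry line: ts|kind|process|detail."""
    ts, kind, process, detail = line.split("|", 3)
    return Event(datetime.fromisoformat(ts), kind, process, detail)


def find_suspicious(lines):
    """Return (process, destination, bank_window_title) tuples for every
    non-browser outbound connection made within WINDOW of a banking window."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    last_bank_view = None
    for e in events:
        proc = e.process.lower()
        if e.kind == "window_title" and proc in BROWSERS \
                and any(h in e.detail.lower() for h in BANK_TITLE_HINTS):
            last_bank_view = e          # remember the most recent banking view
        elif (e.kind == "net_connect" and proc not in BROWSERS
                and proc not in ALLOWLISTED and last_bank_view is not None
                and e.ts - last_bank_view.ts <= WINDOW):
            alerts.append((e.process, e.detail, last_bank_view.detail))
    return alerts


# Constructed sample telemetry. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges; "updater.exe" is a made-up process name.
SAMPLE_LOG = [
    "2024-01-30T10:00:00|window_title|chrome.exe|Caixa Bank - Online Banking",
    "2024-01-30T10:00:12|net_connect|updater.exe|203.0.113.10:443",
    "2024-01-30T10:00:15|net_connect|chrome.exe|198.51.100.7:443",
    "2024-01-30T10:00:20|net_connect|outlook.exe|198.51.100.9:443",
    "2024-01-30T10:05:00|net_connect|updater.exe|203.0.113.10:443",
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print("suspicious:", alert)
```

Only the connection twelve seconds after the banking window is flagged; the browser's own traffic, the allowlisted mail client and the same process connecting five minutes later are ignored. In a real environment this rule is noisy on its own and is best used to raise a hunting lead that is then enriched with the connecting process's signature, parent and file age.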

The malware undergoes “rapid and constant development,” ESET said, with several new features appearing almost every week, making it difficult to keep track.

Previously, researchers claimed that Grandoreiro was the work of Brazilian cybercrime groups that rented access to their tools to other gangs responsible for distributing the trojan and laundering funds. ESET disputes that, stating that the Grandoreiro C2 server backend does not allow more than one operator to be active at the same time.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.