Kaspersky’s Global Research and Analysis Team (GReAT) has identified a new, lighter variant of the Grandoreiro banking trojan, which has now expanded its operations to include targets in Asia and Africa.
Despite law enforcement efforts, including a major INTERPOL-coordinated arrest of key operators earlier this year, the malware continues to pose a global financial threat.
This new variant is part of a fragmented version of the original Grandoreiro trojan, with attacks aimed at financial institutions in over 45 countries. As of 2024, the threat targets more than 1,700 financial institutions and 276 cryptocurrency wallets, with the latest additions being regions in Asia and Africa, including countries such as South Africa, Nigeria, Kenya, and Ghana.
Mexico remains a major hotspot for the trojan’s activity, with over 51,000 recorded incidents this year, and approximately 30 Mexican banks targeted by the new light version. Grandoreiro variants now account for about 5% of global banking trojan attacks, making it one of the most active financial malware threats in 2024.
According to Kaspersky, Grandoreiro’s code has been split into smaller, more lightweight versions, allowing its operators to continue their malicious campaigns. Fabio Assolini, head of Kaspersky’s Latin American GReAT, explains, “These fragmented versions represent a growing trend, and we expect them to reach beyond Latin America. Unlike traditional Malware-as-a-Service models, Grandoreiro is more exclusive, limiting access to trusted affiliates.”
In addition to evolving its structure, the Grandoreiro trojan has adopted advanced techniques to avoid detection. The malware simulates natural mouse movements to deceive anti-fraud systems and has introduced a cryptographic method known as Ciphertext Stealing (CTS) to encrypt malicious code, making it harder for security tools to detect.
Kaspersky’s experts recommend that organizations, particularly those in the financial sector, adopt a “Default Deny” policy to limit access to critical systems and train employees to identify phishing threats. For individual users, Kaspersky advises caution when opening suspicious emails or links and recommends using trusted security solutions, such as Kaspersky Premium, to safeguard digital assets.
As the global threat of Grandoreiro continues to evolve, Kaspersky will share further insights at the Security Analyst Summit (SAS) 2024.