Despite a takedown in January, the Grandoreiro Banking Trojan has resurfaced with improved encryption and domain name generation, spreading through phishing campaigns targeting over 1,500 banks globally. The new campaigns feature updated techniques, such as using Microsoft Outlook clients to propagate phishing emails, and have expanded beyond Latin America to countries like Spain, Japan, the Netherlands, and Italy. The Trojan's comeback followed the arrest of five individuals linked to its development and deployment, with recent campaigns impersonating government entities to trick users into downloading malicious attachments.

Grandoreiro Banking Trojan reappears with better encryption and domain name generator

The malware employs sophisticated string decryption and domain generation algorithms, targeting various banking applications worldwide and establishing persistence through Windows registry keys. The resurgence of Grandoreiro signals a strategic shift in its reach, indicating a concerted effort to evade law enforcement actions and expand its financial fraud operations globally.
https://www.bankinfosecurity.com/grandoreiro-banking-trojan-reappears-after-january-takedown-a-25273