At the Security Analyst Summit (SAS) 2024, Kaspersky's Global Research and Analysis Team (GReAT) revealed a remarkable discovery: a Lite version of the Grandoreiro malware is targeting around 30 banks in Mexico.
Grandoreiro is currently one of the top threats in the banking security space, having targeted more than 1,700 banks and accounting for 5% of all banking trojan attacks globally this year.
Mexico is one of the hardest hit countries, with over 51,000 attacks involving Grandoreiro variants, including the aforementioned Lite version.
According to cybersecurity experts, cybercriminals have split Grandoreiro's source code into lightweight trojan versions (trojans being malware disguised as useful software or applications) in order to deploy new attack campaigns.
“When you look at all the malware that has been developed recently, it is not difficult to see that the threat landscape is becoming increasingly complex. The lightweight versions could signal a trend of attacks spreading outside of Latin America,” explains Fabio Assolini, head of Kaspersky’s Global Research and Analysis Team (GReAT) for Latin America.
Different variants of Grandoreiro, including the original malware and the Lite version, accounted for about 5% of the global banking trojan attacks detected by Kaspersky in 2024. This shows that the Grandoreiro family has become one of the most powerful threats worldwide.
Since 2024, Kaspersky has also analyzed new variants of the Grandoreiro malware and found that the criminals behind it are applying many new attack tactics.
For example, the malware records mouse activity and replays it to mimic a real user's behavior patterns, in order to bypass security systems that rely on machine-learning behavioral analysis.
By simulating the natural movements of a real user moving a computer mouse, the malware can “trick” anti-phishing tools that look for unusual behavior on the system.
Additionally, Grandoreiro uses an encryption technique that cybersecurity experts have not encountered in previous malware, making its attacks harder to detect and analyze.
According to data from Kaspersky, the Grandoreiro malware has been active since 2016.
By 2024, the threat had targeted more than 1,700 financial institutions and 276 cryptocurrency wallets across 45 countries and territories.
Most recently, Asia and Africa have been added to Grandoreiro's target list; Grandoreiro has become a truly global financial threat.