Banking malware alert: Kaspersky warns over 'Grandoreiro Trojan'

The malware, active since 2016, remains one of the most widespread threats to financial institutions worldwide, says Kaspersky

Gulf Business

Cybersecurity firm Kaspersky says it has identified a new, lighter version of the Grandoreiro banking trojan, a type of malware designed to steal banking information from infected devices.

Kaspersky’s Global Research and Analysis Team (GReAT) says this variant has targeted users in Mexico, focusing on approximately 30 financial institutions. Kaspersky will highlight the findings at the Security Analyst Summit (SAS) 2024.

Grandoreiro, active since 2016, remains one of the most widespread threats to financial institutions worldwide. In 2024 alone, it impacted users of more than 1,700 banks and 276 cryptocurrency wallets across 45 countries, recently adding Asia and Africa to its targets. Despite the arrests of key operators earlier this year, new Grandoreiro campaigns continue to emerge.

The newly detected version of Grandoreiro targets users in Mexico, which has recorded 51,000 incidents this year linked to the malware. Kaspersky suggests that only trusted affiliates have access to Grandoreiro’s source code, enabling them to develop these new, smaller versions to bypass security measures.

Data from Kaspersky indicates that Grandoreiro accounts for about five per cent of global banking trojan attacks in 2024. The malware uses techniques to evade detection, including simulating human-like mouse movements to deceive machine-learning security tools. In addition, the trojan now employs Ciphertext Stealing (CTS), a cryptographic method that hides its malicious code, making it harder to detect and analyse.

Fabio Assolini, head of GReAT for Latin America at Kaspersky, notes that these developments show how Grandoreiro continues to evolve. Unlike typical banking trojans, Grandoreiro is not sold as a ‘Malware-as-a-Service’ and does not appear on underground forums, making it accessible only to a limited group of trusted users.

“All the recent developments underscore the evolving nature of the threat. Fragmented and lighter versions may represent a trend that could extend beyond Mexico and into other regions, including beyond Latin America,” says Assolini.

“However, we believe that only some trusted affiliates have access to the malware source code to develop such lighter versions. Grandoreiro operates differently from the traditional Malware-as-a-Service model we are accustomed to. You won’t find announcements on underground forums selling the Grandoreiro package; instead, access to it appears to be limited,” explains Assolini.

 



© 2021 MOTIVATE MEDIA GROUP. ALL RIGHTS RESERVED.
