Trend Micro Inc.

04/24/2024 | News release | Distributed by Public on 04/24/2024 01:00

Trend Micro Collaborated with Interpol in Cracking Down on Grandoreiro Banking Trojan

In April 2023, the International Criminal Police Organization (Interpol) requested any indicators of compromise (IOCs) or information related to the banking trojan Grandoreiro, specifically regarding its command-and-control (C&C) servers. Grandoreiro has evolved with new features and capabilities since it first appeared around 2018, and has been primarily targeting users in Latin America and Europe. Trend Micro was one of the partners involved in Interpol's operation to help Brazilian and Spanish law enforcement agencies (LEAs) analyze Grandoreiro malware samples as part of their national cybercrime investigations. The Interpol-coordinated operation resulted in the arrest of five administrators behind a Grandoreiro operation, as announced by the Brazilian authorities.

Grandoreiro spreads through phishing emails, malicious attachments, or links leading to fake websites. These emails often impersonate legitimate organizations, such as banks or financial institutions, to trick users into downloading and executing the malware. Once installed on a victim's system, Grandoreiro operates as a typical banking trojan, aiming to steal sensitive financial information. Over time, Grandoreiro has undergone various updates and modifications, enhancing its evasion and obfuscation techniques to avoid detection by antivirus software and other security measures.

Trend's Contributions

Here is a summary of Trend's contributions to the operation:

  • Trend threat intelligence data from January to April 2023 showed that Argentina recorded the highest number of detections related to Grandoreiro with 1,118 detections, followed by Turkey with 322 detections, and Mexico with 265 detections (Figure 1).