The international organization arrested, in Brazil, five members of the gang that used phishing to steal data and empty bank accounts
Trend Micro, a world leader in cybersecurity solutions, collaborated with Interpol in the operation that resulted in the arrest of five Brazilian programmers and operators of the Grandoreiro banking trojan. The international organization's Cybercrime Unit took action after being called in by the Brazilian and Spanish federal police. Court orders to seize and freeze assets and valuables were also executed, with the aim of stripping the criminal structure of its capital and recovering the stolen funds.
Grandoreiro first appeared in 2018 and is delivered via phishing emails containing malicious attachments or links that impersonate legitimate organizations, such as banks or other financial institutions, to trick users into downloading or running the malware. Once installed on the system, Grandoreiro behaves like a typical banking trojan: it actively monitors the foreground window and web browser processes for activity related to online banking, with the aim of stealing credentials. When it finds a match, it begins communicating with its Command and Control (C&C) servers.
With full control of the session, the criminals empty the victims' bank accounts, diverting the stolen funds to a network of money mules (“oranges”) that launders the money before transferring it to Brazil. It is estimated that the group embezzled more than 3.5 million euros. However, according to the Spanish bank CaixaBank, the loss could have reached 110 million euros if the gang had not been dismantled. The financial institution was the one that identified that the operators of the banking trojan were in Brazil.
During the investigation, Trend Micro discovered that Grandoreiro used domain generation algorithms (DGAs) for its C&C communications. To learn more, Trend Micro enumerated every possible domain from the lists of strings and subdomains found across multiple samples. As a result, more than 4 thousand DGA domains were generated, providing valuable information for locating the C&C servers used by the gang.
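As an added example, not code from this article or from Trend Micro's own tooling, the Python below sketches the defender-side step just described: combining subdomain labels and base domains recovered from samples into a candidate C&C list, then matching that list against resolver logs to spot infected hosts. Every label, domain and log line is constructed, and the label-plus-base combination is a hypothetical stand-in, not Grandoreiro's actual DGA.

```python
import itertools
import re

# Constructed inputs standing in for strings pulled from several samples.
# They are NOT real Grandoreiro indicators, and combining a label with a
# base domain is a hypothetical stand-in for the trojan's actual DGA.
SAMPLE_SUBDOMAIN_LABELS = ["upd", "srv", "cdn"]
SAMPLE_BASE_DOMAINS = ["example-one.test", "example-two.test"]

# Constructed resolver log lines in the form "<timestamp> <client> query <qname>".
SAMPLE_DNS_LOG = [
    "2023-03-01T10:00:00Z 10.0.0.5 query upd.example-one.test.",
    "2023-03-01T10:00:01Z 10.0.0.5 query www.python.org.",
    "2023-03-01T10:00:02Z 10.0.0.7 query SRV.Example-Two.test",
    "this line is malformed and must be skipped",
]

DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def normalize(domain):
    # Lower-case and drop the trailing dot so log names compare exactly.
    return domain.lower().rstrip(".")


def enumerate_candidates(labels, bases):
    # Expand every label/base pair into one normalized candidate C&C domain.
    return {normalize(f"{label}.{base}") for label, base in itertools.product(labels, bases)}


def match_dns_log(lines, candidates):
    # Return (timestamp, client, qname) for each query that hits a candidate;
    # malformed lines are skipped so a partial log still yields its hits.
    hits = []
    for line in lines:
        match = DNS_LOG_RE.match(line)
        if match is None:
            continue
        qname = normalize(match.group("qname"))
        if qname in candidates:
            hits.append((match.group("ts"), match.group("client"), qname))
    return hits


def run_demo():
    # Build the candidate set from the constructed samples and scan the log.
    candidates = enumerate_candidates(SAMPLE_SUBDOMAIN_LABELS, SAMPLE_BASE_DOMAINS)
    return candidates, match_dns_log(SAMPLE_DNS_LOG, candidates)
```

Against real samples the candidate set would be fed from string extraction rather than literals, and the matches would be the hosts to isolate and the domains to sinkhole.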
Threat intelligence data from January to April 2023 reveals that Argentina had the highest number of Grandoreiro-related detections, with 1,118 records, followed by Turkey with 322 detections and Mexico with 265 cases.
Cooperation with Interpol
Trend Micro has been cooperating with international authorities for a long time now. Partnering with law enforcement agencies and the private sector gives security organizations and industry experts the opportunity to share knowledge and resources, strengthening the cybercrime-fighting arsenal so that malicious groups can be dismantled effectively.
Trend Micro's recent cooperation with Interpol has resulted in several successful crackdowns in recent years: the dismantling of a hacker gang specializing in Phishing as a Service (PaaS) scams during the operations called “African Cyber Surge I and II”, in 2022 and 2023; Operation Killer Bee, carried out in collaboration with authorities from 11 countries in South Asia; and the capture of members of the REvil and Cl0p gangs as part of Operation Cyclone, in 2021.