The nation’s internet police has alerted that 41 banking apps in Nigeria have been infected by the raging Grandoreiro banking malware that has hit over 1500 banks worldwide.
The Nigerian Cyber Emergency Response Team (ngCERT) alerted at the weekend that the Grandoreiro banking trojan is sophisticated malware operating as malware-as-a-service (MaaS) that is known to cause severe consequences, including banking fraud, according to an urgent warning issued by the Nigerian cyber police.
Nigeria’s ngCERT, which is under the Office of National Security Adviser, led by Mallam Nuhu Ribadu, the National Security Adviser, “was established with a mission to manage the risks of cyber threats in the Nigeria’s cyberspace and effectively coordinate incident response and mitigation strategies to proactively prevent cyber-attacks against Nigeria,” according to the internet police.
The raging Grandoreiro banking trojan is keeping cybersecurity authorities on their toes after the malware has now targeted over 1,500 banks in over 60 countries, including Nigeria, and others across Africa, Central and South America, Europe, and the Indo-Pacific.
“Grandoreiro,” ngCERT warns in an advisory seen by Technology Times, “a multi-component banking trojan that runs as Malware-as-a-Service (MaaS), is targeting more than 1,500 banks globally. According to reports, the malware has infected banking applications and websites in more than 60 countries, including Central and South America, Africa, Europe, and the Indo-Pacific.”
The Nigerian cyber police underscored the scale of the raging malware when it disclosed that “Investigation further revealed that the malware has infected more than 41 banking applications in Nigeria.”
ngCERT did not reveal the identity of the banking applications in Nigeria that have been affected, but it warns network and system administrators and device users to put in place safeguards “to prevent likely attacks.”
According to ngCERT, “Cybercriminals could use the software to gather sensitive financial data, potentially resulting in financial losses.”
Nigeria’s ngCERT said a new variant of the Grandoreiro banking trojan now “includes significant changes such as string decryption and DGA calculations, allowing at least 12 different C2 domains per day.”
Grandoreiro extends its new attack chain by obtaining email addresses from affected hosts and delivering higher grades of phishing attempts through the Microsoft Outlook client.
“The Grandoreiro banking trojan is spread through large-scale phishing campaigns, where threat actors send emails impersonating government entities and financial institutions. These emails entice recipients to click on links to view documents or notices such as account statements, make payments, leading to the download of a ZIP file containing a loader executable. The loader is designed to evade antivirus detection by inflating its size and presenting a CAPTCHA to distinguish real users from automated systems,” ngCERT explained.
“Once executed, the loader checks the environment to avoid sandboxes or unprotected Windows 7 machines and collects victim data such as computer and user names, operating system version, antivirus name, public IP address, and running processes. This information is encrypted and sent to a command and control (C2) server. The malware also checks for Microsoft Outlook clients, crypto wallets, and specific banking products,” according to the Nigerian cyber police.
To ensure persistence, ngCERT further said that “the malware modifies the Windows registry and uses a Domain Generation Algorithm (DGA) for C2 communication.”
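The DGA behaviour ngCERT describes (at least 12 fresh C2 domains per day) gives defenders a rate-based signal to hunt for in DNS resolver logs. The following is an added example, not code from ngCERT or from the article: a Python heuristic that flags hosts resolving an unusually large number of random-looking registrable domains within one day. The log format, the entropy and vowel-ratio thresholds, and the sample domain names are assumptions constructed for the example; Grandoreiro's own DGA is not reproduced.

```python
import math
import re
from collections import Counter, defaultdict

# Heuristic thresholds: assumptions for this example, not values from ngCERT's advisory.
MIN_LABEL_LEN = 8        # labels shorter than this are not scored
MIN_ENTROPY = 3.0        # Shannon entropy, bits per character of the label
MAX_VOWEL_RATIO = 0.25   # machine-generated labels tend to be vowel-poor
DAILY_THRESHOLD = 12     # ngCERT: "at least 12 different C2 domains per day"

# Constructed log format: "<ISO timestamp> <client IP> <queried name>" (not a real resolver's format).
LOG_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+(?P<client>\S+)\s+(?P<qname>\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character of s's character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(qname: str) -> str:
    """Second-level label ('xk3q9zv1b7tp' for 'a.xk3q9zv1b7tp.net'); no public-suffix handling (assumption)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_dga(label: str) -> bool:
    """High-entropy, vowel-poor label: random-looking rather than a dictionary name."""
    if len(label) < MIN_LABEL_LEN:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= MIN_ENTROPY and vowel_ratio <= MAX_VOWEL_RATIO

def flag_clients(log_text: str, threshold: int = DAILY_THRESHOLD) -> dict:
    """Map (client, day) -> sorted distinct DGA-like names, only for pairs at or above threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        if looks_dga(registrable_label(m["qname"])):
            seen[(m["client"], m["day"])].add(m["qname"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

# Constructed sample: 10.0.0.7 resolves 12 random-looking .net names on 2024-05-20; 10.0.0.5 does not.
_DGA_LABELS = ("xk3q9zv1b7tp q7wzr4nhy2km tz5pbv8cxrjn m9hq2lsfw6gd vb4ztxk7pqmr r8ndjyw3kcvl "
               "gxp5zthm2wqn lk6bzvq9rtfj dz3mxwj7hpkq cw2vtqzr5bnx hj9kxmzp4tlw nq7gvzxb3rdk").split()
SAMPLE_DNS_LOG = "\n".join(
    ["2024-05-20T08:01:02 10.0.0.5 www.microsoft.com",
     "2024-05-20T08:01:09 10.0.0.5 outlook.office365.com",
     "2024-05-20T08:03:40 10.0.0.5 xk3q9zv1b7tp.net",       # one hit, below threshold
     "2024-05-21T09:10:00 10.0.0.7 q7wzr4nhy2km.net"]       # next day, counted separately
    + [f"2024-05-20T08:{i:02d}:15 10.0.0.7 {lab}.net" for i, lab in enumerate(_DGA_LABELS)])
```

Running flag_clients(SAMPLE_DNS_LOG) returns only the (10.0.0.7, 2024-05-20) pair with its 12 names; tune the thresholds against your own baseline, since legitimate CDN and telemetry hostnames can also score as random-looking.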
After this is done, the malware “harvests email addresses from Outlook, sending further phishing emails from the victim’s account after disabling Outlook alerts. It avoids collecting certain email addresses like those with ‘noreply’ or ‘newsletter’ and scans victim folders for files with specific extensions to find more addresses. The malware sends spam emails based on templates from its C2 server, ensuring the emails are sent when the user is inactive for a certain period, and immediately deletes all the sent emails from the victim’s mailbox.”
The ngCERT further underscored the severity of Grandoreiro when it warned that “besides its banking trojan capabilities, the malware allows cybercriminals to control the infected computer, perform keylogging, manage windows and processes, open a browser and execute Javascript, upload or download files, and send emails.”
When successfully installed, ngCERT said, the Grandoreiro banking malware, which can spread further through infected victims’ inboxes via email, compromises systems and banking applications, leading to sensitive data exfiltration and a risk of financial fraud on compromised systems. Beyond that, compromised systems also risk invasion of privacy, identity theft, and denial of service (DoS) attacks.
Grandoreiro mitigation measures
To protect against this threat, ngCERT recommends the following steps for system administrators and users:
Avoid opening suspicious emails that prompt downloads or request sensitive information.
Verify the sender’s authenticity before clicking links or downloading attachments.
Only download software from official websites and direct download links.
Use official update functions provided by software developers to keep programs current.
Regularly scan systems with reputable antivirus or anti-spyware software and ensure this software is kept up to date.