Kaspersky warns of the growing threat from the Grandoreiro banking trojan, targeting financial institutions and cryptocurrency wallets globally. (Image source: Adobe Stock)

Kaspersky, a leading global cybersecurity and digital privacy firm, has issued a warning about the Grandoreiro banking trojan, a growing threat worldwide.

Active since 2016, Grandoreiro has targeted over 1,700 financial institutions and 276 cryptocurrency wallets across 45 countries just this year. This accounts for about 5% of the year’s total banking trojan attacks. Adding to the concern, a newly discovered "light version" of the malware has already affected around 30 banks in Mexico.

Several African nations, including Algeria, Angola, Ethiopia, Ghana, Côte d'Ivoire, Kenya, Mozambique, Nigeria, South Africa, Tanzania, and Uganda, have also fallen victim to Grandoreiro's attacks.

An evolving cyber threat

Following an INTERPOL-led operation that helped Brazilian authorities arrest some operators behind the Grandoreiro banking trojan, Kaspersky discovered that the malware’s codebase has been split into lighter, more fragmented variants so that the remaining operators can continue their activities. This fragmentation has contributed to the rise in attacks on financial institutions in Mexico this year. The creators of the malware likely retain access to its source code and are now launching new campaigns using this simplified legacy version.

“These recent developments highlight the dynamic nature of the threat. The emergence of these lighter versions could signal a trend that might expand beyond Mexico, potentially spreading to other regions, including outside Latin America,” said Fabio Assolini, head of Kaspersky’s Latin American Global Research and Analysis Team (GReAT). “However, it appears that only a select group of trusted affiliates have access to the source code, which allows them to develop such lighter variants. Grandoreiro operates differently from the typical ‘Malware-as-a-Service’ model; it isn’t advertised in underground forums, and access to it seems highly restricted.”

Multiple Grandoreiro variants, including the light version and the main malware, are now responsible for a significant portion of global banking trojan attacks, making it one of the most prevalent cybersecurity threats today, according to Kaspersky.

After analysing new Grandoreiro samples from 2024, Kaspersky observed fresh tactics aimed at evading detection. The malware now tracks mouse activity to replicate real user behaviour, fooling machine-learning security systems into treating the activity as legitimate. By imitating natural mouse movements, Grandoreiro attempts to bypass anti-fraud tools.

Moreover, Grandoreiro has employed a cryptographic method called Ciphertext Stealing (CTS), which Kaspersky reports as a first in the malware world. This technique is used to encrypt malicious code strings, enhancing its stealth.
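Ciphertext stealing is a standard CBC variant, not something unique to this malware; the example below is added here to show what it does, and is neither Kaspersky's nor the malware's code. It assumes the CS3 layout (last two ciphertext blocks swapped) and substitutes a toy SHA-256 Feistel block cipher for a real one so it runs offline; the property an analyst should notice is that the encrypted string keeps exactly the plaintext's length, with no padding block to reveal where a string ends.

```python
"""CBC ciphertext stealing (CS3) over a pluggable 16-byte block cipher.

The block cipher is a toy 4-round Feistel network keyed with SHA-256.
It is invertible but NOT secure; it stands in for a real cipher (e.g. AES).
"""
import hashlib

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Round function: hash of key, round index and the right half (8 bytes).
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, right, i))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, left, i)), left
    return left + right


def cts_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC-CS3: ciphertext is exactly len(pt) bytes, no padding appended."""
    if len(pt) <= BLOCK:
        raise ValueError("ciphertext stealing needs more than one block")
    d = len(pt) % BLOCK or BLOCK          # length of the final (maybe short) block
    head, tail = pt[:-d], pt[-d:]
    prev, out = iv, []
    for i in range(0, len(head), BLOCK):  # ordinary CBC over the full blocks
        prev = toy_encrypt_block(key, _xor(head[i:i + BLOCK], prev))
        out.append(prev)
    stolen = out.pop()                    # C_{n-1}: its first d bytes are "stolen"
    last = toy_encrypt_block(key, _xor(tail + bytes(BLOCK - d), stolen))
    return b"".join(out) + last + stolen[:d]


def cts_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    if len(ct) <= BLOCK:
        raise ValueError("ciphertext stealing needs more than one block")
    d = len(ct) % BLOCK or BLOCK
    body, c_full, c_short = ct[:-(BLOCK + d)], ct[-(BLOCK + d):-d], ct[-d:]
    prev, out = iv, []
    for i in range(0, len(body), BLOCK):
        blk = body[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, blk), prev))
        prev = blk
    x = toy_decrypt_block(key, c_full)    # = (P_n || zeros) XOR C_{n-1}
    c_prev = c_short + x[d:]              # rebuild the full C_{n-1}
    out.append(_xor(toy_decrypt_block(key, c_prev), prev))
    out.append(_xor(x[:d], c_short))
    return b"".join(out)
```

Encrypting a 37-byte constructed string yields 37 bytes of ciphertext, which is the length-preserving signature of CTS that distinguishes it from padded CBC when sizing string tables in a sample.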

To combat financial malware like Grandoreiro, Kaspersky's security experts recommend several key measures for organisations, including enforcing a Default Deny policy for critical user profiles, providing employees with cybersecurity awareness training, and deploying protection solutions for mail servers with anti-phishing capabilities, such as Kaspersky Security for Mail Server.

For individuals, Kaspersky advises staying vigilant—avoid opening suspicious messages, only install apps from trusted sources, and never grant permissions or rights without confirming they align with the app's functionality. Additionally, using a reliable security solution like Kaspersky Premium is essential for protection. 
