
Grandoreiro
Type of Malware
Banking Trojan
Date of initial activity
2016
Country of Origin
Latin America
Targeted Countries
Traditionally Latin America, Spain and Portugal, and more recently Mexico and South Africa
Motivation
Financial gain
Attack Vectors
Spam appears to be the sole distribution method for Grandoreiro. The spam emails contain a link pointing to a website offering fake Flash or Java updates, which deliver the downloader.
Targeted System
Windows
Tools
Grandoreiro banking trojan (primary malware)
Grandoreiro downloader (used to download and install the main malware)
Grandoreiro spam tool (used to create and send spam emails for distribution)
Variants
Win32/Spy.Grandoreiro.A
Win32/Spy.Grandoreiro.AE
Win32/Spy.Grandoreiro.AJ
Win32/TrojanDownloader.Banload.YJR
Win32/TrojanDownloader.Banload.YLZ
Win32/TrojanDownloader.Banload.YJB
Win32/TrojanDownloader.Banload.YMI
Win32/Spy.Grandoreiro.AD
Overview
Grandoreiro is a Latin American banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro targets Brazil, Peru, and Mexico, and from 2019 Spain as well. While Spain was the most targeted country between 2020 and 2022, in 2023 researchers observed a clear switch of focus towards Mexico and Argentina, the latter being new to Grandoreiro.
Targets
The latest malware variant specifically targets over 1500 banks worldwide, enabling attackers to carry out banking fraud in over 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific.
How they operate
Grandoreiro follows a well-defined methodology that covers initial compromise, persistence, evasion, reconnaissance, command and control, and exfiltration. Initial access comes through spearphishing links: convincing phishing emails carry a malicious link which, when clicked, leads to the malware being executed on the victim's device. Once installed, Grandoreiro executes through Windows application programming interfaces (APIs), running its malicious activity inside the victim's environment.

After execution, Grandoreiro works on persistence and privilege escalation. It persists by adding registry run keys and startup folder entries so that it is relaunched after every reboot. For privilege escalation it bypasses User Account Control (UAC), so it runs with elevated permissions without prompting the user and can access and alter critical system components.

To evade detection, Grandoreiro combines several defensive tactics. It uses binary padding to inflate its executable and hinder identification by security tools, disables security software, and modifies file and directory permissions to avoid detection and interference. It masquerades its processes and files as legitimate software to evade forensic scrutiny, and it deobfuscates or decodes files only when they are needed, keeping their true nature hidden the rest of the time.

In its discovery phase, Grandoreiro systematically explores the infected system. It enumerates application windows, files, directories, and processes, and checks for installed security software, so that it can tailor its actions to the system's configuration and defenses.

For command and control, Grandoreiro uses domain generation algorithms (DGAs) to produce the domains through which it contacts its operators, which makes it resilient to domain takedowns. It communicates over standard application layer protocols so that its traffic blends in with normal network activity.

Finally, Grandoreiro exfiltrates stolen data over the same command and control channel, returning it to the operators without raising suspicion. Taken together, its evasion and persistence techniques make it a formidable threat.
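The persistence paragraph above mentions registry run keys and startup folder entries. The script below is an added illustrative example, not code from the page or from any vendor report: given a list of autostart entries, it flags those whose command runs from a user-writable directory or goes through a script host. The entries, user name and paths are constructed; on a real host the entries would be collected from the Run keys and Startup folders first.

```python
"""Triage of autostart entries for persistence in user-writable locations.

Added example, not from the page. The sample entries are constructed and are
not real Grandoreiro indicators.
"""
import ntpath
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to. A Run-key entry that points
# here is typical of commodity trojans and rare for properly installed software.
USER_WRITABLE = (
    r"\appdata\local\temp",
    r"\appdata\roaming",
    r"\appdata\local",
    r"\users\public",
    r"\programdata",
    r"\downloads",
    r"\windows\temp",
)

# Interpreters that let an autostart entry run a script instead of a binary.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}

# Constructed environment for expanding the variables used in the samples.
ENV = {"%appdata%": r"c:\users\alice\appdata\roaming",
       "%localappdata%": r"c:\users\alice\appdata\local",
       "%temp%": r"c:\users\alice\appdata\local\temp",
       "%programdata%": r"c:\programdata",
       "%userprofile%": r"c:\users\alice"}


@dataclass
class AutostartEntry:
    location: str   # registry key or startup folder the entry was found in
    name: str       # value name or shortcut name
    command: str    # command line as stored


def expand_env(cmd: str) -> str:
    """Expand %VAR% references using the constructed ENV table."""
    return re.sub(r"%[A-Za-z_]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), cmd)


def first_token(cmd: str) -> str:
    """Return the executable portion of a command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(entries):
    """Return (entry, reasons) for every entry that deserves analyst attention."""
    findings = []
    for e in entries:
        full = expand_env(e.command).lower()
        exe = expand_env(first_token(e.command)).lower()
        reasons = []
        if any(d in full for d in USER_WRITABLE):
            reasons.append("user-writable path in command")
        if ntpath.basename(exe) in SCRIPT_HOSTS:
            reasons.append("launched via script host")
        if reasons:
            findings.append((e, reasons))
    return findings


# Constructed sample entries: two benign, two in the style of a fake-update dropper.
SAMPLE = [
    AutostartEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                   "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    AutostartEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                   "FlashUpdate", r'"%APPDATA%\FlashUpdate\fupd.exe"'),
    AutostartEntry(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
                   "java_update.lnk", r'wscript.exe //B "C:\Users\Public\jupd.vbs"'),
    AutostartEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                   "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]


def sample_findings():
    """Map entry name -> reasons for the constructed sample set."""
    return {e.name: reasons for e, reasons in triage(SAMPLE)}


if __name__ == "__main__":
    for name, reasons in sample_findings().items():
        print(f"{name}: {', '.join(reasons)}")
```

The two checks are deliberately simple. A full hunt would also compare each binary against a known-good inventory and check its signature, but the path and script-host heuristics alone already separate the constructed dropper-style entries from the legitimate Program Files and System32 ones.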
MITRE tactics and techniques
Initial Access
T1192: Spearphishing Link
Execution
T1106: Execution through API
Persistence
T1060: Registry Run Keys / Startup Folder
Privilege Escalation
T1088: Bypass User Account Control
Defense Evasion
T1009: Binary Padding
T1089: Disabling Security Tools
T1140: Deobfuscate/Decode Files or Information
T1222: File and Directory Permissions Modification
T1036: Masquerading
Discovery
T1010: Application Window Discovery
T1083: File and Directory Discovery
T1057: Process Discovery
T1063: Security Software Discovery
T1082: System Information Discovery
Collection
T1056: Input Capture
Command and Control
T1483: Domain Generation Algorithms
T1071: Standard Application Layer Protocol
Exfiltration
T1041: Exfiltration Over Command and Control Channel
Note: these identifiers come from the pre-sub-technique version of ATT&CK; several of them have since been deprecated or folded into sub-techniques, so map them to current IDs before using them in detection content.
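The technique list includes T1483 (Domain Generation Algorithms) for command and control. The following script is an added illustrative example, not code from the page or from any vendor report, and it does not reproduce Grandoreiro's own DGA: it shows the defender's side, scoring DNS clients on the pattern a DGA leaves in resolver logs, namely one host producing many distinct NXDOMAIN answers for random-looking names in a short window. The log format, thresholds and sample lines are all constructed.

```python
"""Flagging hosts whose DNS traffic looks like DGA beaconing.

Added example, not from the page. Log format, thresholds and sample lines are
constructed; no real DGA or real domains are used.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log format: "<epoch> <client_ip> <qname> <rcode>"
LOG_LINE = re.compile(r"^(\d+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Second-level label, e.g. 'xkq7z' for 'cdn.xkq7z.com' (naive: no public-suffix list)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse(lines):
    """Yield (timestamp, client, qname, rcode) for every well-formed line."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)


def score_clients(lines, window=300, min_nx=5, min_entropy=3.0):
    """Return {client: stats} for clients that, within any `window` seconds,
    got NXDOMAIN for at least `min_nx` distinct labels whose mean entropy is
    at least `min_entropy` bits/char."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in parse(lines):
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, registrable_label(qname)))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            labels = {lbl for t, lbl in events[i:] if t - t0 <= window}
            if len(labels) >= min_nx:
                ent = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
                if ent >= min_entropy:
                    flagged[client] = {"distinct_nx": len(labels),
                                       "mean_entropy": round(ent, 2)}
                    break
    return flagged


# Constructed sample log: 10.0.0.5 cycles through random names, 10.0.0.7 only typos.
SAMPLE_LOG = """\
1700000000 10.0.0.5 mail.example-corp.test NOERROR
1700000005 10.0.0.5 qzx8kwd4mp.com NXDOMAIN
1700000010 10.0.0.5 rb7ytf2xno.net NXDOMAIN
1700000015 10.0.0.5 hk3vwq9zlpc.com NXDOMAIN
1700000020 10.0.0.5 m4dgxe8snbjt.org NXDOMAIN
1700000025 10.0.0.5 p2fyk7uxvq.com NXDOMAIN
1700000030 10.0.0.5 w9gcr5nbxze.net NXDOMAIN
1700000040 10.0.0.7 www.example-corp.test NOERROR
1700000041 10.0.0.7 wwww.example-corp.test NXDOMAIN
1700000050 10.0.0.7 updates.vendor.test NOERROR
1700000900 10.0.0.7 intranet.exmaple-corp.test NXDOMAIN
""".splitlines()


def flagged_sample():
    """Run the scorer over the constructed log."""
    return score_clients(SAMPLE_LOG)


if __name__ == "__main__":
    for client, stats in flagged_sample().items():
        print(f"{client}: {stats}")
```

The NXDOMAIN burst is the more robust of the two signals: entropy alone misfires on CDN and cloud hostnames, while a legitimate host rarely fails to resolve five distinct second-level domains in five minutes. Seeding the scorer with the resolver's own logs rather than endpoint telemetry also means it catches the beaconing even when the endpoint agent has been disabled, which the Defense Evasion entries above describe.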
References:
ESET takes part in global operation to disrupt the Grandoreiro banking trojan
Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns
The post Grandoreiro (Banking Trojan) – Malware first appeared on CyberMaterial.