| Grandoreiro | |
|---|---|
| Type of Malware | Banking Trojan |
| Date of initial activity | 2016 |
| Country of Origin | Latin America |
| Targeted Countries | Traditionally Latin America, Spain and Portugal; more recently Mexico and South Africa |
| Motivation | Financial gain |
| Attack Vectors | Spam seems to be the sole distribution method for Grandoreiro. The spam emails appear to contain a link pointing to a website offering fake Flash or Java updates |
| Targeted System | Windows |
| Tools | Grandoreiro banking trojan (primary malware) |
| Variants | Win32/Spy.Grandoreiro.A |
Overview
Grandoreiro is a Latin American banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model.
Grandoreiro targets Brazil, Peru, and Mexico, and from 2019 Spain as well. While Spain was the most targeted country between 2020 and 2022, in 2023 researchers observed a clear switch of focus towards Mexico and Argentina, the latter being new to Grandoreiro.
Targets
The latest malware variant specifically targets over 1,500 banks worldwide, enabling the attackers to carry out banking fraud in over 60 countries, including regions of Central and South America, Africa, Europe, and the Indo-Pacific.
How they operate
Grandoreiro follows a consistent methodology from initial compromise through to evasion. Initial access comes through spearphishing links: convincing phishing emails carry malicious links which, when clicked, lead to the malware being executed on the victim’s device. Once installed, Grandoreiro carries out its activity through Windows application programming interfaces (APIs), so its actions run as ordinary code inside the victim’s environment.
After achieving execution, Grandoreiro focuses on persistence and privilege escalation. It persists by adding entries to registry Run keys and startup folders so that it is relaunched after every reboot. For privilege escalation, Grandoreiro can bypass User Account Control (UAC), obtaining elevated permissions without prompting the user; this lets it access and modify protected system components.
To evade detection, Grandoreiro uses several techniques. It pads its binaries with junk data so that the files are harder for security tools to identify. It also disables security software and modifies file and directory permissions to avoid detection and interference. It masquerades its processes and files as legitimate software to withstand forensic scrutiny, and it keeps payloads obfuscated or encoded, decoding them only when needed, so that their true nature is not exposed at rest.
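As an added illustration from the defender’s side (not code from this page or from any published Grandoreiro analysis), the following Python hunts for the Run-key and startup-folder persistence and the masquerading described in the two paragraphs above. The autostart entries, paths and file names are constructed samples rather than real indicators, and the user-writable directory markers and system-binary name list are assumed heuristics.

```python
import re

# Constructed sample autostart entries, shaped as (location, value name, command line)
# as exported from HKCU/HKLM ...\CurrentVersion\Run and the user's Startup folder.
# Paths and names are made up for this example; none is a real indicator.
SAMPLE_ENTRIES = [
    ("HKCU Run", "OneDrive", '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'),
    ("HKCU Run", "UpdaterSvc", "C:\\Users\\ana\\AppData\\Roaming\\Update\\svchost.exe"),
    ("HKLM Run", "SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
    ("Startup folder", "flashupd.lnk", '"C:\\Users\\ana\\AppData\\Local\\Temp\\FlashUpdate.exe" -silent'),
]

# Assumed heuristics: autostart images in user-writable directories, and well-known
# system binary names launched from outside C:\Windows (masquerading).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe", "rundll32.exe"}

def extract_image_path(command):
    """Return the executable path from a command line: a quoted path with arguments,
    or a bare path (possibly containing spaces) followed by arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ")[0]

def assess_entry(command):
    """Return the reasons an autostart entry looks suspicious (empty list if none)."""
    path = extract_image_path(command).lower()
    reasons = []
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("autostart image in user-writable directory")
    base = path.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and not path.startswith("c:\\windows\\"):
        reasons.append("system binary name outside C:\\Windows (masquerading)")
    return reasons

def hunt(entries):
    """Return (location, name, image_path, reasons) for every flagged entry."""
    findings = []
    for location, name, command in entries:
        reasons = assess_entry(command)
        if reasons:
            findings.append((location, name, extract_image_path(command), reasons))
    return findings

if __name__ == "__main__":
    for location, name, path, reasons in hunt(SAMPLE_ENTRIES):
        print(f"[{location}] {name} -> {path}: {'; '.join(reasons)}")
```

On a live host the same `hunt()` can be fed entries collected from the Run keys and Startup folders; the two legitimate-looking sample entries pass, while the two planted in the user profile are flagged.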
In its discovery phase, Grandoreiro systematically explores the infected system to gather information about it. It enumerates application windows, files, directories, and processes, and identifies installed security software. This reconnaissance lets the malware tailor its actions to the system’s configuration and security measures.
For command and control, Grandoreiro uses domain generation algorithms (DGAs) to produce the domains through which it communicates with its operators, so that the takedown of individual domains does not cut off the channel. The traffic itself uses standard application layer protocols so that it blends in with regular network activity.
Finally, Grandoreiro exfiltrates stolen data over its existing command and control channel, so the transfer does not stand out from the C2 traffic already in use. Taken together, these techniques give Grandoreiro a mature set of evasion and persistence capabilities.
MITRE tactics and techniques
Initial Access
T1192: Spearphishing Link
Execution
T1106: Execution through API
Persistence
T1060: Registry Run Keys / Startup Folder
Privilege Escalation
T1088: Bypass User Account Control
Defense Evasion
T1009: Binary Padding
T1089: Disabling Security Tools
T1140: Deobfuscate/Decode Files or Information
T1222: File and Directory Permissions Modification
T1036: Masquerading
Discovery
T1010: Application Window Discovery
T1083: File and Directory Discovery
T1057: Process Discovery
T1063: Security Software Discovery
T1082: System Information Discovery
Collection
T1056: Input Capture
Command and Control
T1483: Domain Generation Algorithms
T1071: Standard Application Layer Protocol
Exfiltration
T1041: Exfiltration Over Command and Control Channel