Grandoreiro is a Brazilian banking trojan active since 2016, evolving to target thousands of banks and crypto wallets globally. Despite law enforcement efforts, the group continues expanding with new techniques, encryption, and infrastructure to evade detection. #Grandoreiro #Tetrade #INTERPOL #Kaspersky #Trustwave
Key points
- Origin: Brazilian banking trojan active since 2016.
- Global Reach: Targets 1,700 banks and 276 crypto wallets in 45 countries.
- Fraudulent Activities: Estimated fraudulent profits of 3.5 million euros in Spain alone.
- Evolution: Regularly updates techniques to evade detection, including the use of DGAs and advanced encryption methods.
- Malware-as-a-Service: Offered as a service, but unlike typical malware-as-a-service, access to its source code is tightly restricted.
- Infection Methods: Utilizes phishing emails and malvertising to deliver malware.
- Anti-Detection Techniques: Employs various checks to avoid detection by security tools and sandboxes.
- Remote Access: Allows operators to control victim machines and perform fraudulent transactions.
- Collaboration: Kaspersky collaborates with INTERPOL and law enforcement to combat Grandoreiro.
MITRE Techniques
- [T1003] Credential Dumping – Monitors user activity and steals credentials from financial institution websites.
- [T1219] Remote Access Tools – Uses a Delphi-based tool for remote access to victim machines.
- [T1566] Phishing – Distributes phishing emails to lure victims into downloading malware.
- [T1210] Exploitation of Remote Services – Utilizes legitimate services to execute malicious commands on victim machines.
- [T1486] Data Encrypted for Impact – Utilizes advanced encryption techniques to obfuscate malicious payloads.
Indicators of Compromise
- [Host-based] – File hashes (MD5): f0243296c6988a3bce24f95035ab4885, dd2ea25752751c8fb44da2b23daf24a4, and 2 more hashes
Read more: https://securelist.com/grandoreiro-banking-trojan/114257/