ESET takes part in global operation to disrupt the Grandoreiro banking trojan

Keypoints

  • ESET tracked Grandoreiro long-term, extracting 105 DGA configurations (dga_ids) and processing tens of thousands of samples to map C&C infrastructure.
  • Grandoreiro relies solely on a DGA (with optional failsafe domains) to locate C&C servers; many generated domains use No‑IP DDNS and cloud providers (AWS, Azure, OVH).
  • A design flaw in Grandoreiro’s RTC-based network protocol allowed ESET to query C&C servers and collect victim metadata via the login_string (OS, computer name, country, bank codename, version, etc.).
  • ESET observed frequent IP overlaps across different DGA configurations, indicating shared infrastructure and enabling clustering of C&C servers that aided attribution and takedown actions.
  • Grandoreiro uses RTC Portal (HTTP(S)-based) with a secret key/key-length handshake and a custom stream cipher; separate inbound/outbound keys are negotiated during handshake.
  • Operators abused cloud hosting and DDNS for rapid domain/IP changes; ESET’s telemetry identified the accounts provisioning infrastructure, assisting law enforcement to seize servers and make arrests.
  • IOCs published include sample SHA-1 hashes, MSI downloader and DLL filenames, and numerous DGA-generated IP addresses hosted on Azure, AWS, OVH, and other providers.

MITRE Techniques

  • [T1587.001] Develop Capabilities: Malware – Grandoreiro's developers write their own custom downloaders.
  • [T1566] Phishing – Grandoreiro spreads through phishing emails.
  • [T1204.002] User Execution: Malicious File – Grandoreiro pressures victims into manually executing the phishing attachment.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Grandoreiro uses the standard Autostart locations for persistence.
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – Grandoreiro is executed by abusing the DLL search order.
  • [T1140] Deobfuscate/Decode Files or Information – Grandoreiro is often distributed in password-protected ZIP archives.
  • [T1027.001] Obfuscated Files or Information: Binary Padding – Grandoreiro EXEs used to have enlarged .rsrc sections padded with large BMP images.
  • [T1218.007] System Binary Proxy Execution: Msiexec – Grandoreiro downloaders are bundled inside MSI installers.
  • [T1112] Modify Registry – Grandoreiro stores part of its configuration data in the Windows registry.
  • [T1010] Application Window Discovery – Grandoreiro identifies online banking websites by window names.
  • [T1057] Process Discovery – Grandoreiro identifies security tools by process names.
  • [T1518.001] Software Discovery: Security Software Discovery – Grandoreiro detects the presence of banking protection products.
  • [T1082] System Information Discovery – Grandoreiro collects information about the victim's machine, such as %COMPUTERNAME% and the operating system.
  • [T1056.002] Input Capture: GUI Input Capture – Grandoreiro can display fake pop-ups and capture the text typed into them.
  • [T1056.001] Input Capture: Keylogging – Grandoreiro is capable of capturing keystrokes.
  • [T1114.001] Email Collection: Local Email Collection – Grandoreiro's operators developed a tool to extract email addresses from Outlook.
  • [T1132.002] Data Encoding: Non-Standard Encoding – Grandoreiro uses RTC, which encrypts data with a custom stream cipher.
  • [T1568.002] Dynamic Resolution: Domain Generation Algorithms – Grandoreiro relies solely on a DGA to obtain C&C server addresses.
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – In RTC, encryption and decryption are done using the same key.
  • [T1571] Non-Standard Port – Grandoreiro often uses non-standard ports for distribution.
  • [T1071] Application Layer Protocol – RTC is built on top of HTTP(S).
  • [T1041] Exfiltration Over C2 Channel – Grandoreiro exfiltrates data to its C&C server.
  • [T1529] System Shutdown/Reboot – Grandoreiro can force a system reboot.

Indicators of Compromise

  • [File Hashes] sample identification – FB32344292AB36080F2D040294F17D39F8B4F3A8, 08C7453BD36DE1B9E0D921D45AEF6D393659FDF5, and 2 more hashes
  • [Filenames] payloads and loaders – Notif.FEL.RHKVYIIPFVBCGQJPOQÃ.msi, RYCB79H7B-7DVH76Y3-67DVHC6T20-CH377DFHVO-6264704.msi, pcre.dll, iconv.dll
  • [IP addresses] C&C and distribution servers – 20.237.166[.]161 (Azure C&C), 18.215.238[.]53 (AWS C&C), and additional DGA-resolved IPs
  • [Domains / DDNS] DGA and hosting services – base domains freedynamicdns.org and zapto.org (No‑IP DDNS), with multiple DGA-generated subdomains under them

ESET’s technical procedure combined large-scale telemetry with targeted C&C queries to map Grandoreiro’s infrastructure and extract actionable artefacts. Automated systems processed tens of thousands of samples to enumerate 105 distinct DGA configurations (dga_id values) and to reimplement the DGA itself. Each day the algorithm selects a 4‑byte key from the dga_table according to the current month and day, XOR‑encrypts a formatted date string with that key, prefixes the result with the dga_id, encodes it with a custom base64 alphabet (or, in newer builds, prepends a hardcoded prefix), and strips the padding to form that day’s subdomain. Some builds add a failsafe mechanism that derives alternate domains from parts of the main subdomain and a small failsafe table. With both algorithms reimplemented, ESET could predict every configuration’s daily output in advance and track which of the resulting DNS records were actually active.
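The pipeline above, written out as an added example (this is not ESET's tracking code and not Grandoreiro's DGA; the key table, the date layout, the custom base64 alphabet, the three-letter form of the dga_id and the base domains are all constructed stand-ins, only the sequence date → XOR with a table key → dga_id prefix → custom base64 → strip padding is taken from the description). Besides generating a configuration's domains for a window of days, it reverses an observed label back to its dga_id and date, and matches a few constructed DNS log lines against the predicted set, which is the telemetry side of "tracking active C&C records":

```python
"""Illustrative Grandoreiro-style DGA (added example; constructed parameters)."""
import base64
import datetime as dt

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Assumption: a permuted alphabet standing in for a sample's real custom one.
CUSTOM_ALPHABET = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210-_"
_TO_CUSTOM = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)
_TO_STD = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)

# Assumption: one 4-byte XOR key per month; a real dga_id config ships its own table.
DGA_TABLE = {m: bytes([(0x11 * m) & 0xFF, 0x37, 0x5A ^ m, 0xC3]) for m in range(1, 13)}
DATE_FMT = "%d/%m/%Y"                                  # assumed layout of the formatted date
BASE_DOMAINS = ("zapto.org", "freedynamicdns.org")     # DDNS base domains named on the page


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def custom_b64(data: bytes) -> str:
    """Standard base64 remapped onto the custom alphabet, padding removed."""
    return base64.b64encode(data).decode().translate(_TO_CUSTOM).rstrip("=")


def custom_b64_decode(text: str) -> bytes:
    padded = text.translate(_TO_STD) + "=" * (-len(text) % 4)
    return base64.b64decode(padded)


def dga_subdomain(dga_id: str, day: dt.date) -> str:
    """Daily label for one dga_id: XOR the formatted date with the month key,
    prefix the dga_id, encode with the custom alphabet, drop the padding."""
    key = DGA_TABLE[day.month]
    payload = dga_id.encode() + xor_bytes(day.strftime(DATE_FMT).encode(), key)
    return custom_b64(payload)


def predict_domains(dga_id: str, start: dt.date, days: int) -> dict:
    """Map every FQDN the configuration could use in the window to its date."""
    out = {}
    for n in range(days):
        day = start + dt.timedelta(days=n)
        label = dga_subdomain(dga_id, day)
        for base in BASE_DOMAINS:
            out[f"{label}.{base}"] = day
    return out


def decode_subdomain(label: str, dga_id_len: int):
    """Reverse the DGA for an observed label: try every month key and keep the
    one whose XOR output parses as a date inside that same month."""
    raw = custom_b64_decode(label)
    dga_id, enc = raw[:dga_id_len].decode(), raw[dga_id_len:]
    for month, key in DGA_TABLE.items():
        try:
            day = dt.datetime.strptime(xor_bytes(enc, key).decode(), DATE_FMT).date()
        except (UnicodeDecodeError, ValueError):
            continue
        if day.month == month:
            return dga_id, day
    return None


def match_dns_log(lines, dga_ids, start: dt.date, days: int):
    """Flag queried names equal to a predicted domain of any tracked dga_id.
    Log line layout (constructed): '<timestamp> <client ip> <queried name>'."""
    table = {}
    for dga_id in dga_ids:
        for fqdn, day in predict_domains(dga_id, start, days).items():
            table[fqdn] = (dga_id, day)
    hits = []
    for line in lines:
        _ts, client, qname = line.split()
        if qname in table:
            hits.append((client, qname, *table[qname]))
    return hits


def demo():
    """Constructed DNS log: one DGA hit for dga_id 'jjk' on 2024-05-03, two unrelated queries."""
    start = dt.date(2024, 5, 1)
    hit = f"{dga_subdomain('jjk', dt.date(2024, 5, 3))}.{BASE_DOMAINS[0]}"
    log = [
        "2024-05-03T09:12:44Z 10.0.0.5 " + hit,
        "2024-05-03T09:12:45Z 10.0.0.5 update.microsoft.com",
        "2024-05-03T09:13:01Z 10.0.0.9 example.zapto.org",
    ]
    return match_dns_log(log, ["jjk", "bbh"], start, 7)


if __name__ == "__main__":
    for client, qname, dga_id, day in demo():
        print(f"{client} queried {qname}: dga_id={dga_id} generated for {day}")
```

Because the date is recoverable from the label once the key table is known, the same code answers the analyst's question in both directions: which names to pre-register or sinkhole for a given dga_id, and which configuration and day an unknown query in telemetry belongs to.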

During its C&C interactions, ESET exploited a design flaw in the protocol: a server discloses the login_string of each connected host, which carries the OS, computer name, hardcoded target country, version_string (build ID and timestamp) and often a bank codename. By querying the RTC-based Gateways (each of which requires the secret key, its key length and a unique login) and parsing the login_string formats, researchers enumerated victim metadata, measured active versus unique victims, and found cases where different dga_ids resolved to the same cloud-hosted IP, evidence of shared or load-balanced infrastructure.
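The IP-overlap observation is what turns 105 independent configurations into a handful of infrastructure clusters. The following is an added example of that clustering step, not ESET's tooling: the resolution records are constructed (documentation-range IPs, made-up dga_ids), and the `NOISE_IPS` exclusion list is an assumption standing in for whatever an analyst would filter out (parking pages, sinkholes, shared front ends) so that one address everybody touches does not glue every cluster together. Two dga_ids are linked when an address outside that list resolved for both; links are merged with a union-find, and each cluster is reported with the IPs that hold it together:

```python
"""Cluster DGA configurations by shared C&C IPs (added example; constructed data)."""
from collections import defaultdict

# Constructed telemetry: (dga_id, date, resolved_ip).
RECORDS = [
    ("jjk", "2024-04-02", "203.0.113.10"),
    ("jjk", "2024-04-03", "203.0.113.10"),
    ("bbh", "2024-04-03", "203.0.113.10"),   # overlaps with jjk
    ("bbh", "2024-04-05", "198.51.100.7"),
    ("ttx", "2024-04-06", "198.51.100.7"),   # overlaps with bbh, so lands with jjk too
    ("mmq", "2024-04-02", "192.0.2.44"),
    ("mmq", "2024-04-09", "192.0.2.45"),
    ("pqr", "2024-04-09", "192.0.2.45"),     # overlaps with mmq
    ("zzz", "2024-04-10", "192.0.2.1"),      # only ever seen on the parking address
    ("jjk", "2024-04-11", "192.0.2.1"),      # jjk also hit the parking address once
]
NOISE_IPS = {"192.0.2.1"}   # assumed exclusion list: addresses that prove nothing


class DisjointSet:
    """Minimal union-find with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def ip_to_ids(records, noise=NOISE_IPS):
    """IP -> set of dga_ids that resolved to it, ignoring excluded addresses."""
    seen = defaultdict(set)
    for dga_id, _date, ip in records:
        if ip not in noise:
            seen[ip].add(dga_id)
    return seen


def cluster_by_shared_ip(records, noise=NOISE_IPS):
    """Return [(sorted dga_ids, sorted linking IPs)], largest cluster first.
    Singletons are kept so that unlinked configurations remain visible."""
    ds = DisjointSet()
    for dga_id, _date, _ip in records:
        ds.find(dga_id)
    links = {ip: ids for ip, ids in ip_to_ids(records, noise).items() if len(ids) > 1}
    for ids in links.values():
        first, *rest = sorted(ids)
        for other in rest:
            ds.union(first, other)
    members = defaultdict(set)
    for dga_id in ds.parent:
        members[ds.find(dga_id)].add(dga_id)
    clusters = []
    for ids in members.values():
        shared = sorted(ip for ip, linked in links.items() if linked & ids)
        clusters.append((sorted(ids), shared))
    return sorted(clusters, key=lambda c: (-len(c[0]), c[0]))


if __name__ == "__main__":
    for ids, shared in cluster_by_shared_ip(RECORDS):
        print(ids, "linked by", shared or "nothing")
    print("without the exclusion list:", cluster_by_shared_ip(RECORDS, noise=set())[0][0])
```

Running the clustering a second time with an empty exclusion list shows the failure mode: the parking address pulls `zzz` into the `jjk` cluster, which is exactly the kind of false link that would send law enforcement after the wrong hosting account.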

Combining predicted DGA outputs, DNS/IP resolution history, and cloud account traces for the servers (mostly on Azure and AWS, with some on other providers) allowed ESET to attribute the infrastructure and hand specific hosting account indicators to law enforcement. The team’s findings on DGA configurations, RTC handshake parameters (secret key and key length), the custom stream cipher, and the published IOCs directly supported the Federal Police of Brazil’s disruption operation and the arrests that followed.

Read more: https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-grandoreiro-banking-trojan/