Grandoreiro is a multi-component banking trojan likely operated as Malware-as-a-Service (MaaS) with major updates to string decryption and domain generation, plus new capabilities to use Microsoft Outlook on infected hosts to spread phishing. IBM X-Force reports global campaigns targeting over 1500 banks in over 60 countries, impersonating government entities in LATAM and beyond, signaling a broader deployment strategy following law enforcement actions. #Grandoreiro #XForce #Outlook #SARS #SAT #CFE #DGA #MalwareAsAService
Key points
- Grandoreiro is a multi-component banking trojan likely operated as Malware-as-a-Service (MaaS).
- Campaigns impersonate government entities in Mexico, Argentina, and South Africa to deliver the malware.
- Targets include over 1500 global banking apps/websites across 60 countries (LATAM, Africa, Europe, Indo-Pacific).
- New variant introduces major updates to string decryption and domain generation (DGA), enabling multiple C2 domains per day.
- Loader can harvest Outlook data and use the victim’s Outlook client to send phishing emails, expanding spread.
- Campaigns include a sophisticated infection chain (loader, decryption, C2, payload) with CAPTCHA to hinder automation.
MITRE Techniques
- [T1566.001] Spear Phishing Attachment – The initial attack vector involves phishing emails impersonating reputable organizations to distribute malicious attachments, tricking users into downloading the Grandoreiro banking trojan.
- [T1036] Masquerading – The phishing emails and associated payloads often mimic legitimate entities and services, utilizing disguised files that appear to be innocuous documents, such as PDFs, to conceal malicious intent.
- [T1173] Dynamic Data Exchange – While not explicitly mentioned, techniques similar to Dynamic Data Exchange could be employed to execute malicious scripts via Microsoft Outlook, which Grandoreiro manipulates to propagate further phishing emails.
- [T1027] Obfuscated Files or Information – The malware uses various obfuscation techniques, including triple-Base64 encoding and custom encryption algorithms, to hide its malicious strings and commands, complicating analysis and detection.
- [T1071] Command and Control – Grandoreiro communicates with its command and control (C2) servers, dynamically generated through a sophisticated Domain Generation Algorithm (DGA), enabling consistent control over the malware despite potential disruptions in the C2 infrastructure.
- [T1496] Resource Hijacking – The malware hijacks the Microsoft Outlook client on infected hosts to send out further phishing campaigns, exploiting the victim’s resources and trusted status to propagate the infection.
- [T1027.002] Software Packing – The Grandoreiro payload is typically delivered within a packed executable that is significantly bloated to avoid automated analysis and detection by antivirus programs.
- [T1056] Credential Access – By targeting over 1500 banking applications and websites globally, the malware likely employs methods to intercept or harvest credentials directly from the victim’s interactions with these financial platforms.
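The triple-Base64 layering noted under T1027 is the kind of obfuscation an analyst peels mechanically during sample triage. The following Python helper is an added example, not code from the X-Force report or from the malware; it strips nested Base64 layers until the data stops looking like Base64, and is run on a constructed sample string rather than a real Grandoreiro configuration value.

```python
import base64
import binascii
import re

# Strict Base64 alphabet with optional "=" padding (constructed check, not from the report).
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def _looks_like_base64(data: bytes) -> bool:
    """Cheap shape test: Base64 length is a multiple of 4 and uses only the alphabet."""
    data = data.strip()
    return len(data) >= 4 and len(data) % 4 == 0 and bool(_B64_RE.match(data))


def peel_base64(blob: bytes, max_layers: int = 8):
    """Repeatedly Base64-decode `blob` while each layer is still valid Base64.

    Returns (innermost_bytes, layers_removed). Decoding stops when the data no
    longer looks like Base64, when strict decoding fails, or when the layer
    budget is exhausted, so a decoded payload that merely happens to be
    Base64-shaped is not peeled indefinitely.
    """
    data = blob.strip()
    layers = 0
    while layers < max_layers and _looks_like_base64(data):
        try:
            decoded = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break
        data = decoded
        layers += 1
    return data, layers


def triple_encode(plaintext: bytes) -> bytes:
    """Apply three Base64 layers; used only to build the constructed sample below."""
    data = plaintext
    for _ in range(3):
        data = base64.b64encode(data)
    return data


# Constructed sample standing in for an encoded config entry; not a real indicator.
SAMPLE = triple_encode(b"c2=example.invalid;port=443")

if __name__ == "__main__":
    text, n = peel_base64(SAMPLE)
    print(f"{n} layers removed -> {text!r}")
```

Strings that decode to plain ASCII containing characters outside the Base64 alphabet (spaces, semicolons, dots) stop the loop naturally; the `max_layers` budget covers the rare innermost value that is itself Base64-shaped.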
Indicators of Compromise
- [URL] – Malicious download links: https://pjohconstruccionescpaz.com/?8205-23069071&tokenValue=92b768ccface4e96cee662517800b208f88ff796, https://hilcfacdigitaelpichipt.norwayeast.cloudapp.azure.com/?docs/pdf/15540f02-d006-4e3b-b2de-6873baff3b2a, https://officebusinessaccount.eastus.cloudapp.azure.com/?PDF-XML-, https://servicerevenueza.southeastasia.cloudapp.azure.com/?PDF-XML-71348793
- [SHA256] – 97f3c0beef87b993be321b5af3bf748cc8e003e6e90cf5febf69dfd81e85f581, afd53240a591daf50f556ca952278cf098dbc5b6c2b16c3e46ab5a0b167afb40, 3f920619470488b8c1fda4bb82803f72205b18b1ea31402b461a0b8fe737d6bd, 70f22917ec1fa3a764e21f16d68af80b697fb9d0eb4f9cd6537393b622906908
- [IPv4] – 18.231.181.227, 18.231.158.159, 15.229.211.175, 15.228.245.103
Read more: https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/