Grandoreiro Malware Campaign: A Global Threat to Banking Security – SOCRadar® Cyber Intelligence Inc.

Grandoreiro is a sophisticated Windows-based banking trojan distributed via Malware-as-a-Service (MaaS), affecting more than 1,500 banks across 60+ countries. It employs advanced evasion and data-stealing techniques, including UAC bypass, DNS over HTTPS, a Domain Generation Algorithm for C2, and phishing campaigns impersonating legitimate organizations like SAT.

Key points

  • Grandoreiro operates as a Malware-as-a-Service (MaaS) and has a global footprint, targeting thousands of banks across multiple regions.
  • It uses stealth techniques such as bypassing User Account Control (UAC), startup persistence, and browser session hijacking to maintain access.
  • The malware harvests credentials and data from web browsers (e.g., cookies) and can parse Outlook PST files to collect email addresses.
  • Its C2 communications can use HTTP, DNS over HTTPS, and a Domain Generation Algorithm (DGA) to evade domain-based blocking.
  • Phishing emails impersonate legitimate organizations (SAT, SARS, CFE) and direct users to ZIP files infected with malware.
  • Mitigation calls for a multi-layered defense: anti-phishing controls, network monitoring, blocking of DGA-generated domains, registry monitoring, EDR, and user education.

MITRE Techniques

  • [T1548.002] Bypass User Account Control – Bypasses UAC to infiltrate systems. ‘bypassing User Account Control (UAC)’.
  • [T1033] Account Discovery – Elevates access by discovering email accounts; ‘email account discovery’.
  • [T1071.001] Web Protocols – Uses HTTP for C2 communications. ‘using HTTP in Command and Control (C2) communications’.
  • [T1547.001] Boot or Logon Autostart Execution – Maintains persistence via startup folders. ‘creating link files in system startup folders to ensure continuity’.
  • [T1555.003] Credentials from Web Browsers – Steals cookies and browser credentials (e.g., Chrome). ‘stealing cookie data and credentials from web browsers such as Google Chrome’.
  • [T1027] Obfuscated/Compressed Files and Information – Complex decryption with multiple layers to hide payloads. ‘complex decryption process, involving multiple layers of encryption’.
  • [T1583] Domain Generation Algorithms – DGA to determine active C2 domains. ‘Domain Generation Algorithm (DGA) to determine active C2 domains’.
  • [T1071.004] Application Layer Protocol: DNS – DNS-related C2 activity, including DNS over HTTPS. ‘DNS over HTTPS’.
  • [T1566.002] Phishing: Spearphishing Link – Phishing emails with links to ZIP files infected with malware. ‘phishing emails frequently mimic legitimate organizations’ … ‘links that direct recipients to ZIP files infected with malware’.

Indicators of Compromise

  • [MD5 Hashes] – 5ba143b5cef7e0505de283091c288e35, 6b9217ef9cbd2b29bfc353261566be1a, and 10 more hashes
  • [SHA1 Hashes] – 8db589e61c6a9aeb47cd35570318b321866a415d, 987d02620b4f57a667771f03ebb4c89ed3bf7cc8, and 4 more hashes
  • [SHA256 Hashes] – 2d3ec83c7a50990b13221e9018fe0c2b0b7fd6d1534160adf56f5df836e46537, 880db8383100c53c408224a003b312b6d57954ef42d3663ec80e4157ba003a01, and 4 more hashes
  • [Domains and IP Addresses] – vamosparaonde.com, perfomacepnneu.me, and 26 more items
  • [CVE Identifiers] – CVE-2022-34233

Read more: https://socradar.io/grandoreiro-malware-campaign-a-global-threat-to-banking-security/