The notorious 'Grandoreiro' banking trojan was discovered in recent attacks targeting employees of a chemicals manufacturer in Spain and automotive and machinery manufacturers in Mexico.
The malware has been active in the wild since at least 2017 and continues to be one of the most serious threats to Spanish-speaking users.
The most recent campaign, discovered by Zscaler analysts, began in June 2022 and is still ongoing. It entails the deployment of a Grandoreiro malware variant with several new anti-detection and anti-analysis features, as well as a redesigned C2 system.
The infection chain begins with an email purporting to be from the Mexican Attorney General's Office or the Spanish Public Ministry, depending on the target. The message's subject matter includes state refunds, notices of litigation changes, mortgage loan cancellations, and other items.
The email contains a link that takes recipients to a website where they can download a ZIP archive. That file contains the Grandoreiro loader module disguised as a PDF file in order to trick the victim into running it. Once this occurs, the loader retrieves a Delphi payload in the form of a compressed 9.2MB ZIP file from a remote HTTP file server ("http://15[.]188[.]63[.]127:36992/zxeTYhO.xml") and extracts and executes it.
The loader gathers system information, retrieves a list of installed antivirus programmes, cryptocurrency wallets, and e-banking apps, and sends it to the C2. To avoid sandbox analysis, the final payload is signed with a certificate stolen from ASUSTEK and has an inflated size of 400MB thanks to "binary padding."
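The binary-padding trick described above leaves a measurable trace: most of the file is a long run of identical, zero-entropy bytes. As an added example (not code from the article or from Zscaler's report), the Python below flags such samples by measuring the trailing run of identical bytes and the entropy of the file's tail; the inputs are constructed stand-ins, not real Grandoreiro files, and the thresholds are assumptions to tune per environment.

```python
import math
from collections import Counter

# Constructed sample inputs (not real malware): a deterministic high-entropy
# "body" followed by a large block of zero bytes that stands in for the
# padding overlay. The body visits every byte value equally, so its entropy
# is exactly 8 bits per byte.
BODY = bytes((i * 131 + 7) % 256 for i in range(4096))
PADDED_SAMPLE = BODY + b"\x00" * (256 * 1024)
CLEAN_SAMPLE = BODY


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def trailing_run_length(data: bytes) -> int:
    """Length of the run of identical bytes at the very end of the file."""
    if not data:
        return 0
    last, run = data[-1], 0
    for b in reversed(data):
        if b != last:
            break
        run += 1
    return run


def padding_report(data: bytes, tail_bytes: int = 64 * 1024) -> dict:
    """Metrics a triage script can log alongside the file hash."""
    size = len(data)
    run = trailing_run_length(data)
    return {
        "size": size,
        "trailing_run": run,
        "run_ratio": run / size if size else 0.0,
        "tail_entropy": shannon_entropy(data[-tail_bytes:]),
    }


def looks_padded(data: bytes, min_run_ratio: float = 0.5,
                 max_tail_entropy: float = 1.0) -> bool:
    """Heuristic (assumed thresholds): flag when padding dominates the file
    or its tail is nearly constant. Patterned (non-identical) padding would
    lower the run ratio but still shows up as low tail entropy."""
    r = padding_report(data)
    return r["run_ratio"] >= min_run_ratio or r["tail_entropy"] <= max_tail_entropy
```

Running `padding_report` over a sample before it is submitted to a sandbox shows whether an oversized file is bulk rather than code, which is the case worth stripping or flagging first.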
In one case, as security analyst Ankit Anubhav pointed out on Twitter, Grandoreiro even asks the victim to solve a CAPTCHA before it runs on the system, which is yet another attempt to avoid automated detection. Finally, Grandoreiro makes itself persistent across reboots by adding two new Registry keys that set it to launch at system startup.
Grandoreiro features
One of the new features in the latest Grandoreiro variant sampled by Zscaler is the use of DGA (domain generation algorithm) for C2 communications, which makes mapping and taking down the malware's infrastructure difficult.
The C2 communication pattern is now the same as LatentBot's, with "ACTION+HELLO" beacons and ID-based cookie value responses. The similarities between the two malware strains were discovered by Portuguese cybersecurity blogger Pedro Tavares in 2020, but the C2 communication techniques were only recently incorporated into Grandoreiro's code.
The malware on the host has the following backdoor capabilities:
- Keylogging
- Auto-updating to newer versions and modules
- Web-Injects and restricting access to specific websites
- Command execution
- Manipulating windows
- Guiding the victim's browser to a specific URL
- C2 Domain Generation via DGA (Domain Generation Algorithm)
- Imitating mouse and keyboard movements
Outlook
The recent campaign suggests that Grandoreiro's operators prefer to carry out highly targeted attacks rather than send large volumes of spam emails to random recipients.
Furthermore, the malware's continuous evolution, which gives it stronger anti-analysis and detection-evasion features, lays the groundwork for stealthier operations. While Zscaler's report does not go into detail about the current campaign's objectives, Grandoreiro's operators have previously demonstrated financial motivations, so the same is assumed here.