S0531 Grandoreiro
Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain.[2][1]
Item | Value |
---|---|
ID | S0531 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 10 November 2020 |
Last Modified | 26 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | Grandoreiro can bypass UAC by registering as the default handler for .MSC files.[1] |
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.003 | Email Account | Grandoreiro can parse Outlook .pst files to extract e-mail addresses.[1] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Grandoreiro has the ability to use HTTP in C2 communications.[3][1] |
enterprise | T1010 | Application Window Discovery | Grandoreiro can identify installed security tools based on window names.[1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Grandoreiro can use Run keys and create link files in the Startup folder for persistence.[3][1] |
enterprise | T1547.009 | Shortcut Modification | Grandoreiro can write or modify browser shortcuts to enable launching of malicious browser extensions.[3] |
enterprise | T1176 | Browser Extensions | Grandoreiro can use malicious browser extensions to steal cookies and other user information.[3] |
enterprise | T1185 | Browser Session Hijacking | Grandoreiro can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.[2][3][1] |
enterprise | T1115 | Clipboard Data | Grandoreiro can capture clipboard data from a compromised host.[3] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.005 | Visual Basic | Grandoreiro can use VBScript to execute malicious code.[2][1] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | Grandoreiro can steal cookie data and credentials from Google Chrome.[3][1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Grandoreiro can decrypt its encrypted internal strings.[1] |
enterprise | T1189 | Drive-by Compromise | Grandoreiro has used compromised websites and Google Ads to bait victims into downloading its installer.[2][3] |
enterprise | T1568 | Dynamic Resolution | - |
enterprise | T1568.002 | Domain Generation Algorithms | Grandoreiro can use a DGA for hiding C2 addresses, including use of an algorithm with a user-specific key that changes daily.[2][1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.002 | Asymmetric Cryptography | Grandoreiro can use SSL in C2 communication.[3] |
enterprise | T1041 | Exfiltration Over C2 Channel | Grandoreiro can send data it retrieves to the C2 server.[1] |
enterprise | T1222 | File and Directory Permissions Modification | - |
enterprise | T1222.001 | Windows File and Directory Permissions Modification | Grandoreiro can modify the ACL on security tool binaries to prevent them from running.[1] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running.[1] |
enterprise | T1562.004 | Disable or Modify System Firewall | Grandoreiro can block the Diebold Warsaw GAS Tecnologia security tool at the firewall level.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Grandoreiro can delete .LNK files created in the Startup folder.[1] |
enterprise | T1105 | Ingress Tool Transfer | Grandoreiro can download its second stage from a hardcoded URL within the loader's code.[3][1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Grandoreiro can log keystrokes on the victim's machine.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Grandoreiro has named malicious browser extensions and update files to appear legitimate.[3][1] |
enterprise | T1112 | Modify Registry | Grandoreiro can modify the Registry to store its configuration under HKCU\Software\ in subkeys with frequently changing names, including %USERNAME% and ToolTech-RM.[1] |
enterprise | T1106 | Native API | Grandoreiro can execute through the WinExec API.[1] |
enterprise | T1027 | Obfuscated Files or Information | The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.[2][1] |
enterprise | T1027.001 | Binary Padding | Grandoreiro has added BMP images to the resources section of its Portable Executable (PE) file, increasing each binary to at least 300MB in size.[1] |
enterprise | T1027.011 | Fileless Storage | Grandoreiro can store its configuration in the Registry under HKCU\Software\ in subkeys with frequently changing names, including %USERNAME% and ToolTech-RM.[1] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.002 | Spearphishing Link | Grandoreiro has been spread via malicious links embedded in e-mails.[3][1] |
enterprise | T1057 | Process Discovery | Grandoreiro can identify installed security tools based on process names.[1] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | Grandoreiro can list installed security products, including the Trusteer and Diebold Warsaw GAS Tecnologia online banking protections.[1] |
enterprise | T1539 | Steal Web Session Cookie | Grandoreiro can steal the victim's cookies to use for duplicating the active session from another device.[3] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.007 | Msiexec | Grandoreiro can use MSI files to execute DLLs.[2] |
enterprise | T1082 | System Information Discovery | Grandoreiro can collect the computer name and OS version from a compromised host.[1] |
enterprise | T1016 | System Network Configuration Discovery | Grandoreiro can determine the IP and physical location of the compromised host via IPinfo.[1] |
enterprise | T1033 | System Owner/User Discovery | Grandoreiro can collect the username from the victim's machine.[1] |
enterprise | T1124 | System Time Discovery | Grandoreiro can determine the time on the victim machine via IPinfo.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | Grandoreiro has used malicious links to gain execution on victim machines.[3][1] |
enterprise | T1204.002 | Malicious File | Grandoreiro has infected victims via malicious attachments.[3] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | Grandoreiro can detect VMware via its I/O port and Virtual PC via the vpcext instruction.[1] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.001 | Dead Drop Resolver | Grandoreiro can obtain C2 information from Google Docs.[2] |
enterprise | T1102.002 | Bidirectional Communication | Grandoreiro can utilize web services, including Google Sites, to send and receive C2 data.[3][1] |
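The T1548.002 row above describes the UAC bypass only as "registering as the default handler for .MSC files". What makes that work is that a standard user can write HKCU\Software\Classes, and keys there shadow the machine-wide HKLM\Software\Classes entries when HKCR is assembled; an auto-elevated console such as eventvwr.exe then resolves the mscfile handler to whatever the user-writable key says. The script below is an added triage check, not code from the ATT&CK page or from the cited reports. It assumes the stock handler is %SystemRoot%\system32\mmc.exe and that a clean profile has no mscfile key under HKCU at all; the sample handler values in the demo are constructed.

```python
r"""Triage check for the .MSC handler hijack behind Grandoreiro's UAC bypass (T1548.002).

Added example, not code from the ATT&CK page or the cited reports. Assumptions:
the benign handler lives in HKLM\Software\Classes\mscfile\shell\open\command and
points at %SystemRoot%\system32\mmc.exe; a copy of that key under
HKCU\Software\Classes takes precedence in HKCR, which is how a non-admin process
redirects auto-elevated .msc consumers (eventvwr.exe and similar) to its own binary.
"""
import sys

HKCU_MSCFILE_CMD = r"Software\Classes\mscfile\shell\open\command"


def _handler_exe(command: str) -> str:
    """Return the executable portion of a shell\open\command value, normalised."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        exe = parts[0] if parts else ""
    exe = exe.lower()
    # Expand the two environment references that appear in stock handler values.
    for var in ("%systemroot%", "%windir%"):
        exe = exe.replace(var, r"c:\windows")
    return exe


def classify_mscfile_handler(hkcu_command):
    """Classify the per-user mscfile handler.

    hkcu_command: the (Default) value of HKCU\...\mscfile\shell\open\command,
    or None when the key does not exist (the normal state of a clean profile).
    Returns 'clean', 'suspicious' (a per-user key exists but still points at
    mmc.exe) or 'hijacked' (the per-user key points anywhere else).
    """
    if hkcu_command is None:
        return "clean"
    exe = _handler_exe(hkcu_command)
    if exe.endswith(r"\system32\mmc.exe"):
        return "suspicious"
    return "hijacked"


def read_hkcu_mscfile_command():
    """Read the live per-user value; None when absent or when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, HKCU_MSCFILE_CMD) as key:
            value, _ = winreg.QueryValueEx(key, "")
            return value
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample values standing in for what a live query could return.
    samples = {
        "absent key": None,
        "stock handler copied to HKCU": r'%SystemRoot%\system32\mmc.exe "%1" %*',
        "redirected to dropped payload": r'"C:\Users\victim\AppData\Roaming\Updater\svc.exe"',
    }
    for label, value in samples.items():
        print(f"{label}: {classify_mscfile_handler(value)}")
    live = read_hkcu_mscfile_command()
    print("live HKCU value:", live, "->", classify_mscfile_handler(live))
```

The 'suspicious' verdict is deliberate: there is no normal reason for a user profile to carry its own mscfile key, so even one that points at mmc.exe is worth asking about. Pair the check with removal of the HKCU key (the HKLM handler takes over again) and with a hunt for the same pattern under other auto-elevation handlers.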
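The T1027.001 row records that Grandoreiro inflates its executables past 300MB with BMP images in the resource section; the operational effect is that size-capped scanners and sandboxes skip the file, and that every build can get a fresh hash by changing the images alone. The helper below is an added example, not code from the ATT&CK page or the ESET report, and it assumes nothing beyond the BMP file layout (a 14-byte file header of 'BM', uint32 file size, two reserved uint16s and a uint32 pixel-data offset, followed by a DIB header). It scans raw bytes rather than walking the PE resource tree, so it still works when the resource directory is damaged. The "sample" it builds is a constructed stand-in, not a real PE and not a Grandoreiro binary.

```python
"""Triage helper for BMP resource padding (T1027.001).

Added example, not code from the ATT&CK page or the ESET report. It relies only
on the BMP file format and on a constructed stand-in sample (not a real PE):
a tiny stub followed by valid bitmaps, which is the shape of a padded binary.
"""
import hashlib
import struct

BMP_FILE_HEADER = "<IHHI"   # size, reserved, reserved, pixel-data offset (after 'BM')


def scan_bmp_padding(data: bytes) -> dict:
    """Locate every structurally valid embedded BMP and report how much of the file it is."""
    total = len(data)
    blobs = []
    pos = 0
    while True:
        pos = data.find(b"BM", pos)
        if pos < 0 or pos + 14 > total:
            break
        size, _r1, _r2, offset = struct.unpack_from(BMP_FILE_HEADER, data, pos + 2)
        # A real BMP cannot run past the end of the file, and its pixel data must
        # start after the 14-byte file header plus the smallest DIB header (12 bytes).
        if 26 <= offset < size <= total - pos:
            blobs.append((pos, size))
            pos += size          # skip the whole image; do not rescan its pixels
        else:
            pos += 1             # 'BM' that is not a bitmap (text, code, coincidence)
    bmp_bytes = sum(size for _, size in blobs)
    return {
        "blobs": blobs,
        "bmp_bytes": bmp_bytes,
        "total_bytes": total,
        "ratio": bmp_bytes / total if total else 0.0,
    }


def strip_bmp_padding(data: bytes) -> bytes:
    """Return the file with all detected BMP blobs cut out (for cross-sample comparison)."""
    out = bytearray()
    last = 0
    for pos, size in scan_bmp_padding(data)["blobs"]:
        out += data[last:pos]
        last = pos + size
    out += data[last:]
    return bytes(out)


def padding_stripped_sha256(data: bytes) -> str:
    """Hash of the non-BMP bytes: two samples that differ only in padding hash the same."""
    return hashlib.sha256(strip_bmp_padding(data)).hexdigest()


def make_bmp(width: int, height: int) -> bytes:
    """Build a valid 24-bit BMP with zeroed pixels (used only to construct the sample)."""
    row = (width * 3 + 3) & ~3          # BMP rows are padded to 4-byte multiples
    pixels = row * height
    size = 14 + 40 + pixels
    file_hdr = b"BM" + struct.pack(BMP_FILE_HEADER, size, 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, pixels, 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + bytes(pixels)


def build_constructed_sample(*bitmaps: bytes) -> bytes:
    """Constructed stand-in for a padded binary: a tiny stub plus the given bitmaps."""
    stub = b"MZ" + bytes(62) + b"PE\0\0" + b"stand-in code; the word BMP here is a decoy"
    return stub + b"".join(bitmaps)


if __name__ == "__main__":
    sample = build_constructed_sample(make_bmp(200, 200), make_bmp(100, 50))
    report = scan_bmp_padding(sample)
    print(f"{len(report['blobs'])} bitmaps, {report['bmp_bytes']}/{report['total_bytes']} bytes "
          f"({report['ratio']:.1%}) are padding")
    rebuilt = build_constructed_sample(make_bmp(300, 300))   # same stub, different padding
    print("same core after stripping:",
          padding_stripped_sha256(sample) == padding_stripped_sha256(rebuilt))
```

Run scan_bmp_padding over a suspect file and treat a ratio above roughly 0.9, or tens of megabytes of bitmap in something that is not an image editor, as the trigger for a closer look; padding_stripped_sha256 then groups builds that share a core but were re-padded to defeat hash-based blocking. The decoy string in the stub shows the validation at work: a bare 'BM' whose size field does not fit the file is skipped, not counted.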
References
[1] ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get? Retrieved November 13, 2020.
[2] GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
[3] Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.