Skip to content

S0531 Grandoreiro

Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain.21

Item Value
ID S0531
Associated Names
Version 1.1
Created 10 November 2020
Last Modified 26 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Grandoreiro can bypass UAC by registering as the default handler for .MSC files.1
enterprise T1087 Account Discovery -
enterprise T1087.003 Email Account Grandoreiro can parse Outlook .pst files to extract e-mail addresses.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Grandoreiro has the ability to use HTTP in C2 communications.31
enterprise T1010 Application Window Discovery Grandoreiro can identify installed security tools based on window names.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Grandoreiro can use run keys and create link files in the startup folder for persistence.31
enterprise T1547.009 Shortcut Modification Grandoreiro can write or modify browser shortcuts to enable launching of malicious browser extensions.3
enterprise T1176 Browser Extensions Grandoreiro can use malicious browser extensions to steal cookies and other user information.3
enterprise T1185 Browser Session Hijacking Grandoreiro can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.231
enterprise T1115 Clipboard Data Grandoreiro can capture clipboard data from a compromised host.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.005 Visual Basic Grandoreiro can use VBScript to execute malicious code.21
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Grandoreiro can steal cookie data and credentials from Google Chrome.31
enterprise T1140 Deobfuscate/Decode Files or Information Grandoreiro can decrypt its encrypted internal strings.1
enterprise T1189 Drive-by Compromise Grandoreiro has used compromised websites and Google Ads to bait victims into downloading its installer.23
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms Grandoreiro can use a DGA for hiding C2 addresses, including use of an algorithm with a user-specific key that changes daily.21
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography Grandoreiro can use SSL in C2 communication.3
enterprise T1041 Exfiltration Over C2 Channel Grandoreiro can send data it retrieves to the C2 server.1
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.001 Windows File and Directory Permissions Modification Grandoreiro can modify the binary ACL to prevent security tools from running.1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running.1
enterprise T1562.004 Disable or Modify System Firewall Grandoreiro can block the Deibold Warsaw GAS Tecnologia security tool at the firewall level.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Grandoreiro can delete .LNK files created in the Startup folder.1
enterprise T1105 Ingress Tool Transfer Grandoreiro can download its second stage from a hardcoded URL within the loader’s code.31
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Grandoreiro can log keystrokes on the victim’s machine.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Grandoreiro has named malicious browser extensions and update files to appear legitimate.31
enterprise T1112 Modify Registry Grandoreiro can modify the Registry to store its configuration at HKCU\Software\ under frequently changing names including %USERNAME% and ToolTech-RM.1
enterprise T1106 Native API Grandoreiro can execute through the WinExec API.1
enterprise T1027 Obfuscated Files or Information The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.211
enterprise T1027.001 Binary Padding Grandoreiro has added BMP images to the resources section of its Portable Executable (PE) file increasing each binary to at least 300MB in size.1
enterprise T1027.011 Fileless Storage Grandoreiro can store its configuration in the Registry at HKCU\Software\ under frequently changing names including %USERNAME% and ToolTech-RM.1
enterprise T1566 Phishing -
enterprise T1566.002 Spearphishing Link Grandoreiro has been spread via malicious links embedded in e-mails.31
enterprise T1057 Process Discovery Grandoreiro can identify installed security tools based on process names.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Grandoreiro can list installed security products including the Trusteer and Diebold Warsaw GAS Tecnologia online banking protections.11
enterprise T1539 Steal Web Session Cookie Grandoreiro can steal the victim’s cookies to use for duplicating the active session from another device.3
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec Grandoreiro can use MSI files to execute DLLs.2
enterprise T1082 System Information Discovery Grandoreiro can collect the computer name and OS version from a compromised host.1
enterprise T1016 System Network Configuration Discovery Grandoreiro can determine the IP and physical location of the compromised host via IPinfo.1
enterprise T1033 System Owner/User Discovery Grandoreiro can collect the username from the victim’s machine.1
enterprise T1124 System Time Discovery Grandoreiro can determine the time on the victim machine via IPinfo.1
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Grandoreiro has used malicious links to gain execution on victim machines.31
enterprise T1204.002 Malicious File Grandoreiro has infected victims via malicious attachments.3
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks Grandoreiro can detect VMWare via its I/O port and Virtual PC via the vpcext instruction.1
enterprise T1102 Web Service -
enterprise T1102.001 Dead Drop Resolver Grandoreiro can obtain C2 information from Google Docs.2
enterprise T1102.002 Bidirectional Communication Grandoreiro can utilize web services including Google sites to send and receive C2 data.31