The notorious ‘Grandoreiro’ banking trojan was spotted in recent attacks targeting employees of a chemicals manufacturer in Spain and workers of automotive and machinery makers in Mexico.
The malware has been active in the wild since at least 2017 and remains one of the most significant threats of its kind for Spanish-speaking users.
The recent campaign, spotted by analysts at Zscaler, started in June 2022 and is still ongoing. It involves the deployment of a Grandoreiro malware variant featuring several new features to evade detection and anti-analysis, as well as a revamped C2 system.
Starts with an email
The infection chain begins with an email pretending to originate from the Attorney General’s Office of Mexico City or the Spanish Public Ministry, depending on the target.
The message topic revolves around state refunds, notices of litigation changes, cancellation of mortgage loans, and more.
The email contains a link redirecting victims to a website that drops a ZIP archive. That file encloses the Grandoreiro loader module masqueraded as a PDF file to trick the victim into launching it.
Once this happens, a Delphi payload is fetched from a remote HTTP file server (“http://15[.]188[.]63[.]127:36992/zxeTYhO.xml”) in the form of a compressed 9.2MB ZIP and is extracted and executed by the loader.
During that stage, the loader gathers system information, retrieves a list of installed AV programs, cryptocurrency wallets, and e-banking apps, and sends them to the C2.
The final payload, signed with a certificate stolen from ASUSTEK, is inflated to 400MB by “binary padding” so that sandboxes with file-size limits skip analysing it.
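As an added, defender-side illustration of the binary padding technique described above (example code, not from Zscaler's report or the Grandoreiro sample itself), the script below parses a PE's section table, measures the overlay that follows the last section, and flags a file whose overlay is both a large share of the file and made almost entirely of one byte value. The minimal PE skeleton and the two thresholds are constructed for the example.

```python
import struct
from collections import Counter

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes


def parse_sections(data: bytes):
    """Return (PointerToRawData, SizeOfRawData) for each section of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    out = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, data, table + i * 40)
        out.append((fields[4], fields[3]))  # PointerToRawData, SizeOfRawData
    return out


def padding_stats(data: bytes, min_overlay_frac=0.5, min_fill_frac=0.9):
    """Measure the overlay (bytes past the last section) and how uniform it is.
    A huge overlay that is almost all one byte value is the mark of binary padding.
    A small overlay is normal: Authenticode signatures live there, so size alone
    is not enough and the thresholds here are assumptions for the example."""
    image_end = max((p + s for p, s in parse_sections(data)), default=0)
    overlay = data[image_end:]
    fill_frac = Counter(overlay).most_common(1)[0][1] / len(overlay) if overlay else 0.0
    overlay_frac = len(overlay) / len(data)
    return {
        "overlay_bytes": len(overlay),
        "overlay_fraction": round(overlay_frac, 3),
        "fill_fraction": round(fill_frac, 3),
        "suspicious": overlay_frac >= min_overlay_frac and fill_frac >= min_fill_frac,
    }


def build_sample(padding: int, fill: int = 0x00) -> bytes:
    """Construct a minimal, non-executable PE skeleton (one section) for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)      # 1 section, no optional header
    sec = struct.pack(SECTION_HEADER, b".text", 0x200, 0x1000, 0x200, 0x80, 0, 0, 0, 0, 0x60000020)
    body = bytes(range(256)) * 2                                 # 0x200 bytes of varied content
    return dos + b"PE\0\0" + coff + sec + body + bytes([fill]) * padding


if __name__ == "__main__":
    for name, blob in (("clean", build_sample(0)), ("padded", build_sample(4096))):
        print(name, padding_stats(blob))
```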
In one case highlighted by security analyst Ankit Anubhav on Twitter, Grandoreiro even asks the victim to solve a CAPTCHA to run on the system, which is another attempt to evade analysis.
Finally, persistence between reboots is maintained by adding two new Registry keys, setting Grandoreiro to launch at system startup.
One of the new additions in the latest Grandoreiro variant sampled by Zscaler is the use of DGA (domain generation algorithm) for C2 communications, which makes mapping the malware’s infrastructure and taking it down challenging.
The C2 communication pattern is now identical to that of LatentBot, using “ACTION+HELLO” beacons and ID-based cookie value responses.
Portuguese cybersecurity blogger Pedro Tavares first spotted the commonalities between the two malware strains in 2020, but the assimilation of the C2 communication techniques into Grandoreiro’s code was completed only recently.
The backdoor capabilities of the malware on the host include:
Auto-update to newer versions and modules
Web injects and restricting access to specific websites
Guiding the victim’s browser to a specific URL
C2 Domain Generation via DGA (Domain Generation Algorithm)
Imitating mouse and keyboard movements
The recent campaign indicates that Grandoreiro’s operators are interested in conducting highly targeted attacks instead of sending large volumes of spam emails to random recipients.
Also, the continual evolution of the malware, giving it stronger anti-analysis and detection-avoidance features, lays the ground for stealthier operations.
While Zscaler’s report doesn’t dive deep into the specific goals of the current campaign, Grandoreiro’s operators have historically demonstrated financial motives, so it’s assumed the case remains the same.