Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Grandoreiro can steal cookie data and credentials from Google Chrome.[3][2] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Grandoreiro has named malicious browser extensions and update files to appear legitimate.[3][2] |
| Enterprise | T1112 | Modify Registry | Grandoreiro can modify the Registry to store its configuration at |
| Enterprise | T1115 | Clipboard Data | Grandoreiro can capture clipboard data from a compromised host.[3] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Grandoreiro can use SSL in C2 communication.[3] |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Grandoreiro can use a DGA for hiding C2 addresses, including use of an algorithm with a user-specific key that changes daily.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Grandoreiro can decrypt its encrypted internal strings.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Grandoreiro can use run keys and create link files in the startup folder for persistence.[3][2] |
| Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | Grandoreiro can write or modify browser shortcuts to enable launching of malicious browser extensions.[3] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Grandoreiro can use VBScript to execute malicious code.[1][2] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running.[2] |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Grandoreiro can block the Diebold Warsaw GAS Tecnologia security tool at the firewall level.[2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Grandoreiro has the ability to use HTTP in C2 communications.[3][2] |
| Enterprise | T1010 | Application Window Discovery | Grandoreiro can identify installed security tools based on window names.[2] |
| Enterprise | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | Grandoreiro can modify the binary ACL to prevent security tools from running.[2] |
| Enterprise | T1106 | Native API | Grandoreiro can execute through the |
| Enterprise | T1185 | Browser Session Hijacking | Grandoreiro can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.[1][3][2] |
| Enterprise | T1176 | Browser Extensions | Grandoreiro can use malicious browser extensions to steal cookies and other user information.[3] |
| Enterprise | T1189 | Drive-by Compromise | Grandoreiro has used compromised websites and Google Ads to bait victims into downloading its installer.[1][3] |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Grandoreiro has added BMP images to the resources section of its Portable Executable (PE) file, increasing each binary to at least 300MB in size.[2] |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | Grandoreiro can store its configuration in the Registry at |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.[1][2] |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Grandoreiro can bypass UAC by registering as the default handler for .MSC files.[2] |
| Enterprise | T1204.001 | User Execution: Malicious Link | Grandoreiro has used malicious links to gain execution on victim machines.[3][2] |
| Enterprise | T1204.002 | User Execution: Malicious File | Grandoreiro has infected victims via malicious attachments.[3] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Grandoreiro can delete .LNK files created in the Startup folder.[2] |
| Enterprise | T1539 | Steal Web Session Cookie | Grandoreiro can steal the victim's cookies to use for duplicating the active session from another device.[3] |
| Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Grandoreiro can use MSI files to execute DLLs.[1] |
| Enterprise | T1082 | System Information Discovery | Grandoreiro can collect the computer name and OS version from a compromised host.[2] |
| Enterprise | T1033 | System Owner/User Discovery | Grandoreiro can collect the username from the victim's machine.[2] |
| Enterprise | T1124 | System Time Discovery | Grandoreiro can determine the time on the victim machine via IPinfo.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Grandoreiro can determine the IP and physical location of the compromised host via IPinfo.[2] |
| Enterprise | T1102.001 | Web Service: Dead Drop Resolver | Grandoreiro can obtain C2 information from Google Docs.[1] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | Grandoreiro can utilize web services including Google Sites to send and receive C2 data.[3][2] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Grandoreiro can detect VMware via its I/O port and Virtual PC via the |
| Enterprise | T1087.003 | Account Discovery: Email Account | Grandoreiro can parse Outlook .pst files to extract e-mail addresses.[2] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Grandoreiro can list installed security products including the Trusteer and Diebold Warsaw GAS Tecnologia online banking protections.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | Grandoreiro can download its second stage from a hardcoded URL within the loader's code.[3][2] |
| Enterprise | T1056.001 | Input Capture: Keylogging | Grandoreiro can log keystrokes on the victim's machine.[2] |
| Enterprise | T1057 | Process Discovery | Grandoreiro can identify installed security tools based on process names.[2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Grandoreiro can send data it retrieves to the C2 server.[2] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Grandoreiro has been spread via malicious links embedded in e-mails.[3][2] |