

August 16, 2024
Severity
Medium
Analysis Summary
Grandoreiro is a globally widespread malware family that uses modular installers to evade detection. The malware abuses the victim's own privileges and access to perform fraudulent banking transactions, which lets its operators evade the security measures used by banking institutions. A specific DGA (Domain Generation Algorithm) is used by the malware to hide the command-and-control (CnC) addresses used during an attack. Grandoreiro follows a Malware-as-a-Service (MaaS) business model and is operated by many cybercrime groups. The malware is mainly used to target Brazilian and European banks. “The cluster targeting Brazil used hacked websites and Google Ads to drive users to download the malicious installer. The campaign targeting other countries used spear-phishing as the delivery method.”
Impact
- Credential Theft
- Information Theft
- Financial Loss
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement multi-factor authentication (MFA) mechanisms such as biometric verification or one-time passwords (OTPs) to add an extra layer of security to banking transactions.
- Utilize advanced threat detection and monitoring tools to proactively identify and respond to suspicious activities or anomalies indicative of mobile banking trojan activity.
- Adopt secure coding practices and conduct regular security assessments and code reviews to identify and remediate vulnerabilities in mobile banking applications.
- Educate users about the risks associated with mobile banking trojans including phishing scams, social engineering tactics, and suspicious app downloads.
- Establish partnerships with other financial institutions, cybersecurity firms, and law enforcement agencies to share threat intelligence and collaborate on the detection and mitigation of mobile banking trojan campaigns.
- Adhere to industry regulations and compliance standards governing data protection, privacy, and financial transactions.
- Deploy advanced security technologies such as endpoint detection and response (EDR) solutions, network intrusion detection systems (NIDS), and machine learning-based anomaly detection tools, to detect and prevent mobile banking trojan infections.
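As an added example of the IoC sweep recommended above (not part of the original advisory), the script below takes an indicator set in the same shape as this advisory's lists (IP addresses plus MD5, SHA-1 and SHA-256 digests), hashes files with all three algorithms in one pass, and matches proxy log lines against the IP list. All indicator values, the sample file and the log lines are constructed placeholders, not the advisory's real indicators.

```python
import hashlib
import os
import re
import tempfile

# Constructed placeholder indicators (documentation ranges), not the advisory's values.
IOC_IPS = {"192.0.2.10", "198.51.100.7"}

# Advisory hash lists are bare hex strings; classify them by digest length.
HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed proxy log lines used as sample input.
SAMPLE_LOG = [
    "2024-08-16T10:01:02Z client=10.0.0.5 dst=192.0.2.10:443 action=allow",
    "2024-08-16T10:01:03Z client=10.0.0.6 dst=203.0.113.9:443 action=allow",
    "2024-08-16T10:01:04Z client=10.0.0.7 dst=198.51.100.7:80 action=allow",
]

def classify_hash(h):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest by its length, else None."""
    h = h.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h):
        return None
    return HASH_BY_LEN.get(len(h))

def file_digests(path):
    """Compute MD5, SHA-1 and SHA-256 of a file in a single read pass."""
    hs = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hs.values():
                h.update(chunk)
    return {n: h.hexdigest() for n, h in hs.items()}

def match_file(path, ioc_hashes):
    """Return (algorithm, digest) pairs of `path` that appear in `ioc_hashes`."""
    return [(n, v) for n, v in file_digests(path).items() if v in ioc_hashes]

def match_log_lines(lines, ioc_ips):
    """Return (line_number, ip) for every log line containing an IoC IP."""
    return [(i, ip) for i, line in enumerate(lines, 1)
            for ip in IP_RE.findall(line) if ip in ioc_ips]

def demo():
    """Write a constructed sample file, seed the IoC set with its SHA-256, and sweep."""
    payload = b"constructed sample payload"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(payload)
        path = tmp.name
    try:
        file_hits = match_file(path, {hashlib.sha256(payload).hexdigest()})
    finally:
        os.unlink(path)
    return file_hits, match_log_lines(SAMPLE_LOG, IOC_IPS)
```

Feed it the advisory's real lists in place of the placeholders and point `match_file` at download directories and `match_log_lines` at proxy or firewall exports to get a first-pass sweep.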