August 28, 2024
Severity
Medium
Analysis Summary
Grandoreiro is a globally widespread banking malware that uses modular installers to evade detection. The malware abuses the victim's own privileges and session access to perform fraudulent banking transactions, which lets the operators bypass the fraud controls used by banking institutions. A custom DGA (Domain Generation Algorithm) is used to hide the CnC addresses contacted during an attack. Grandoreiro follows a Malware-as-a-Service (MaaS) business model and is operated by many cybercrime groups. The malware is mainly used to target Brazilian and European banks. “The cluster targeting Brazil used hacked websites and Google Ads to drive users to download the malicious installer. The campaign targeting other countries used spear-phishing as the delivery method.”
Impact
- Credential Theft
- Information Theft
- Financial Loss
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement multi-factor authentication (MFA) mechanisms such as biometric verification or one-time passwords (OTPs) to add an extra layer of security to banking transactions.
- Utilize advanced threat detection and monitoring tools to proactively identify and respond to suspicious activities or anomalies indicative of mobile banking trojan activity.
- Adopt secure coding practices and conduct regular security assessments and code reviews to identify and remediate vulnerabilities in mobile banking applications.
- Educate users about the risks associated with mobile banking trojans including phishing scams, social engineering tactics, and suspicious app downloads.
- Establish partnerships with other financial institutions, cybersecurity firms, and law enforcement agencies to share threat intelligence and collaborate on the detection and mitigation of mobile banking trojan campaigns.
- Adhere to industry regulations and compliance standards governing data protection, privacy, and financial transactions.
- Deploy advanced security technologies such as endpoint detection and response (EDR) solutions, network intrusion detection systems (NIDS), and machine learning-based anomaly detection tools to detect and prevent mobile banking trojan infections.