Severity
Medium
Analysis Summary
Grandoreiro is a globally widespread banking malware that uses modular installers to evade detection. The malware abuses the victim’s privileges and access to perform fraudulent banking transactions, which helps its operators evade the security measures used by banking institutions. A specific DGA (Domain Generation Algorithm) is used by the malware to hide the CnC (command-and-control) addresses used during an attack. Grandoreiro follows a Malware-as-a-Service (MaaS) business model and is operated by many cybercrime groups. The malware is mainly used to target Brazilian and European banks. “The cluster targeting Brazil used hacked websites and Google Ads to drive users to download the malicious installer. The campaign targeting other countries used spear-phishing as the delivery method.”
Impact
- Credential Theft
- Information Theft
- Financial Loss
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement multi-factor authentication (MFA) mechanisms such as biometric verification or one-time passwords (OTPs) to add an extra layer of security to banking transactions.
- Utilize advanced threat detection and monitoring tools to proactively identify and respond to suspicious activities or anomalies indicative of a mobile banking trojan infection.
- Adopt secure coding practices and conduct regular security assessments and code reviews to identify and remediate vulnerabilities in mobile banking applications.
- Educate users about the risks associated with mobile banking trojans including phishing scams, social engineering tactics, and suspicious app downloads.
- Establish partnerships with other financial institutions, cybersecurity firms, and law enforcement agencies to share threat intelligence and collaborate on the detection and mitigation of mobile banking trojan campaigns.
- Adhere to industry regulations and compliance standards governing data protection, privacy, and financial transactions.
- Deploy advanced security technologies such as endpoint detection and response (EDR) solutions, network intrusion detection systems (NIDS), and machine learning-based anomaly detection tools to detect and prevent mobile banking trojan infections.