December 31, 2024
Severity
Medium
Analysis Summary
Grandoreiro is a globally widespread banking malware that uses modular installers to evade detection. The malware abuses the victim's own privileges and access to perform fraudulent banking transactions, which helps its operators bypass the security measures used by banking institutions. A specific DGA (Domain Generation Algorithm) is used by the malware to hide the CnC addresses used during an attack. Grandoreiro follows a Malware-as-a-Service (MaaS) business model and is operated by many cybercrime groups. The malware is mainly used to target Brazilian and European banks. “The cluster targeting Brazil used hacked websites and Google Ads to drive users to download the malicious installer. The campaign targeting other countries used spear-phishing as the delivery method.”
Impact
- Credential Theft
- Information Theft
- Financial Loss
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement multi-factor authentication (MFA) mechanisms such as biometric verification or one-time passwords (OTPs) to add an extra layer of security to banking transactions.
- Utilize advanced threat detection and monitoring tools to proactively identify and respond to suspicious activities or anomalies indicative of mobile banking trojan activity.
- Adopt secure coding practices and conduct regular security assessments and code reviews to identify and remediate vulnerabilities in mobile banking applications.
- Educate users about the risks associated with mobile banking trojans including phishing scams, social engineering tactics, and suspicious app downloads.
- Establish partnerships with other financial institutions, cybersecurity firms, and law enforcement agencies to share threat intelligence and collaborate on the detection and mitigation of mobile banking trojan campaigns.
- Adhere to industry regulations and compliance standards governing data protection, privacy, and financial transactions.
- Deploy advanced security technologies such as endpoint detection and response (EDR) solutions, network intrusion detection systems (NIDS), and machine learning-based anomaly detection tools to detect and prevent mobile banking trojan infections.