
Introduction 

The Grandoreiro banking trojan, a notorious malware primarily targeting banks, has resurfaced in a global campaign since March 2024. After a temporary disruption by law enforcement in January, this sophisticated malware has returned, impacting over 1500 banks across 60 countries.  

Background 

Initially confined to Latin America, Spain, and Portugal, Grandoreiro has expanded its reach significantly. The latest campaign targets entities in Central and South America, Africa, Europe, and the Indo-Pacific. The operators behind Grandoreiro utilise a Malware-as-a-Service (MaaS) model, which has contributed to its widespread distribution. 

Tactics, Techniques, and Procedures (TTPs) 

  1. Phishing Emails: The primary method of distribution for Grandoreiro involves large-scale phishing campaigns. Emails impersonate government entities and financial institutions, urging recipients to click on links to view invoices, account statements, or make payments. 
  2. Loader and CAPTCHA Mechanism: Once a link is clicked, users are redirected to an image of a PDF icon, which triggers the download of a ZIP file containing a loader executable. The loader is inflated to over 100MB to evade antivirus scans and presents a CAPTCHA pop-up to bypass automated execution environments. 
  3. Geolocation and Environment Checks: The loader checks the public IP address and running environment to ensure it is not a sandbox or located in specific countries like Russia, Czechia, Poland, or the Netherlands. It also avoids execution on Windows 7 machines in the US without antivirus protection. 
  4. Command and Control (C2) Communication: Grandoreiro establishes persistence via the Windows registry and uses a reworked Domain Generation Algorithm (DGA) for C2 communication, ensuring robust command execution and data exfiltration. 
  5. Email Harvesting and Spamming: The malware harvests email addresses from infected Outlook clients and uses the victim’s account to send out further phishing emails, aiding its spread. 

Preventive Measures 

  1. Email Caution: Exercise extreme caution with emails that prompt file downloads or request sensitive information. Verify the sender’s authenticity before clicking on any links or downloading attachments.
  2. Network Monitoring: Monitor network traffic for unusual activity, such as multiple consecutive requests to IP geolocation services like http://ip-api.com/json, which could indicate an infection. 
  3. DNS Blocking: Block known malicious domains and pre-calculated DGA domains at the DNS level to prevent the malware from communicating with its C2 servers. 
  4. Endpoint Security: Install and configure robust endpoint security solutions that can detect and block malicious activities. Ensure antivirus and antimalware tools are up to date. 
  5. Staff Training: Educate employees about phishing tactics and the importance of cyber security hygiene. Regular training can help prevent inadvertent malware infections. 
  6. Registry Monitoring: Regularly check Windows registry keys used for persistence, such as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
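The network monitoring measure above can be turned into a concrete detection rule. The following Python script is an added example written for this page, not code from the advisory or from any vendor tool: it scans proxy log lines for hosts that make several requests to an IP geolocation service within a short window. The log format, the threshold of three requests in sixty seconds, and the sample lines are all constructed assumptions; the only endpoint taken from the advisory is ip-api.com.

```python
"""Flag hosts that repeatedly query a public IP geolocation service.

Added example for the Grandoreiro advisory: a burst of requests to
ip-api.com from one client is the traffic pattern the advisory says
to watch for. Thresholds and log format are assumptions, not vendor defaults.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Geolocation hosts to watch. ip-api.com is the one named in the advisory;
# extend the set with other services your environment sees.
GEOLOCATION_HOSTS = {"ip-api.com"}

# Constructed sample proxy log (not real traffic).
# Format assumed here: "<ISO timestamp> <client ip> <method> <url>"
SAMPLE_PROXY_LOG = """\
2024-05-20T09:00:01 10.0.0.5 GET http://ip-api.com/json
2024-05-20T09:00:03 10.0.0.5 GET http://ip-api.com/json
2024-05-20T09:00:04 10.0.0.5 GET http://ip-api.com/json
2024-05-20T09:00:09 10.0.0.5 GET http://ip-api.com/json/?fields=country
2024-05-20T09:01:00 10.0.0.7 GET https://www.example.com/invoice.pdf
2024-05-20T09:02:00 10.0.0.9 GET http://ip-api.com/json
2024-05-20T12:30:00 10.0.0.9 GET http://ip-api.com/json
"""


def parse_line(line):
    """Split one log line into (timestamp, client ip, lower-cased URL host)."""
    ts, src, _method, url = line.split(maxsplit=3)
    host = (urlparse(url).hostname or "").lower()
    return datetime.fromisoformat(ts), src, host


def find_repeated_geolocation_lookups(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {client_ip: peak_count} for clients that reached `threshold`
    geolocation requests inside any sliding `window`.

    A single lookup (an admin tool, a one-off check) never trips the rule;
    only a burst from the same client does, which matches the advisory's
    "multiple consecutive requests" wording.
    """
    recent = defaultdict(deque)   # client ip -> timestamps inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host = parse_line(line)
        if host not in GEOLOCATION_HOSTS:
            continue
        q = recent[src]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(q))
    return alerts


if __name__ == "__main__":
    for client, count in find_repeated_geolocation_lookups(SAMPLE_PROXY_LOG).items():
        print(f"ALERT {client}: {count} geolocation lookups within 60s")
```

In the constructed sample, 10.0.0.5 issues four lookups in nine seconds and is flagged, while 10.0.0.9 makes two lookups three and a half hours apart and is not. Adapt `parse_line` to your proxy's actual log format, and tune the window and threshold against a baseline of normal traffic before routing alerts to analysts.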

What to Do If Infected 

  1. Isolate the System: Immediately disconnect the infected system from the network to prevent further spread. 
  2. Incident Response: Engage your IT or cyber security team to conduct a thorough investigation and implement incident response procedures. 
  3. Restore from Backup: Restore affected systems from clean backups to ensure no remnants of the malware remain. 
  4. Change Passwords: Change passwords for all accounts accessed from the infected system, as keylogging may have compromised them. 
  5. Notify Authorities: Report the incident to relevant cyber security authorities and seek guidance on further steps. 

The resurgence of the Grandoreiro banking trojan highlights the persistent threat posed by advanced malware. By understanding its TTPs and implementing robust preventive measures, businesses and individuals can significantly reduce the risk of infection and mitigate the impact of potential breaches. 

For further information and detailed technical analysis, refer to resources provided by cyber security experts and organisations tracking this threat.  Further information available at: