As part of an ongoing series on Latin American banking trojans, ESET researchers take an in-depth look at Grandoreiro. This trojan targets users especially in Brazil, Mexico, Spain and Peru. Distributed almost exclusively through email spam, it has lately started to utilise fake websites capitalising on the global coronavirus pandemic. Grandoreiro reveals a persistent effort from its authors to evade detection.
Although ESET has seen Grandoreiro primarily distributed through spam, where the authors usually utilise a fake Java or Flash update, recently we have observed a shift to COVID19 related scams. The trojan was hiding in videos on fake websites promising information about the coronavirus. However, instead of playing, clicking the video leads to the download of a payload on visitors’ devices.
Grandoreiro has been active since at least 2017 in Brazil and Peru, expanding to Mexico and Spain in 2019. As with other Latin American banking trojans in this series, Grandoreiro attacks its victims by displaying fake pop-up windows as a ploy to get them to divulge sensitive information.
The backdoor functionality of Grandoreiro includes manipulating windows; updating itself; capturing keystrokes; simulating mouse and keyboard actions; navigating browsers to chosen URLs; signing out and restarting machines; and blocking access to websites. Grandoreiro collects various information about affected machines and, in some versions, it also steals credentials stored in Google Chrome as well as data stored in Microsoft Outlook browsers.
“For a Latin American banking trojan, Grandoreiro utilises a surprisingly large number of tricks to evade detection and emulation. That includes many techniques to detect or even disable banking protection software,” says ESET researcher Robert Šuman, leading the team analysing Grandoreiro. “They seem to be developing the banking trojan very rapidly. Almost every new version we see introduces some changes. We also suspect they are developing at least two variants simultaneously. Interestingly, from a technical point of view, they also utilize a very specific application of the binary padding technique that makes it hard to get rid of the padding while keeping a valid file,” adds Šuman.
Unlike the majority of Latin American banking trojans, Grandoreiro utilises quite small distribution chains. For different campaigns, it may choose a different type of downloader. These downloaders are often stored on well-known public online sharing services such as GitHub, Dropbox, Pastebin, 4shared or 4Sync.
Discussion about this post