Advisory ID: ngCERT-2024-0019
Summary:
Grandoreiro, a multi-component banking trojan that runs as Malware-as-a-Service (MaaS), is targeting more than 1,500 banks globally. According to reports, the malware has infected banking applications and websites in more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific. Investigation further revealed that the malware has infected more than 41 banking applications in Nigeria. The new version includes significant changes such as string decryption and DGA calculation, allowing at least 12 different C2 domains per day. Grandoreiro's attack chain includes obtaining email addresses from affected hosts and delivering more phishing attempts through the Microsoft Outlook client. Cybercriminals could use the software to gather sensitive financial data, potentially resulting in financial losses. This underscores the need for network and system administrators as well as device users to put safeguards in place to prevent likely attacks.
Damage/Probability: CRITICAL/HIGH
Platform(s): Windows & Android
Description:
The Grandoreiro banking trojan is spread through large-scale phishing campaigns, where threat actors send emails impersonating government entities and financial institutions. These emails entice recipients to click on links to view documents or notices, such as account statements or payment requests, leading to the download of a ZIP file containing a loader executable. The loader is designed to evade antivirus detection by inflating its size and presenting a CAPTCHA to distinguish real users from automated systems. Once executed, the loader checks the environment to avoid sandboxes or unprotected Windows 7 machines and collects victim data such as computer and user names, operating system version, antivirus name, public IP address, and running processes. This information is encrypted and sent to a command & control (C2) server. The malware also checks for Microsoft Outlook clients, crypto wallets, and specific banking security products. To ensure persistence, the malware modifies the Windows registry, and it uses a Domain Generation Algorithm (DGA) for C2 communication. It harvests email addresses from Outlook, sending further phishing emails from the victim’s account after disabling Outlook alerts. It avoids collecting certain email addresses, like those containing "noreply" or "newsletter", and scans victim folders for files with specific extensions to find more addresses. The malware sends spam emails based on templates from its C2 server, ensuring the emails are sent only when the user has been inactive for a certain period, and immediately deletes all the sent emails from the victim’s mailbox. Besides its banking trojan capabilities, the malware allows cybercriminals to control the infected computer, perform keylogging, manage windows and processes, open a browser and execute JavaScript, upload or download files, and send emails.
Consequences:
The following could happen if this banking malware is successfully installed:
- Compromise of systems and banking applications.
- Sensitive data exfiltration.
- Further spread via email from infected victims’ inboxes.
- Financial fraud through compromised systems.
- Invasion of privacy.
- Denial of Service (DoS) attack.
- Identity theft.
Solution:
It is recommended that system administrators and users:
- Refrain from opening suspicious emails that prompt file downloads or request sensitive information.
- Verify the sender’s authenticity before clicking on any links or downloading attachments.
- Download software from official websites and direct download links.
- Update installed programs through implemented functions or tools provided by official software developers.
- Regularly scan the operating system for threats with a reputable antivirus or anti-spyware suite and keep this software up to date.
- Install and configure robust endpoint security solutions that can detect and block malicious activities.
- Monitor network traffic for unusual activity, such as multiple consecutive requests to IP geolocation services like http://ip-api.com/json, which could indicate an infection.
- Block known malicious domains and pre-calculated DGA domains at the DNS level to prevent the malware from communicating with its C2 servers.
- Educate employees about phishing tactics and the importance of cyber security hygiene.
- Regularly check Windows registry keys used for persistence, such as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
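As an added illustration of the network-monitoring advice above (example code, not part of the advisory), the Python below scans web-proxy log lines and flags any host that queries the ip-api.com/json geolocation endpoint several times within a short window; the log format, thresholds, and sample lines are constructed assumptions, not observed data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: "<ISO timestamp> <client IP> <method> <URL>".
# 10.0.0.15 shows the burst pattern the advisory describes; 10.0.0.22 does not.
SAMPLE_LOG = """\
2024-05-20T09:00:01 10.0.0.15 GET http://ip-api.com/json
2024-05-20T09:00:03 10.0.0.15 GET http://ip-api.com/json
2024-05-20T09:00:04 10.0.0.15 GET http://ip-api.com/json
2024-05-20T09:00:09 10.0.0.15 GET http://ip-api.com/json
2024-05-20T09:00:10 10.0.0.22 GET https://intranet.example.local/home
2024-05-20T09:15:00 10.0.0.22 GET http://ip-api.com/json
2024-05-20T12:30:00 10.0.0.22 GET http://ip-api.com/json
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)$")
GEOLOOKUP = "ip-api.com/json"  # endpoint named in the advisory


def parse_line(line):
    """Return (timestamp, client_ip, url) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_suspicious_hosts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: max_hits} for hosts with at least `threshold`
    geolocation lookups inside any sliding `window` (assumed tuning values)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and GEOLOOKUP in parsed[2]:
            hits[parsed[1]].append(parsed[0])

    flagged = {}
    for host, times in hits.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


if __name__ == "__main__":
    print(find_suspicious_hosts(SAMPLE_LOG))  # {'10.0.0.15': 4}
```

Hosts returned by this check warrant follow-up with the registry and DNS checks listed above rather than immediate blocking, since a single lookup can be legitimate.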
References:
- https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/
- https://thehackernews.com/2024/05/grandoreiro-banking-trojan-resurfaces.html
- https://www.infosecurity-magazine.com/news/grandoreiro-banking-trojanmajor
- https://cyberfraudcentre.com/understanding-and-preventing-the-grandoreiro-banking-trojan