Advisory ID: NTR-061224-01
Summary:
A new and sophisticated variant of banking malware called Grandoreiro, has been identified, targeting financial institutions and individuals globally. Grandoreiro has evolved with new features and capabilities since it first appeared around 2016. This malware is deployed via phishing emails and malicious websites masquerading as cryptocurrency trading platforms, aiming to steal sensitive financial credentials, perform unauthorised transactions, and exfiltrate cryptocurrency wallet keys.
The malware employs advanced obfuscation techniques to evade detection and uses phishing tactics to lure victims into downloading trojanized installers. These installers contain payloads capable of intercepting two-factor authentication codes and mimicking legitimate banking app activities. This report highlights technical details, IOCs, and actionable steps to mitigate the threat.
Damage/Probability: CRITICAL/HIGH
Platform(s): Finance Apps
Description:
The new version of Grandoreiro has adopted a cryptographic technique known as Ciphertext Stealing (CTS). It aims to encrypt the malicious code strings. “Grandoreiro has a large and complex structure, which would make it easier for security tools or analysts to detect if its strings were not encrypted. This is likely why they introduced this new technique to complicate the detection and analysis of their attacks.
Grandoreiro operates and adopted new tricks such as the usage of Domain Generation Algorithms (DGAs) in its command and control (C&C) communications to hide its C&C servers, the adoption of Ciphertext Stealing Encryption (CTS) for advanced encryption, mouse behaviour tracking, advanced sandbox evasion codes, aiming to avoid detection. Key tactics include:
Delivery and Persistence: Delivered through spear-phishing emails with malicious links, it downloads as a Windows Installer (MSI) file. It executes embedded DLLs or VBS scripts to retrieve an encrypted payload, transitioning from XOR-based encryption to base64-encoded ZIP files. The malware registers itself on Windows startup for persistence.
Evasion Tactics: Grandoreiro employs advanced techniques to bypass security solutions like antivirus and banking security systems. These include sandbox evasion, binary padding with large BMP files, fraudulent digital certificates, and CAPTCHAs to impede automated analysis. Its C2 communications leverage Domain Generation Algorithms (DGAs) to hide C&C servers.
Encryption Enhancements: Adopting Ciphertext Stealing (CTS) encryption and robust anti-debugging methods in its loader phase complicates detection and analysis.
Credential Theft and Control: The malware monitors browser and email activity, collects host details, and hijacks clipboard content to replace cryptocurrency wallet addresses. Fake banking login screens capture credentials and 2FA codes, enabling attackers to control victims' accounts.
This highly adaptive malware remains a significant threat to financial institutions, combining credential theft, remote control capabilities, and evasion tactics to execute fraudulent activities undetected.
Consequences:
The discovered malware poses severe risks to both individuals and organizations:
- Financial loss arising from unauthorized transactions and stolen cryptocurrency assets.
- Data compromise, as leaked credentials can be sold or reused for broader attacks.
- In addition to financial theft, Grandoreiro can capture personal information that may be used for identity theft or sold on the dark web.
- Operational disruption, as persistent infections may hinder IT operations and require extensive remediation.
- Increased phishing exposure, as users redirected to fraudulent cryptocurrency websites may fall victim to further scams.
Solution:
The following steps are preventive measures that you could advise your constituents on to protect their infrastructure.
For Organizations:
-
Educate employees on phishing attacks and safe browsing practices to reduce risks.
-
Deploy advanced endpoint protection solutions that are confirmed to be effective against Grandoreiro and other similar malware.
-
Ensure all systems have up-to-date antivirus solutions.
-
Block access to known malicious and suspicious domains.
-
Regularly update all software, operating systems, and third-party applications to mitigate exploitation risks.
-
Enforce strong password policies and implement multi-factor authentication (MFA) wherever possible.
-
For Individuals:
-
Only interact with verified and legitimate cryptocurrency platforms. Check the domain authenticity before entering sensitive information.
-
Refrain from downloading installers or files from untrusted sources.
-
Use updated security solutions on personal devices.
-
Review financial and cryptocurrency accounts regularly for unauthorized activities.
-
Keep encrypted backups of wallet keys and other sensitive data in offline storage.
References: