{
	"id": "7c7bb18c-c6be-4e2d-9c80-425bd3cb2a12",
	"created_at": "2026-04-06T00:17:54.171329Z",
	"updated_at": "2026-04-10T13:12:47.393164Z",
	"deleted_at": null,
	"sha1_hash": "646f04485d327e6f2760ac6a6ef8d245dd03e9a1",
	"title": "Grandoreiro banking trojan unleashed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 11465394,
	"plain_text": "Grandoreiro banking trojan unleashed\r\nBy Golo Mühr, Melissa Frydrych\r\nPublished: 2024-05-16 · Archived: 2026-04-05 20:13:32 UTC\r\nSince March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro\r\nbanking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates\r\nwithin the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients\r\non infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global\r\nbanks, enabling attackers to perform banking fraud in over 60 countries including regions of Central and South America,\r\nAfrica, Europe, and the Indo-Pacific. Although campaigns have traditionally been limited to Latin America, Spain and\r\nPortugal, X-Force observed recent campaigns impersonating Mexico’s Tax Administration Service (SAT), Mexico’s Federal\r\nElectricity Commission (CFE), Mexico’s Secretary of Administration and Finance, the Revenue Service of Argentina, and\r\nnotably the South African Revenue Service (SARS). 
The reworked malware and new targeting may indicate a change in strategy since the latest law enforcement action against Grandoreiro, likely prompting the operators to start expanding the deployment of Grandoreiro in global phishing campaigns, beginning with South Africa.\r\nKey findings\r\nGrandoreiro is a multi-component banking trojan likely operated as a Malware-as-a-Service (MaaS).\r\nIt is actively deployed in phishing campaigns impersonating government entities in Mexico, Argentina and South Africa.\r\nThe banking trojan specifically targets over 1500 global banking applications and websites in over 60 countries including regions in Central/South America, Africa, Europe, and the Indo-Pacific.\r\nThe latest variant contains major updates including string decryption and DGA calculation, allowing at least 12 different C2 domains per day.\r\nGrandoreiro supports harvesting email addresses from infected hosts and using their Microsoft Outlook client to send out further phishing campaigns.\r\nGrandoreiro operators expand campaigns\r\nLATAM-focused campaigns\r\nSince March 2024, X-Force has observed phishing campaigns impersonating Mexico’s Tax Administration Service (SAT), Mexico’s Federal Electricity Commission (CFE), the Secretary of Administration and Finance for the city of Mexico, and the Revenue Service of Argentina. The emails target users within Latin America, including top-level domains (TLDs) from Mexico, Colombia, and Chile “.mx“, “.co“, and “.cl“. 
Any real identities have been redacted from the images for personal privacy.\r\nhttps://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/\r\nPage 1 of 34\r\nThe first campaign appears to be an attempt to be perceived as official and urgent and informs the target that they are receiving a final notice regarding a debit to the Federal Taxpayer Registration Fee (RFC) that has not been paid. If unpaid, consequences may include penalties, fines and a block on the user’s tax identification number impacting the target’s ability to conduct business and access government services legally. An additional campaign impersonates Mexico’s Federal Electricity Commission (CFE) and reminds the recipient that they subscribed to CFEMail, and therefore can access their account statement in PDF and XML format by clicking one of the embedded links. A third campaign imitating the Secretary of Administration and Finance directs the recipient to click on a PDF to read details regarding a compliance notice. A campaign imitating the Revenue Service of Argentina instructs the user to download a new tax document and take applicable actions.\r\nIn each campaign, the recipients are instructed to click on a link to view an invoice or fee, account statement, make a payment, etc. depending on the impersonated entity. If the user who clicks on the links is within a specific country (depending on the campaign, Mexico, Chile, Spain, Costa Rica, Peru, or Argentina), they are redirected to an image of a PDF icon, and a ZIP file is downloaded in the background. 
The ZIP files contain a large executable disguised with a PDF icon, found to have been created the day prior to, or the day of the email being sent.\r\nFig 1, 2: Sample emails impersonating SAT, and CFE\r\nFig 3, 4: Secretary of Admin and Finance, and AFIP\r\nCampaign Impersonating the South African Revenue Service\r\nTypically Grandoreiro malware is seen in campaigns that target users within Latin America; however, after recent arrests made involving Grandoreiro operators, X-Force has seen a surge in campaigns reaching areas outside of LATAM, including TLDs from Spain, Japan, the Netherlands, and Italy. X-Force observed a phishing campaign impersonating the South African Revenue Service (SARS), purporting to be from the Taxpayer Assistance Services Division. Likely executed by the same operator, X-Force also observed two campaigns impersonating the Tax Administration Service of Mexico. Emails are written in either English or Spanish, and resemble the same format. The emails reference a Tax number and inform the recipient that they are receiving an electronic tax invoice that is in compliance with the regulations set forth by the South African Revenue Service, or in accordance with the regulations of the Tax Administration Service. 
The user is provided both a PDF or XML link to view the invoice which initiates a ZIP archive download containing the Grandoreiro loader executable “SARS 35183372 eFiling 32900947.exe” (digits vary between samples).\r\nFig 5, 6, 7: Sample emails impersonating SAT and SARS\r\nAnalysis: Grandoreiro Loader\r\nIn line with previous campaigns, Grandoreiro’s infection chain begins with a custom loader. Often, the executable is bloated to a size of more than 100MB to hinder automatic anti-virus scanning. In hopes of circumventing automated execution, it displays a small CAPTCHA pop-up imitating Adobe PDF reader, which requires a click to continue with the execution.\r\nFig 8: Grandoreiro fake Adobe PDF reader CAPTCHA\r\nThe loader has three main tasks:\r\n1. Verify if the client is a legitimate victim (not a researcher or a sandbox)\r\n2. Enumerate basic victim data and send it back to its C2\r\n3. Download, decrypt and execute the Grandoreiro banking trojan\r\nString decryption\r\nAll of these tasks require more than 120 important strings, which are encrypted using an improved algorithm.\r\nFirst, Grandoreiro starts by generating a large key string, which is hardcoded and triple-Base64-encoded. The key observed in these samples begins with “D9JL@2]790B{P_D}Z-MXR\u0026EZLI%3W\u003e#VQ4UF+O6XVWB16713NIO!E…”. 
It then takes the encrypted string and uses a custom decoding to convert it into a series of hexadecimal characters interpreted as bytes.\r\nFig 9: Grandoreiro custom hex encoding (note that non-hex character encoding like ‘”‘ are never used)\r\nGrandoreiro decrypts the result via the old Grandoreiro algorithm using the key string. Below is a Python implementation of the decryption routine:\r\nLastly, it undergoes a final round of 256-bit AES CBC decryption and unpadding to retrieve the plaintext string. Both the AES key and Initialization Vector (IV) are also stored as encrypted strings and have to be decrypted using the same algorithm as above, but skipping the AES decryption. The graph below gives an overview of the full decryption process:\r\nFig 10: Grandoreiro loader string decryption\r\nVictim verification\r\nTo verify that a victim is not part of a sandboxed environment, the Grandoreiro loader collects the following information and checks it against a list of hardcoded values (see Appendix):\r\n1. Computer name\r\n2. Username\r\n3. OS version information\r\n4. Installed Antivirus solution\r\n5. Country of the victim’s public IP (via http://ip-api.com/json)\r\n6. List of running processes\r\nThis verification step is also used to disallow victims of specific countries. 
One sample did not continue execution for infections with public IPs from:\r\nRussia\r\nCzechia\r\nPoland\r\nNetherlands\r\nThe sample also prevented infections of Windows 7 machines based in the US without anti-virus.\r\nVictim profiling\r\nThe next execution step attempts to build a basic profile of the victim to display on the C2 panel. The malware enumerates the following information on the victim machine:\r\nPublic IP country\r\nPublic IP region\r\nPublic IP city\r\nComputer name\r\nUsername\r\nOS Version information\r\nInstalled AV solution\r\nCheck in the registry subkey “Software\\Clients\\Mail” if the Outlook mail client is installed. If true, the value is set to “SIM”, which means “Yes” in Portuguese\r\nCheck if crypto-wallets exist: Binance, Electrum, Coinomi, Bitbox, OPOLODesk, Bitcoin\r\nCheck if special banking security software is installed: IBM Trusteer, Topaz OFD, Diebold\r\nNumber of Desktop monitors\r\nVolume Serial Number\r\nDate of infection\r\nTime of infection\r\nGrandoreiro concatenates the results using the string “*~+” and sends it as part of the encrypted payload request to the C2 server.\r\nC2 communication and loading Grandoreiro\r\nGrandoreiro loader’s C2 server can be decrypted via the same algorithm explained above. The resulting domain name is resolved via DNS over HTTPS through the URL https://dns.google/resolve?name=\u003cC2 server\u003e to circumvent DNS-based blocking. After receiving the C2 IP address, the malware takes the first 4 digits of the IP and runs 4 different digit-to-digit mappings over it resulting in the 4-digit port number.\r\nIt then concatenates the victim profiling string from above together with a capitalized Portuguese message “CLIENT_SOLICITA_DDS_MDL” (likely translated to “Client asks for module data”). 
An example string would be:\r\nThe string is encrypted and sent as the URL path via an HTTP GET request to the C2 server requesting the final Grandoreiro payload.\r\nIf successful, the C2 server replies with an HTTP 200 status code containing another encrypted message. It contains the following information:\r\n1. Payload download URL\r\n2. C2 server\r\n3. Directory name\r\n4. Payload name\r\n5. Payload size\r\nExample:\r\nTo download, Grandoreiro issues another HTTP GET request to the payload URL. The downloaded file is stored in the specified directory name under “C:\\ProgramData\\“. Next, the file is decrypted via an RC4-based algorithm using the key “7684223510”. Finally, it is decompressed using the “ZipForge” Delphi library, and the originally downloaded file is deleted.\r\nThe archive may contain two files, a .EXE (Grandoreiro banking trojan) and a .CFG (config file).\r\nPrior to execution, the loader performs an enumeration of the current process token’s group membership, specifically checking for the presence of the SECURITY_NT_AUTHORITY SID. If the process possesses the required privileges, the loader utilizes the ShellExecuteW() function with the ‘runas’ verb to execute the Grandoreiro payload with elevated privileges. Conversely, if the necessary privileges are not available, the loader resorts to executing itself via ShellExecuteW() without elevation.\r\nDuring all stages of infection—the payload download, decryption, and execution—the Grandoreiro loader reports back status messages to its C2 server. 
Some examples are:\r\nERRO_FALHA_DOWNLOAD (“Download failed error”)\r\nERRO_EXTRACAO (“Extraction error”)\r\nAV_COMEU_MODULO (“AV ate module”)\r\nERRO_EXECUCAO (“Execution error”)\r\nINFECTADO (“Infected”)\r\nThe final payload is the Grandoreiro banking trojan. The latest version has undergone major updates mainly within the string decryption and DGA calculation algorithms. It has also included a vast number of global banking applications to target, support execution and enable attackers to perform banking fraud in dozens of countries. Together with a specialized Outlook spreader module and a wide range of features, it is one of the largest known banking trojans and analysis is still ongoing. The following sections present an in-depth look at Grandoreiro’s most notable characteristics, highlighting its essential features and functionalities.\r\nPersistence and configuration\r\nGrandoreiro begins by establishing persistence via the Windows registry. It runs the following command to create a new registry Run key and launch the malware on user login:\r\nNote that the name of the key may differ among samples, but is often related to the original filename of the downloaded payload. If Grandoreiro does not run in an elevated process, the “/runas” verb is omitted.\r\nIn addition to the .CFG file, Grandoreiro also creates a .XML file in the C:\\Public\\ directory. It is encrypted via the loader’s string encryption routine and stores the Grandoreiro executable filename, path and date of infection.\r\nIf Grandoreiro can’t find its .CFG file, it will populate a new .CFG with default values specifying which Grandoreiro functions are enabled, the victim’s country and date of infection. 
The .CFG file is encrypted via the Grandoreiro string encryption algorithm explained further below.\r\nTargeted applications\r\nGrandoreiro operators significantly upgraded the list of targeted banking applications, now targeting more than 1500 banks worldwide. The latest variants start by first determining if the victim is on the list of targeted countries. Each country is also mapped to a larger region, which Grandoreiro uses to determine which string searches it should run on currently active windows. This means that, if the victim country for instance is identified as Belgium, it will search for all targeted banking applications associated with the Europe region. Grandoreiro internally maps countries to the region categories Europe, North America, Central America, South America, Africa, Indo-Pacific and global islands, with each region having an associated Delphi class to search for bank applications. In addition, Grandoreiro has a class searching for 266 unique strings identifying cryptocurrency wallets, which is run on every infection.\r\nFig 11: Grandoreiro launching a new thread based on the detected country region\r\nThe heatmap below highlights the number of unique banking applications associated with each country. Note that each app may be detected with multiple strings:\r\nFig 12: Grandoreiro targeted banking applications per country (created using Datawrapper and populated with information from the X-Force team’s research)\r\nDGA\r\nGrandoreiro has traditionally relied on domain generation algorithms (DGA) to calculate its active C2 server based on the current date. The newest iteration of Grandoreiro contains a reworked algorithm and takes it one step further by introducing multiple seeds for its DGA. 
These seeds are used to calculate a different domain for each mode or functionality of the banking trojan, allowing separation of C2 tasks among several operators as part of their Malware-as-a-Service operation.\r\nEach Grandoreiro sample may have a main default seed in case the config file is missing, as well as a list of function-specific seeds. The sample X-Force analyzed contained 14 different seeds, leading to 14 possible C2 domains every day. To explain the algorithm, we will calculate the domains for April 17, 2024. The following chart provides a visualization of the algorithm with an explanation below:\r\nFig 13: DGA visualization\r\nStarting with the domain apex, Grandoreiro has one domain mapped to every day of the year. There are two of these mappings, one for the main C2 and one for all function-specific C2s. However, of the 732 apex domains, only 337 are unique. For the given day, the primary apex is dnsfor[.]me and the secondary is neat-url[.]com.\r\nFor the next part, Grandoreiro concatenates the seed “xretsmzrb” (the main seed) with the 2 digit formatted current month, replacing each digit with three hardcoded characters. The digits “0” and “4” are replaced with “oit” and “zia” respectively, resulting in the full string “xretsmzrboitzia”.\r\nFinally, for each day of the month, Grandoreiro has a custom character to character replacement mapping. 
For the 17th, after running all 26 character replacements iteratively, the final subdomain string is “wondbbhonandhnd”.\r\nAfter calculating the remaining domains for all hardcoded seeds, the list of C2 domains for April 17, 2024 becomes:\r\nX-Force was able to confirm at least 4 of the domains did resolve on that day to Brazil-based IPs:\r\nThe C2 server’s port is calculated from the first four digits of the IP address via a custom digit-to-digit mapping just like the Grandoreiro loader. See Appendix for a full list of all pre-calculated Grandoreiro domains. Note that Grandoreiro does change seeds frequently. A few weeks after the initial infection X-Force observed only the main seed C2 server staying active.\r\nResearch into X-Force DNS telemetry for early May shows current infections are mainly located in Latin America:\r\nFig 14: Infection geolocations in early May\r\nCommand and control\r\nAfter attempting to resolve the calculated DGA, Grandoreiro sends one of several registration messages concatenated with enumeration data and encrypted, just like the Grandoreiro loader. 
The following messages may be sent based on privileges, installed AV and active C2 domains:\r\nCLIENT_SOLICITA_DD_FULL\r\nCLIENT_SOLICITA_DD_WLT_FULL\r\nCLIENT_SOLICITA_DD_FULL_ADMIN\r\nCLIENT_SOLICITA_DADOS_ARQ\r\nGrandoreiro supports a large number of different commands, including the following:\r\nRemote control:\r\nEnabling and disabling mouse input\r\nSending new mouse positions or clicks, hide/show mouse\r\nHide/show taskbar\r\nSending new clipboards\r\nSimulate keyboard input (all special keys)\r\nRebooting PC\r\nStart/stop webcam viewer\r\nList current windows, close/restore/maximize windows, set as foreground window, move window position\r\nList processes, kill processes by PID\r\nStart/stop keylogger\r\nOpen browser (MS Edge, Chrome, Internet Explorer, Firefox, Opera, Brave)\r\nActivating and deactivating modes (also possible through configuration file)\r\nAdmin mode\r\nRegistered mode\r\nOutlook sending mode (see Outlook Harvest \u0026 Spam section)\r\nRestart locked mode\r\nAlways on mode\r\n“Good DNS exchange” mode (also internally referenced as “PK” mode). 
Likely to make use of a DGA seed hardcoded within the config file.\r\n“Caption blocking” or “thread blocking” likely to prevent users from opening new windows\r\nFile upload/download\r\nReceive BMP/XML file (possibly to imitate authentication windows of detected banking applications)\r\nReceive module update (not yet implemented)\r\nExecute a new .EXE file (not yet implemented)\r\nEnumerate host filesystem\r\nMalware control\r\nLook for DLLs needed by the malware (such as MouseA.dll)\r\n“Cleaning” DLLs or ZIPs (downloading components again)\r\nSend client enumeration data\r\nUpdate country info\r\nThe malware also specifically supports opening hardcoded Banco Banorte URLs:\r\nIt further allows execution of JavaScript commands in the browser to simulate HTML button clicks:\r\njavascript:document.getElementById(‘ctl00_Contentplaceholder1_lbNuevaCuenta’).click();\r\njavascript:document.getElementById(‘ctl00_Contentplaceholder1_btnAceptar’).click();\r\njavascript:document.getElementById(‘ctl00_Contentplaceholder1_btnContinuar’).click();\r\njavascript:document.getElementById(‘ctl00_Contentplaceholder1_Button17’).click();\r\nDue to the large number of different commands and their naming, the Grandoreiro codebase seems to contain newly added commands as well as legacy features no longer actively used. The banking trojan is likely going through frequent development cycles to add new features without much refactoring, contributing to the overall size of the codebase.\r\nOutlook Harvest \u0026 Spam\r\nOne of Grandoreiro’s most interesting features is its capability to spread by harvesting data from Outlook and using the victim’s account to send out spam emails. 
There are at least 3 mechanisms implemented in Grandoreiro to harvest and exfiltrate email addresses, with each using a different DGA seed. By using the local Outlook client for spamming, Grandoreiro can spread through infected victim inboxes via email, which likely contributes to the large amount of spam volume observed from Grandoreiro.\r\nHarvesting\r\nFor the Outlook harvesting mode, Grandoreiro switches its C2 to DGA seed 7 which is used to exfiltrate data. Logging and status messages continue to the main C2 server. For instance, before starting the harvesting process, it sends a log back containing the same victim profiling data as well as the strings “CLIENT_SOLICITA_DD_EMSOUT” (Client asks for EMSOUT data) and “COLHENDO” (harvesting).\r\nIn order to interact with the local Outlook client, Grandoreiro uses the Outlook Security Manager tool, a software used to develop Outlook add-ins. The main reason behind this is that the Outlook Object Model Guard triggers security alerts if it detects access on protected objects. Outlook Security Manager allows Grandoreiro to disable these alerts during both the harvesting and spamming behavior. Depending on system architecture, the tool requires the DLL “secman.dll” or “secman64.dll” to be registered as COM servers. It then uses MAPI to interact with Outlook.\r\nThe malware begins by locating the root mailbox folder and then recursively iterates through the email items. For each email, it checks the “SenderEmailAddress” property and runs a blocklist against it, to filter out unwanted email addresses for harvesting:\r\nEmail addresses that do not contain any of the strings above are aggregated in a text file, ZIP compressed and exfiltrated.\r\nIn addition to the harvesting process above, Grandoreiro also supports adding a PST file to Outlook first via the Namespace.AddStore() function. 
Another supported harvesting mechanism recursively goes through the victim’s file system and scans files for email addresses. Files with the following extensions are opened and scanned:\r\n“*.txt”, “*.csv”, “*.html”, “*.xml”, “*.dat”, “*.db”, “*.sqlite”, “*.xlsx”, “*.xls”, “*.xlsm”, “*.dbf”, “*.doc”, “*.docx”, “*.docm”\r\nTo prevent unnecessary scanning, Grandoreiro maintains yet another blocklist of paths not to scan, excluding common system directories.\r\nSpamming\r\nTo send out spam emails, Grandoreiro uses phishing templates which it receives from its C2 server. It then goes through the template and fills out placeholder fields such as:\r\n$replyto → the Reply-to value\r\n$link → a link to the payload\r\n$hora → formatted current time\r\n$data → formatted current date\r\n$email_destino → destination address\r\n$valor → A randomly generated float value such as “123,45.67”, likely used to create random invoice values\r\n$letnum_rand_branco → random string of capital letters and digits, pasted into the email HTML between white font tags “\u003cfont style=”color: white;”\u003e”. Use unknown.\r\n$assunto → email subject\r\n$nome_saudacao → name and greeting\r\n$nome_empresa → company name\r\n$link_imagem → link to image, likely to support company logos, signatures or banners\r\nJust before beginning to send out emails, Grandoreiro starts a thread to detect any appearing dialog boxes and click them away by sending specific TAB and SPACEBAR key presses. After sending out the emails, the malware carefully covers its tracks by deleting the sent messages from the victim’s mailbox. Also, for a lot of the harvesting and spamming behavior Grandoreiro makes sure that the last input on the infected machine is at least 5 min ago (or in some cases longer). 
The developers likely wanted to make sure victims would not notice any suspicious behavior.\r\nDuring spamming, Grandoreiro reports back the following status messages:\r\nPRONTO (“Ready”)\r\nEM_REPOUSO (“In rest”)\r\nDISPARANDO (“Firing”)\r\nENVIO_PAUSADO (“Sending paused”)\r\nSEM_CONTA_DISPONIVEL (“No account available”)\r\nMAX_ERROS (“Maximum errors”)\r\nString encryption\r\nWith Grandoreiro being such an extensively large malware, it requires a huge amount of strings, which would make detection very easy if they were left unencrypted. Grandoreiro features more than 10k strings dispersed among more than a hundred feature-specific string-loading functions. The decryption mechanism differs slightly from the loader’s string decryption:\r\nIt uses the same Grandoreiro key as the loader, which it decrypts via its custom encryption and the key “A”. Once it has the key, it custom-decodes the encrypted string using the same encoding as the loader and then decrypts the resulting bytes via AES ECB mode using the ElAES Pascal implementation. The AES key is a scrambled version of the previously decrypted Grandoreiro key. After another round of custom decoding, the string is finally decrypted via the old Grandoreiro algorithm and the Grandoreiro key.\r\nFig 15: Grandoreiro banking trojan string decryption\r\nConclusion\r\nX-Force observed several recent phishing campaigns impersonating official government entities to deliver the Grandoreiro banking trojan. Grandoreiro distributors typically target users in Latin America; however, since the latest law enforcement action against Grandoreiro operators, X-Force has observed the malware being spread outside of LATAM to include regions in Central and South America, Africa, Europe, and the Pacific. 
The Grandoreiro banking trojan samples that X-Force has analyzed have undergone major updates within the string decryption and DGA Calculation algorithms. These newly analyzed samples now include a vast number of at least 1500 global banking applications to target, which support execution and enable attackers to perform banking fraud in over 60 countries. The updates made to the malware, in addition to the significant increase in banking applications across several nations, indicate that the Grandoreiro distributors are seeking to conduct campaigns and deliver malware on a global scale.\r\nWe encourage organizations that may be impacted by these campaigns to review the following recommendations:\r\nExercise caution with emails and PDFs prompting a file download\r\nMonitor network traffic for multiple consecutive requests to https://ip-api.com/json as a potential indicator of a Grandoreiro infection\r\nConsider blocking pre-calculated DGA domains via DNS\r\nMonitor registry Run keys used for persistence\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nInstall and configure endpoint security software\r\nUpdate relevant network security monitoring rules\r\nEducate staff on the potential threats to the organization\r\nIndicators of Compromise (IOCs)\r\nSource: https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/"
	],
	"report_names": [
		"grandoreiro-banking-trojan-unleashed"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434674,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/646f04485d327e6f2760ac6a6ef8d245dd03e9a1.pdf",
		"text": "https://archive.orkl.eu/646f04485d327e6f2760ac6a6ef8d245dd03e9a1.txt",
		"img": "https://archive.orkl.eu/646f04485d327e6f2760ac6a6ef8d245dd03e9a1.jpg"
	}
}