{
	"id": "0dd14f9d-d45b-4343-a50b-ba7a96c60451",
	"created_at": "2026-04-06T00:13:55.754399Z",
	"updated_at": "2026-04-10T13:12:56.578229Z",
	"deleted_at": null,
	"sha1_hash": "aca6fb2c94529b61f243a1927a65405197e59a52",
	"title": "ESET takes part in global operation to disrupt the Grandoreiro banking trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 537970,
	"plain_text": "ESET takes part in global operation to disrupt the Grandoreiro banking\r\ntrojan\r\nBy ESET Research\r\nArchived: 2026-04-02 11:35:41 UTC\r\nESET has collaborated with the Federal Police of Brazil in an attempt to disrupt the Grandoreiro botnet. ESET contributed\r\nto the project by providing technical analysis, statistical information, and known command and control (C\u0026C) server\r\ndomain names and IP addresses. Due to a design flaw in Grandoreiro’s network protocol, ESET researchers were also able\r\nto get a glimpse into the victimology.\r\nESET automated systems have processed tens of thousands of Grandoreiro samples. The domain generation algorithm\r\n(DGA) the malware has used since around October 2020 produces one main domain, and optionally several failsafe\r\ndomains, per day. The DGA is the only way Grandoreiro knows how to report to a C\u0026C server. Besides the current date, the\r\nDGA accepts static configuration as well – we have observed 105 such configurations as of this writing.\r\nGrandoreiro’s operators have abused cloud providers such as Azure and AWS to host their network infrastructure. ESET\r\nresearchers provided data crucial to identifying the accounts responsible for setting up these servers. Further investigation\r\nperformed by the Federal Police of Brazil led to the identification and arrest of the individuals in control of these servers. In\r\nthis blogpost, we look at how we obtained the data to assist law enforcement to execute this disruption operation.\r\nBackground\r\nGrandoreiro is one of many Latin American banking trojans. It has been active since at least 2017 and ESET researchers\r\nhave been closely tracking it ever since. Grandoreiro targets Brazil and Mexico, and since 2019 Spain as well (see Figure 1).\r\nWhile Spain was the most targeted country between 2020 and 2022, in 2023 we observed a clear switch of focus towards\r\nMexico and Argentina, the latter being new to Grandoreiro.\r\nFigure 1. 
Grandoreiro detection rate (data since January 2020)\r\nFunctionality-wise, Grandoreiro hasn’t changed very much since our last blogpost in 2020. We offer a brief overview of the\r\nmalware in this section and dive into the few changes, mainly new DGA logic, later.\r\nWhen a Latin American banking trojan successfully compromises a machine, it usually issues an HTTP GET request to a\r\nremote server, sending some basic information about the compromised machine. While older Grandoreiro builds\r\nimplemented this feature, over time, the developers decided to drop it.\r\nGrandoreiro periodically monitors the foreground window to find one that belongs to a web browser process. When such a\r\nwindow is found and its name matches any string from a hardcoded list of bank-related strings, then and only then the\r\nmalware initiates communication with its C\u0026C server, sending requests at least once a second until terminated.\r\nThe operator has to interact manually with the compromised machine in order to steal a victim’s money. The malware\r\nallows:\r\nblocking the screen of the victim,\r\nlogging keystrokes,\r\nsimulating mouse and keyboard activity,\r\nsharing the victim’s screen, and\r\ndisplaying fake pop-up windows.\r\nhttps://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-grandoreiro-banking-trojan/\r\nPage 1 of 13\n\nGrandoreiro undergoes rapid and constant development. Occasionally, we even saw several new builds a week, making it\r\ndifficult to keep track. To demonstrate, in February 2022, Grandoreiro’s operators added a version identifier to the binaries.\r\nIn Figure 2 we show how quickly the version identifier changed. On average, it was a new version every four days between\r\nFebruary 2022 and June 2022. In the month-long gap between May 24th, 2022 and June 22nd, 2022 we continued to see new\r\nsamples with progressing PE compilation times, but they lacked the version identifier. 
On June 27th, 2022 the version\r\nidentifier changed to V37 and we haven’t seen it change since then, leaving us to conclude that this feature was dropped.\r\nFigure 2. Grandoreiro version history between February and June 2022\r\nLatin American banking trojans share a lot of commonalities. Grandoreiro is similar to other Latin American banking trojans\r\nmainly by the obvious core functionality and in bundling its downloaders within MSI installers. In the past, we have\r\nobserved a few cases where its downloaders were shared with Mekotio and Vadokrist, though not in the last two years. The\r\nGrandoreiro banking trojan’s main distinction from the other families had been its unique binary padding mechanism that\r\nmassively engorges the final executable (described in our blogpost in 2020). Over time, Grandoreiro’s operators added this\r\nanti-analysis technique to its downloaders as well. To our surprise, in Q3 2023, this feature was completely dropped from\r\nthe banking trojan and downloader binaries and we haven’t observed it since.\r\nSince February 2022, we have been tracking a second variant of Grandoreiro that differs significantly from the main one.\r\nWe saw it, in small campaigns, in March, May, and June 2022. 
Based on the vast majority of its C\u0026C server domains not\r\nresolving, its core features changing quite often, and its network protocol not functioning properly, we strongly believe it is a\r\nwork in progress; hence we will focus on the main variant in this blogpost.\r\nGrandoreiro long-term tracking\r\nESET systems designed for automated, long-term tracking of selected malware families have been monitoring Grandoreiro\r\nsince the end of 2017, extracting version information, C\u0026C servers, targets and, since the end of 2020, DGA configurations.\r\nDGA tracking\r\nThe DGA configuration is hardcoded in the Grandoreiro binary. Each configuration can be referred to by a string we call\r\ndga_id. Using different configurations for the DGA yields different domains. We dive deeper into the DGA mechanism later\r\nin the text.\r\nESET has extracted a total of 105 different dga_ids from the Grandoreiro samples known to us. 79 of these configurations at\r\nleast once generated a domain that resolved to an active C\u0026C server IP address during the course of our tracking.\r\nThe generated domains are registered via No-IP’s Dynamic DNS service (DDNS). Grandoreiro’s operators abuse the service\r\nto frequently change their domains to correspond with the DGA and to change IP addresses at will. The vast majority of the\r\nIP addresses these domains resolve to are provided by cloud providers, mainly AWS and Azure. Table 1 illustrates some\r\nstatistics about IP addresses used for Grandoreiro C\u0026C servers.\r\nTable 1. 
Statistical information about Grandoreiro C\u0026C IP addresses since we started our tracking\r\nInformation Average Minimum Maximum\r\nNumber of new C\u0026C IP addresses per day 3 1 34\r\nNumber of active C\u0026C IP addresses per day 13 1 27\r\nLifespan of C\u0026C IP address (in days) 5 1 425\r\nVery soon after we began to track the generated domains and their associated IP addresses, we started to notice that many\r\ndomains generated by DGAs with different configurations resolve to the same IP address (as illustrated in Figure 3). This\r\nmeans that on a given day, victims compromised by Grandoreiro samples with different dga_id all connected to the same\r\nC\u0026C server. This phenomenon was no coincidence – we observed it almost on a daily basis during our tracking.\r\nFigure 3. Schema of an IP overlap in two different Grandoreiro DGA configurations\r\nOn much rarer occasions, we have also observed an IP address being reused by a different dga_id a few days later. Only this\r\ntime, the parameters Grandoreiro used to establish a connection (explained later in the text) changed as well. This means\r\nthat, in the meantime, the C\u0026C server side must have been reinstalled or reconfigured.\r\nOur initial assumption was that the dga_id is unique for each DGA configuration. This later proved to be incorrect – we have\r\nobserved two sets of different configurations sharing the same dga_id. Table 2 shows both of them, “jjk” and “gh”, where\r\n“jjk” and “jjk(2)” correspond to two different DGA configurations, same as “gh” and “gh(2)”.\r\nTable 2 shows the clusters we were able to observe. All DGA configurations that shared at least one IP address are in the\r\nsame cluster and their associated dga_ids are listed. Clusters that account for less than 1% of all victims are disregarded.\r\nTable 2. 
Grandoreiro DGA clusters\r\nCluster ID dga_id list Cluster size % of all C\u0026C servers % of all victims\r\n1 b, bbh, bbj, bbn, bhg, cfb, cm, cob, cwe, dee, dnv, dvg, dzr, E, eeo, eri, ess, fhg, fox, gh, gh(2), hjo, ika, jam, jjk, jjk(2), JKM, jpy, k, kcy, kWn, md7, md9, MRx, mtb, n, Nkk, nsw, nuu, occ, p, PCV, pif, rfg, rox3, s, sdd, sdg, sop, tkk, twr, tyj, u, ur4, vfg, vgy, vki, wtt, ykl, Z, zaf, zhf 62 93.6% 94%\r\n2 jl2, jly 2 2.4% 2.5%\r\n3 ibr 1 0.8% 1.6%\r\n4 JYY 1 1.6% 1.1%\r\nThe biggest cluster contains 78% of all active dga_ids. It is responsible for 93.6% of all C\u0026C server IP addresses and 94%\r\nof all victims we’ve seen. The only other cluster consisting of more than 1 dga_id is cluster 2.\r\nSome sources claim that Grandoreiro operates as malware-as-a-service (MaaS). The Grandoreiro C\u0026C server backend does\r\nnot allow simultaneous activity of more than one operator at once. Based on Table 2, the vast majority of DGA-produced IP\r\naddresses can be clustered together with no clear distribution pattern. Finally, considering the network protocol’s heavy\r\nbandwidth requirements (we dive into that at the end of the blogpost), we believe that the different C\u0026C servers are used as\r\na primitive load-balancing system and that it is more likely that Grandoreiro is operated by a single group or by a few groups\r\nclosely cooperating with one another.\r\nC\u0026C tracking\r\nGrandoreiro’s implementation of its network protocol allowed ESET researchers to take a peek behind the curtain and get a\r\nglimpse of the victimology. Grandoreiro C\u0026C servers give away information about the connected victims at the time of the\r\ninitial request to each newly connected victim. 
That said, the data is biased by the number of requests, their intervals, and\r\nthe validity of the data provided by the C\u0026C servers.\r\nEach victim connected to the Grandoreiro C\u0026C server is identified by a login_string – a string Grandoreiro constructs upon\r\nestablishing the connection. Different builds use different formats and different formats contain different information. We\r\nsummarize the information that can be obtained from the login_string in Table 3. The Occurrence column shows a\r\npercentage of all the formats we’ve seen that hold the corresponding kind of information.\r\nTable 3. Overview of information that can be obtained from a Grandoreiro victim’s login_string\r\nInformation Occurrence Description\r\nOperating system 100% OS of victim’s machine.\r\nComputer name 100% Name of victim’s machine.\r\nCountry 100% Country that the Grandoreiro sample targets (hardcoded in the malware sample).\r\nVersion 100% Version (version_string) of the Grandoreiro sample.\r\nBank codename 92% Codename of the bank that triggered the C\u0026C connection (assigned by Grandoreiro’s developers).\r\nUptime 25% Time (in hours) that the victim’s machine has been running.\r\nScreen resolution 8% Screen resolution of the victim’s main monitor.\r\nUsername 8% Username of the victim.\r\nThree of the fields deserve a closer explanation. Country is a string hardcoded in the Grandoreiro binary rather than\r\ninformation obtained via appropriate services. Therefore, it serves more like an intended country of the victim.\r\nBank codename is a string Grandoreiro’s developers associated with a certain bank or other financial institution. The victim\r\nvisited that bank’s website, which triggered the C\u0026C connection.\r\nThe version_string is a string identifying a specific Grandoreiro build. 
It is hardcoded in the malware and holds a string that\r\nidentifies a specific build series, a version (which we already talked about in the introduction), and a timestamp. Table 4\r\nillustrates the different formats and the information they hold. Notice that some of the timestamps contain only month and\r\nday, while others contain the year as well.\r\nTable 4. List of different version_string formats and their parsing\r\nVersion string Build ID Version Timestamp\r\nDANILO DANILO N/A N/A\r\n(V37)(P1X)1207 P1X V37 12/07\r\n(MX)2006 MX N/A 20/06\r\nfox50.28102020 fox50 N/A 28/10/2020\r\nMADMX(RELOAD)EMAIL2607 MADMX(RELOAD)EMAIL N/A 26/07\r\nOne may be tempted to say that the Build ID actually identifies the operator. However, we don’t think that is the case. The\r\nformat of this string is very chaotic; sometimes it refers only to a month in which the binary probably was built (like\r\n(AGOSTO)2708). Additionally, we strongly believe that P1X refers to a console used by Grandoreiro operator(s) called\r\nPIXLOGGER.\r\nC\u0026C server tracking – findings\r\nIn this section, we focus on what we’ve found by querying the C\u0026C servers. All the statistical data listed in this section has\r\nbeen obtained directly from Grandoreiro C\u0026C servers, not from ESET telemetry.\r\nOld samples are still active\r\nEach login_string we observed contains the version_string and the vast majority of those contain the timestamp information\r\n(see Table 3 and Table 4). While a lot of them contain only day and month, as seems to be the developer’s choice\r\noccasionally, the oldest communicating sample was timestamped 15/09/2020 – that is from the time this DGA was first\r\nintroduced to Grandoreiro. The most recent sample was timestamped 12/23/2023.\r\nOperating system distribution\r\nSince all of the login_string formats contain OS information, we can paint an accurate picture of what operating systems fell\r\nvictim, as illustrated in Figure 4.\r\nFigure 4. 
Operating system distribution among Grandoreiro victims\r\n(Intended) country distribution\r\nWe already mentioned that Grandoreiro uses a hardcoded value instead of querying a service to obtain the country of the\r\nvictim. Figure 5 shows the distribution that we have observed.\r\nFigure 5. (Intended) country codes distribution among Grandoreiro victims\r\nThis distribution is to be expected of Grandoreiro. Interestingly, it does not correlate with the heatmap depicted in Figure 1.\r\nThe most logical explanation is that the builds are not marked properly to resemble their intended targets. For example, the\r\nincrease in attacks in Argentina is not reflected at all by the hardcoded marking. Brazil accounts for almost 41% of all\r\nvictims, followed by Mexico with 30% and Spain with 28%. Argentina, Portugal, and Peru account for less than 1%.\r\nInterestingly, we have seen a few (fewer than 10) victims marked as PM (Saint Pierre and Miquelon), GR (Greece), or FR\r\n(France). We believe those are either typos or have other meanings rather than aiming at those countries.\r\nAlso note that while Grandoreiro added targets from many countries outside of Latin America as early as 2020, we have\r\nobserved few to no campaigns targeting those countries and Figure 5 supports this.\r\nNumber of victims\r\nWe have observed that the average number of victims connected in a day is 563. However, this number certainly contains\r\nduplicates, because if a victim stays connected for a long time, which we’ve observed is often the case, then the Grandoreiro\r\nC\u0026C server will report it on multiple requests.\r\nTrying to address this issue, we defined a unique victim as one with a unique set of identifying characteristics (like computer\r\nname, username, etc.) while omitting those that are subject to change (like uptime). 
With that, we ended up with 551 unique\r\nvictims connected in a day on average.\r\nTaking into account that we have observed victims who were connecting to the C\u0026C servers constantly for over a year’s\r\nperiod, we calculated an average number of 114 new unique victims connecting to the C\u0026C servers each day. We came to\r\nthis number by disregarding unique victims that we have already observed before.\r\nGrandoreiro internals\r\nLet us focus, in depth, on the two most crucial features of Grandoreiro: the DGA and the network protocol.\r\nDGA\r\nGrandoreiro’s operators have implemented several kinds of DGAs over the years, with the most recent one appearing in July\r\n2020. While we noticed a few minor changes, the core of the algorithm hasn’t changed since.\r\nThe DGA utilizes a specific configuration that is hardcoded in the binary, stored as multiple strings. Figure 6 displays one\r\nsuch configuration (with dga_id “bbj”), reformatted in JSON for better readability.\r\nFigure 6. Grandoreiro DGA configuration, reformatted in JSON\r\nIn the vast majority of cases, the base_domain field is freedynamicdns.org or zapto.org. As already mentioned, Grandoreiro\r\nutilizes No-IP for its domain registration. The base64_alpha field corresponds to the custom base64 alphabet the DGA uses.\r\nThe month_substitution is used to substitute a month number for a character.\r\nThe dga_table forms the main part of the configuration. It consists of 12 strings, each with 35 fields delimited by |. The first\r\nentry of each line is the dga_id. The second and last entry represent the month the line is intended for. The remaining 32\r\nfields each represent a value for a different day of the month (leaving at least one field unused).\r\nThe logic of the DGA is shown in Figure 7. 
The algorithm first selects the correct line and the correct entry from it, treating\r\nit as a four-byte key. It then formats the current date into a string and encrypts it with the key using a simple XOR. It then\r\nprepends the dga_id to the result, encodes the result using base64 with a custom alphabet, and then removes any = padding\r\ncharacters. The final result is the subdomain that, together with base_domain, is to be used as the C\u0026C server for the current\r\nday. The part highlighted in red is a failsafe mechanism and we discuss it next.\r\nFigure 7. Grandoreiro DGA computation reimplemented in Python\r\nGrandoreiro has implemented, in some builds, a failsafe mechanism for when the main domain fails to resolve. This\r\nmechanism is not present in all builds and its logic has changed a few times, but the basic idea is illustrated in Figure 7. It\r\nuses a configuration that is constant in the samples we analyzed and can be generated by the simple code shown in Figure 8.\r\nEach entry consists of a key, a prefix, and a base domain.\r\nThe failsafe algorithm takes a part of the main C\u0026C subdomain. It then iterates over all configuration entries, encrypts it\r\nusing XOR and prepends a prefix, similar to the main algorithm part.\r\nFigure 8. Failsafe DGA configuration generator reimplemented in Python\r\nSince September 2022, we have started to observe samples that utilize a slightly modified DGA. The algorithm remains\r\nalmost identical, but rather than base64 encoding the subdomain in the final step, a hardcoded prefix is prepended to it.\r\nBased on our tracking, this method has become the dominant one since approximately July 2023.\r\nNetwork protocol\r\nGrandoreiro utilizes RTC Portal, a set of Delphi components built on top of the RealThinClient SDK which is built on top of\r\nHTTP(S). The RTC Portal was discontinued in 2017 and its source code published on GitHub. 
Essentially, RTC Portal\r\nallows one or more Controls to remotely access one or more Hosts. Hosts and Controls are separated by a mediator\r\ncomponent called Gateway.\r\nGrandoreiro operators use a console (acting as the Control) to connect to the C\u0026C server (acting as Gateway) and to\r\ncommunicate with the compromised machines (acting as Hosts). To connect to Gateway, three parameters are required: a\r\nsecret key, the key length, and a login.\r\nThe secret key is used to encrypt the initial request sent to the server. Therefore, the server also needs to know the secret key\r\nso as to decrypt the initial client request.\r\nThe key length determines the length of the keys to encrypt the traffic, established during the handshake. The traffic is\r\nencrypted using a custom stream cipher. Two different keys are established – one for inbound and one for outbound traffic.\r\nThe login can be any string. The Gateway requires each connected component to have a unique login.\r\nGrandoreiro uses two different combinations of secret key and key length values, always hardcoded in the binary, and we\r\nalready discussed the login_string that is used as the login.\r\nThe RTC documentation states that it can only handle a limited number of connections at once. Considering that each\r\nconnected Host needs to send at least one request per second or else its connection is dropped, we believe that the reason\r\nGrandoreiro utilizes multiple C\u0026C servers is an attempt not to overwhelm any one of them.\r\nConclusion\r\nIn this blogpost, we have provided a peek behind the curtain of our long-term tracking of Grandoreiro that helped to make\r\nthis disruption operation possible. 
We have described in depth how Grandoreiro’s DGA works, how many different\r\nconfigurations exist simultaneously, and how we were able to spot many IP address overlaps among them.\r\nWe have also provided statistical information obtained from the C\u0026C servers. This information provides an excellent\r\noverview of the victimology and targeting, while also allowing us to see the actual level of impact.\r\nThe disruption operation led by the Federal Police of Brazil aimed at individuals who are believed to be high up in the\r\nGrandoreiro operation hierarchy. ESET will continue to track other Latin American banking trojans while closely\r\nmonitoring for any Grandoreiro activity following this disruption operation.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 Filename Detection Description\r\nFB32344292AB36080F2D040294F17D39F8B4F3A8 Notif.FEL.RHKVYIIPFVBCGQJPOQÃ.msi Win32/Spy.Grandoreiro.DB MSI down\r\n08C7453BD36DE1B9E0D921D45AEF6D393659FDF5 RYCB79H7B-7DVH76Y3-67DVHC6T20-CH377DFHVO-6264704.msi Win32/Spy.Grandoreiro.DB MSI down\r\nA99A72D323AB5911ADA7762FBC725665AE01FDF9 pcre.dll Win32/Spy.Grandoreiro.BM Grandoreir\r\n4CDF7883C8A0A83EB381E935CD95A288505AA8B8 iconv.dll Win32/Spy.Grandoreiro.BM Grandoreir\r\nNetwork\r\nIP Domain Hosting provider First seen Details\r\n20.237.166[.]161 DGA‑generated Azure 2024‑01‑12 C\u0026C server.\r\n20.120.249[.]43 DGA‑generated Azure 2024‑01‑16 C\u0026C server.\r\n52.161.154[.]239 DGA‑generated Azure 2024‑01‑18 C\u0026C server.\r\n167.114.138[.]249 DGA‑generated OVH 2024‑01‑02 C\u0026C server.\r\n66.70.160[.]251 DGA‑generated OVH 2024‑01‑05 C\u0026C server.\r\n167.114.4[.]175 DGA‑generated OVH 2024‑01‑09 C\u0026C 
server.\r\n18.215.238[.]53 DGA‑generated AWS 2024‑01‑03 C\u0026C server.\r\n54.219.169[.]167 DGA‑generated AWS 2024‑01‑09 C\u0026C server.\r\n3.144.135[.]247 DGA‑generated AWS 2024‑01‑12 C\u0026C server.\r\n77.246.96[.]204 DGA‑generated VDSina 2024‑01‑11 C\u0026C server.\r\n185.228.72[.]38 DGA‑generated Master da Web 2024‑01‑02 C\u0026C server.\r\n62.84.100[.]225 N/A VDSina 2024‑01‑18 Distribution server.\r\n20.151.89[.]252 N/A Azure 2024‑01‑10 Distribution server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 14 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nResource Development T1587.001 Develop Capabilities: Malware Grandoreiro developers develop their own custom downloaders.\r\nInitial Access T1566 Phishing Grandoreiro spreads through phishing emails.\r\nExecution T1204.002 User Execution: Malicious File Grandoreiro pressures victims to manually execute the phishing attachment.\r\nPersistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Grandoreiro uses the standard Autostart locations for persistence.\r\nT1574.001 Hijack Execution Flow: DLL Search Order Hijacking Grandoreiro is executed by compromising the DLL search order.\r\nDefense Evasion T1140 Deobfuscate/Decode Files or Information Grandoreiro is often distributed in password-protected ZIP archives.\r\nT1027.001 Obfuscated Files or Information: Binary Padding Grandoreiro EXEs used to have enlarged .rsrc sections with large BMP images.\r\nT1218.007 System Binary Proxy Execution: Msiexec Grandoreiro downloaders are bundled inside MSI 
installers.\r\nT1112 Modify Registry Grandoreiro stores part of its configuration data in the Windows registry.\r\nDiscovery T1010 Application Window Discovery Grandoreiro discovers online banking websites based on window names.\r\nT1057 Process Discovery Grandoreiro discovers security tools based on process names.\r\nT1518.001 Software Discovery: Security Software Discovery Grandoreiro detects the presence of banking protection products.\r\nT1082 System Information Discovery Grandoreiro collects information about the victim's machine, such as %COMPUTERNAME% and operating system.\r\nCollection T1056.002 Input Capture: GUI Input Capture Grandoreiro can display fake pop-ups and capture text typed into them.\r\nT1056.001 Input Capture: Keylogging Grandoreiro is capable of capturing keystrokes.\r\nT1114.001 Email Collection: Local Email Collection Grandoreiro’s operators developed a tool to extract email addresses from Outlook.\r\nCommand and Control T1132.002 Data Encoding: Non-Standard Encoding Grandoreiro uses RTC, which encrypts data with a custom stream cipher.\r\nT1568.002 Dynamic Resolution: Domain Generation Algorithms Grandoreiro relies solely on DGA to obtain C\u0026C server addresses.\r\nT1573.001 Encrypted Channel: Symmetric Cryptography In RTC, encryption and decryption are done using the same key.\r\nT1571 Non-Standard Port Grandoreiro often uses non-standard ports for distribution.\r\nT1071 Application Layer Protocol RTC is built on top of HTTP(S).\r\nExfiltration T1041 Exfiltration Over C2 Channel Grandoreiro exfiltrates data to its C\u0026C server.\r\nImpact T1529 System Shutdown/Reboot Grandoreiro can force a system 
reboot.\r\nSource: https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-grandoreiro-banking-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-grandoreiro-banking-trojan/"
	],
	"report_names": [
		"eset-takes-part-global-operation-disrupt-grandoreiro-banking-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434435,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aca6fb2c94529b61f243a1927a65405197e59a52.pdf",
		"text": "https://archive.orkl.eu/aca6fb2c94529b61f243a1927a65405197e59a52.txt",
		"img": "https://archive.orkl.eu/aca6fb2c94529b61f243a1927a65405197e59a52.jpg"
	}
}