Malware analysis

Grandoreiro malware: what it is, how it works and how to prevent it | Malware spotlight

Introduction

One of the few things that attracts the attention of malware researchers more than novel types of malware is malware that expands its attack horizon to new areas of the globe. Couple this with the use of a relatively unfamiliar method to steal from online banking customers and you have yourself a malware that you are bound to hear about, to say the least. 

This article will detail Grandoreiro. We’ll explore what it is, how it works and how you can prevent yourself from becoming another statistic in the fight against malware.

What is Grandoreiro?

Written in the Delphi programming language, Grandoreiro is a remote overlay banking Trojan that has earned a name for itself for its ability to steal from online banking customers and has been active since at least 2017. 

Remote overlay banking Trojans are designed to allow attackers to overtake devices. This often involves displaying overlay images (full screen) on victim’s computers when they access their banking account online. While this type of banking Trojan does not get much coverage in malware news, remote overlay banking Trojans can be quite devastating, as they allow attackers to fraudulently transfer money from a victim’s online bank account to the attacker during the victim’s online banking session. 

There is a wide variety of remote overlay banking Trojans out there today. Despite using similar code, they differ in their respective deployment methods and infection mechanisms.

In the case of Grandoreiro, whenever a user on an infected computer visits a targeted banking website, attackers will begin making fraudulent transfers out of the account that the user signed in to.

Attacks by this type of malware have been the scourge of online banking customers in Latin America since around 2014, and it is generally considered the top online banking threat in the region. Grandoreiro was originally discovered targeting online banking customers in Brazil in 2017 and eventually expanded to include Peru and Mexico. As of April of 2020, Grandoreiro has expanded the list of countries it attacks to include Spain, making it a global threat. 

What’s more, this malware has exhibited a substantial ability to capitalize on current events in the world to make itself more likely to infect computers. Once mostly limited to being spread via malspam campaigns, attackers have recently been capitalizing on the COVID-19 crisis by using malicious videos with titles referring to the virus in phishing campaigns. Instead of getting an expected glimpse into COVID-19 in China, users that download the attachment download Grandoreiro malware instead. This means that Grandoreiro is expanding its reach with greater reliance upon different delivery methods and reinforcing the general trend of malware exploiting the virus.

How does Grandoreiro work?

Grandoreiro enters the first stage of infection when the user clicks on the malicious URL and the loader is downloaded. The next stage of infection involves retrieval of the Grandoreiro payload via a URL written into the loader’s code. 

Once the infection phases are complete, Grandoreiro collects the following information from the infected computer:

• Username
• Computer name
• Bit number (32 or 64) and operating system version
• List of installed AV or security product
• The presence of Diebold Warsaw GAS Tecnologia, a popular online banking protection application in Brazil

Grandoreiro has credential-stealing capabilities in some versions in Google Chrome. It will set up a fake Google Chrome extension called Edit This Cookie, which is suspected of supporting Grandoreiro’s information stealing capabilities by grabbing user cookies to steal user information and allowing the attacker to ride the user’s active session. This means that the attacker does not need to control the computer from this point.

Whenever a user of an infected computer visits a targeted banking website, Grandoreiro will take over the online banking session and make fraudulent transfers to accounts controlled by the attackers. Although this is the jewel in the crown of the attack, Grandoreiro has other capabilities and tools, including keylogging, self-updating, keyboard and mouse simulation and a backdoor with expansive capabilities.

How to prevent Grandoreiro

Grandoreiro can be prevented using good cybersecurity sense. Do not click on videos on suspicious websites. Be mindful that these videos may try to bait you by referring to the COVID-19 (or any other contemporary) crisis. If you do not know who the sender of an email is, do not download attachments or click on any links with unknown URLs. When in doubt, contact the supposed sender through a different channel and confirm whether it is legitimate.

Many common security products can spot and/or stop the malware from infecting your computer. While this may be so, the first and best line of defense against malware like Grandoreiro is a user with cybersecurity awareness. This is because it takes user interaction to initiate infection.

Conclusion

Grandoreiro is a remote overlay banking Trojan that has expanded its global scope of attack to include Spain. Researchers have observed the malware using references to the COVID-19 crisis in a way that plays on the interest level of the public about this sensitive topic. Make sure to keep your cyber-awareness sharp during this time of COVID-19, as more malware has been using this insidious tactic.

 

Sources

1. Researchers Spot Banking Trojan Using #COVID19 Crisis to Attack Users, Infosecurity Magazine
2. Overlay Malware Leverages Chrome Browser, Targets Banks and Heads to Spain, Threat Post
3. Grandoreiro: How engorged can an EXE get?, We Live Security
4. Grandoreiro Malware Now Targeting Banks in Spain, Security Intelligence