Grandoreiro is a Latin American banking trojan targeting Brazil, Mexico, Spain, Peru, and has now extended to Portugal.
Cybercriminals attempt to compromise computers to generate revenue by exfiltrating information from victims’ devices, typically banking-related information. During April and May 2020, a new Grandoreiro variant was identified. This piece of malware includes improvements in the way it is operating. The threat has been disseminating via malscam campaigns, as in the past, and the name of the victim is used as a part of the malicious attachment name, as shown below.
The attached file is an HTML document that downloads the Grandoreiro’s 1st stage – a VBScript file (VBS). After that, an ISO file is downloaded from the online server, according to the target country and campaign. During this investigation, several samples were found online, specifically grouped by campaigns and countries (see Technical Analysis).
The malware modus operandi is very similar to old samples, however, this new variant brings some improvements to how it is communicating with the C2 server. After analyzing it, similarities with latenbot-C2 traffic were identified and described below (another Brazilian trojan).
Grandoreiro operators probably are including Latenbot botnet modules as a way of improving communication between C2 and infected hosts – creating a kind of Grandoreiro botnet.
The malware is capable of collecting banking details from victims’ devices, get total control of the OS, reboot, and lockdown, windows overlay, keylogger capabilities, and performing browser interaction.
For more details about this threat see the Technical Analysis below.
The Grandoreiro malware has been distributed via malscan campaigns around the globe during Q2 2020. As can be observed during this publication, new features have been added to the new samples, including latenbot-C2 features (another Brazilian trojan – see @hasherezade analysis here), and the scope of malware was now extended to Portuguese banks.
As observed below, after submitting the sample into VirusTotal it was classified as a variant of Grandoreiro trojan, as some changes were performed by crooks to improve this piece of malware.
Figure 2: Grandoreiro variant VT sample submitted on 2020-04-24 during this investigation.
Figure 3: Possible ways that Grandoreiro distribution chains may appear (different colors show different paths the chain may take). The final ZIP archive may be encrypted and in some cases also protected by a password – credits ESET.
The malware has been distributed during April and May 2020 and has affected Portuguese users. One of the last analyzed samples (2020-05-21 – 8491a619dc6e182437bd4482d6e97e3a) is scrutinized below.
At first glance, the VBS file seems obfuscated, nonetheless, some details can be extracted such as the encoded string with the URL where the next stage is downloaded and the place where it will be executed on the target machine.
Figure 4: Grandoreiro VBS file (1st stage) obfuscated. Some details can be extracted from the code how highlighted above.
The following piece of code can be used to decode the strings hardcoded in the VBS file.
|‘ Decryptor Grandoreiro VBS 1st stage – Portugal May 2020|
|‘ @sirpedrotavares – seguranca-informatica.pt|
|‘ Sample: 8491a619dc6e182437bd4482d6e97e3a|
|Dim result, cipher, i, tmp, output|
|For i = 1 To Len(cipher)|
|tmp = Mid(cipher, i, 1)|
|tmp = Chr(Asc(tmp)+ 6)|
|result = result + tmp|
|output = result|
The decoded string is a URL pointing to a website where several samples of Grandoreiro are available. The samples are downloaded depending on the initial stage and the target country. The following URL was distributed in Portugal during April and May 2020 and described in this investigation.Encoded string: cipher=”bnnj4))+3,(,-0(+.1(+**4+3/*)Cho`nolcifm(cmi”–Decoded string: http://192.236.147.]100:1950/Inufturiols.iso
The Grandoreiro samples available on this server online were often changed by criminals as a way of bypassing AV’s detections. Based on metrics from May 20th, 1771 users were potentially infected or executed the Grandoreiro 1st stage (VBS file).
Figure 5: Metrics collected from the Grandoreiro server on May 20th, 2020. Each sample is associated with different ongoing campaigns and target countries.
In detail, the sample distributed in Portugal was downloaded 224 times (Inufturiols.iso in Figure 5). The sample was available for download between 2020-05-18 and 2020-05-22.
An interesting point is that one day after data collection, on 2020/05/21, most of the samples were removed from the server by the malware operators, but the sample targeting Portugal was kept available for the next days.
Figure 6: Metrics collected from the server on May 21st, 2020 with the Portuguese sample kept by crooks.
The threats available on the server are the same, but different samples were created by Grandoreiro operators as observed below. The samples were grouped by countries or campaigns.
Figure 7: Grandoreiro samples (ISO files) available on the server online.
The ISO files have a size range of 4MB to 7MB which is an unusual file size for image files. Theses files are an archive file that contains all the information that would be written to an optical disc. The malware is inside them and is dropped when the file is executed. This is not new, several threats have been distributed via ISO files past months (see more details in a ThreatPost publication here).
Digging into the details, when the VBS file (1st stage) is executed on the victim’s machine, the ISO file is downloaded from the server online.
Figure 8: ISO file downloaded from the server online and stored on the IE web cache.
Next, the folder “ \nvreadmm ” is created on the AppData\Roaming directory, and the zip file with the malware inside is dropped (the zip filename can be observed in Figure 4 above).
Figure 9: Zip file with the malware inside is dropped into the “AppData\Roaming\nvreadmm” folder.
When the download is done, the unzip process starts. The PE file (Grandoreiro trojan malware) is extracted into the same folder and executed.
Figure 10: Grandoreiro extracting process ~ binary with a size of 331 MB.
The final payload is a PE file written in Delphi – a Latin American banking trojan. According to ESET, “Grandoreiro has been active at least since 2017 targeting Brazil and Peru, expanding to Mexico and Spain in 2019. “
The malware scope was extended also to Portugal now, with several Portuguese banks included in the malware operations as highlighted below.
Figure 11: List of the Portuguese banks included in the Grandoreiro version of May 2020.
A complete list of the targeted banking organizations can be found below (Grandoreiro May 2020).00CF0808 <AnsiString> 'Cecabank'00CF081C <AnsiString> 'natwest'00CF082C <AnsiString> 'SantanderUK'00CF0840 <AnsiString> 'HSBCUK'00CF0850 <AnsiString> 'Barclays'00CF0864 <AnsiString> 'BICE'00CF0874 <AnsiString> 'Ripley'00CF0884 <AnsiString> 'Bci'00CF0890 <AnsiString> 'Chile'00CF08A0 <AnsiString> 'BancoEstado'00CF08B4 <AnsiString> 'Falabella'00CF08C8 <AnsiString> 'Itaú'00CF08D8 <AnsiString> 'Santander'00CF08EC <AnsiString> 'Scotiabank'00CF0900 <AnsiString> 'PT_1'00CF8E00 <AnsiString> 'Cecabank'00CF8E14 <AnsiString> 'natwest'00CF8E24 <AnsiString> 'SantanderUK'00CF8E38 <AnsiString> 'HSBCUK'00CF8E48 <AnsiString> 'Barclays'00CF8E5C <AnsiString> 'BICE'00CF8E6C <AnsiString> 'Ripley'00CF8E7C <AnsiString> 'Bci'00CF8E88 <AnsiString> 'Chile'00CF8E98 <AnsiString> 'BancoEstado'00CF8EAC <AnsiString> 'Falabella'00CF8EC0 <AnsiString> 'Itaú'00CF8ED0 <AnsiString> 'Santander'00CF8EE4 <AnsiString> 'Scotiabank'00CF8EF8 <AnsiString> 'PT_1'00CF8F7C <AnsiString> 'EUR '00CF8F98 <AnsiString> 'TRAVALiberbank'00CF8FB0 <AnsiString> 'TRAVABBVA'00CF8FC4 <AnsiString> 'TRAVABANKIA'00CF8FD8 <AnsiString> 'TRAVAlacaixa'00CF8FF0 <AnsiString> 'TRAVASTESPANHA'00CF9008 <AnsiString> 'TRAVABLOCKCHAIN'00CF9020 <AnsiString> 'TRAVACAJARURAL'00CF9038 <AnsiString> 'TRAVASabadell'00CF9050 <AnsiString> 'TRAVABANKINTER'00CF9068 <AnsiString> 'TRAVAlabooral'00CF9080 <AnsiString> 'TRAVAcajamar'00CF9098 <AnsiString> 'TRAVAOpenbank'00CF90B0 <AnsiString> 'TRAVAING'00CF90C4 <AnsiString> 'TRAVAPichincha'00CF90DC <AnsiString> 'TRAVACaixaGeral'00CF90F4 <AnsiString> 'TRAVAMediolanum'00CF910C <AnsiString> 'TRAVAUnicaja'00CF9124 <AnsiString> 'TRAVATRIODOS'00CF913C <AnsiString> 'TRAVAACTIVOBANK'00CF9154 <AnsiString> 'TRAVACecabank'00CF916C <AnsiString> 'TRAVAACTIVOBANKPT'00CF9188 <AnsiString> 'TRAVAMONTEPIOpt'00CF91A0 <AnsiString> 'TRAVAnovobancopt'00CF91BC <AnsiString> 'TRAVAsantapt'00CF91D4 <AnsiString> 'TRAVAmillenniumbcppt'00CF91F4 <AnsiString> 'TRAVACaixadirectapt'00CF9210 <AnsiString> 'TRAVAEuroBicpt'00CF9228 <AnsiString> 'TRAVACréditoAgrícola'00CF9248 <AnsiString> 'TRAVABPI'00CF925C <AnsiString> 'TRAVAPortugalBBVA'00CF9278 <AnsiString> 'TRAVABICE'00CF928C <AnsiString> 'TRAVARipley'00CF92A0 <AnsiString> 'TRAVABci'00CF92B4 <AnsiString> 'TRAVAChile'00CF92C8 <AnsiString> 'TRAVABancoEstado'00CF92E4 <AnsiString> 'TRAVABancoFalabella'00CF9300 <AnsiString> 'TRAVAItaú'00CF9314 <AnsiString> 'TRAVASantander'00CF932C <AnsiString> 'TRAVACHILEScotiabank'00CF934C <AnsiString> 'TRAVASGLOBAL'00CF93EC <AnsiString> 'RECORTEcecabank'00CF9404 <AnsiString> 'RECORTECTIVOBANK'00CF9420 <AnsiString> 'RECORTECaixaGeral'00CF943C <AnsiString> 'RECORTEBBVA'00CF9450 <AnsiString> 'RECORTELACAIXA'00CF9468 <AnsiString> 'RECORTESTDAESPANHA'00CF9484 <AnsiString> 'RECORTEBLOCKCHAIN'00CF94A0 <AnsiString> 'RECORTECAJARURAL'00CF94BC <AnsiString> 'RECORTESabadell'00CF94D4 <AnsiString> 'RECORTEBANKINTER'00CF94F0 <AnsiString> 'RECORTElaboral'00CF9508 <AnsiString> 'RECORTEBBANKIA'00CF9520 <AnsiString> 'RECORTEcajamar'00CF9538 <AnsiString> 'RECORTELiberbank'00CF9554 <AnsiString> 'RECORTEOpenbank'00CF956C <AnsiString> 'RECORTEING'00CF9580 <AnsiString> 'RECORTEPichincha'00CF959C <AnsiString> 'RECORTEibercaja'00CF95B4 <AnsiString> 'RECORTEMediolanum'00CF95D0 <AnsiString> 'RECORTEUnicaja'00CF95E8 <AnsiString> 'RECORTETRIODOS'00CF9600 <AnsiString> 'RECORTEACTIVOBANKPT'00CF961C <AnsiString> 'RECORTEnovobancopt'00CF9638 <AnsiString> 'RECORTEMONTEPIOpt'00CF9654 <AnsiString> 'RECORTEsantapt'00CF966C <AnsiString> 'RECORTEmillenniumbcppt'00CF968C <AnsiString> 'RECORTECaixadirectapt'00CF96AC <AnsiString> 'RECORTEEuroBicpt'00CF96C8 <AnsiString> 'RECORTESCréditoAgrícola'00CF96E8 <AnsiString> 'RECORTESBPI'00CF96FC <AnsiString> 'RECORTESPortugalBBVA'00CF971C <AnsiString> 'RECORTEBICE'00CF9730 <AnsiString> 'RECORTERipley'00CF9748 <AnsiString> 'RECORTEBci'00CF975C <AnsiString> 'RECORTEChile'00CF9774 <AnsiString> 'RECORTEBancoEstado'00CF9790 <AnsiString> 'RECORTEFalabella'00CF97AC <AnsiString> 'RECORTEItaú'00CF97C0 <AnsiString> 'RECORTESantander'00CF97DC <AnsiString> 'RECORTECHILEScotiabank'00CF97FC <AnsiString> 'RECORTESGLOBAL'
As already documented by ESET, the malware has a set of capabilities:
In detail, the malware performs its tasks according to the OS installed on the infected device ( label 1 – Figure 12 ). Several Windows OS target versions can be found inside the malware, namely:
Figure 12: Grandoreiro blocks of code executed during the infection process. All the highlighted labels are described below.
Label 2 shows a call that examines the affected device and creates a folder inside \AppData\Roaming where new modules can be downloaded into and also some data about the target bank portal can be temporarily stored.
Figure 13: The malware uses some in-memory paths that will be created when the target banking portal and victims’ details are collected.
Label 3 in Figure 12 shows when the process of collecting details and browser overlay is initiated. “DetonarProcesso” Portuguese word can be translated to: “Trigger process”, in English. The malware starts here its process of collecting details about the banking portal when the victim accesses a target banking website.
In addition, label 4 and label 5 are the calls responsible for creating the overlay window that will be presented on the victims’ screen.
Finally, label 6 shows that the overlay windows is presented based on the target banking organization.
During its execution, Grandoreiro collects some details about the infected device:
SELECT * FROM AntiVirusProduct
Interesting that the malware is not executed when two computer names are found. They probably are the computer names from Grandoreiro operators/developers. This is can be seen as a potential kill switch.
Figure 14: Computer names hardcoded inside the malware.
Grandoreiro is a piece of malware that has evolved over time. It has capabilities to interact with the infected machine, receiving commands from C2, and executes them inside the machine as a simple botnet.
As described by ESET on older variants; and confirmed during this analysis; the malware is capable of:
Figure 14: Grandoreiro internal commands (left side) and browser management (right side).
The malware persistence is achieved via a registry key on Windows\CurrentVersion:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunValue: C:\Users\root\AppData\Roaming\nvreadmm\Inufturiols.exe
An interesting detail in this variant is the C2 communication. The C2 IP address can be identified below, where also the name “DANILO” is visible.
Figure 15: Grandoreiro C2 IP address.
Inside the malware and based on the web traffic analysis, it’s possible to see similarities with latenbot C2-traffic (as presented here).
Figure 16: Latenbot (2017) and Grandoreiro (2020) C2-traffic similarities.
Grandoreiro operators probably are including Latenbot botnet modules as a way of improving communication between C2 and infected hosts – the creation of a kind of Grandoreiro botnet.
Figure 17: Grandoreiro C2-traffic.
As observed in ESET analysis, “the vast majority of Grandoreiro samples utilize a very interesting application of the binary padding technique. This technique is all about making the binaries large and we have seen it being used even by more sophisticated malware. We have also observed some other Latin American banking trojans employing it occasionally, but only in the simplest form of appending a large amount of junk at the end of the binary.
Grandoreiro chooses a different approach – a simple, yet very effective one. The resources section of the PE file is augmented by (usually 3) grande BMP images, making each binary at least 300 MB in size.”
The samples analyzed in May 2020 that target Portuguese users used the technique previously described.
Figure 18 below shows that the resources directory is big and populates part of the binary size.
Figure 18: PortEx padding analysis – Grandoreiro May 2020.
Three BMP images were specially created by Grandoreiro operators as a way of enlarging the size of binary file. Notice that the PE file size is 331 MB and 322 MB are only populated by three BMP resources (the technique used by malware operators in past samples).
Figure 19: BMP resources used by Grandoreiro malware to increase file size and to bypass AV’s detection.
During May 2020 was observed that many phishing emails targeting Portuguese users were disseminated via a spam tool called: Leaf PHPMailer 2.8. Crooks compromise several servers and are using tools like this to sent malicious emails to a large group of users.
Below is presented a screenshot from a compromised server we analyzed during this investigation.
Figure 20: Spam tool used by Grandoreiro operators to disseminate malscam campaigns in-the-wild in Portugal.
Finally, the malware server online with the ISO files, spam tool, and C2 were decommissioned at the moment of writing this publication.
Additional details, including the Indicators of Compromise (IOCs), are available in the analysis published by Pedro Tavares.
About the author Pedro Tavares
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
(SecurityAffairs – Grandoreiro Malware, hacking)