GRANDOREIRO: fraud based on code injections and phishing


Grandoreiro (also known as Delephant) is one of the most active Windows banking trojans in recent months. Its developers seem to be especially interested in Spanish and Latin American users, since the affected banking entities belong to these regions.

One of the main characteristics of this banking malware is its fraud strategy, which stands out when compared with other popular approaches, such as injecting code into the victim's browser to intercept credentials or to display phishing web injections.

In the case of Grandoreiro, its developers have created a remote control tool (RAT) that gives them almost complete control over the infected system, so they can do far more than steal credentials if they so wish. The attackers use this trojan to steal money from their victims' accounts, and to do so they take advantage of sessions the user has already logged into on the banking entity's website: the connection with the control server is established when the user accesses the entity's website.

This banker was born in Brazil, or at least that is what is suggested by the strings found in it, the encryption used to hide them, and the language it is developed in, Delphi, which is very popular among Brazilian malware authors. It has been with us since 2017, when it began affecting Brazilian entities; however, in mid-2019 the first samples appeared that added Spanish and Mexican entities to the list of Brazilian targets.

During the analysis of different samples, several functionalities have been discovered that allow criminals to successfully steal their victims' money. Fake forms are included to steal the single-use codes used to authorize different actions on the victims' accounts; the malware also performs keylogging and steals passwords stored in the user's browser. This functionality, together with the remote control of the computer, is the perfect combination that attackers are using to make money.

Below are the technical details that make this trojan truly dangerous, including its infection and spread techniques, its remote control and credential theft functionality, and other interesting features.


GRANDOREIRO: a malware with a fraud strategy based on code injections and phishing to intercept credentials

Grandoreiro is one of the most active desktop banking trojans in recent months, causing substantial damage to banks and users in Spain and Latin America.

After analyzing different samples, we can see that the main strategy for stealing the money of its victims is based on committing the crime from the user's own computer.


Posted by David García

In his more than 9-year professional career, he has been involved in multiple projects, the most important being in the fields of managed security, anti-fraud and ethical hacking services, and malware analysis. He has contributed his know-how and security-related improvements to a wide variety of fraud and vulnerability analysis products. He currently oversees the smooth running of our different products and researches current fraud developments in order to showcase buguroo overseas as well as providing the development department with feedback on the latest malware and cybercriminal trends.
