GRANDOREIRO: fraud based on code injections and phishing

Grandoreiro (also known as Delephant) is one of the most active Windows banking trojans in recent months. Its developers seem to be especially interested in Spanish and Latin American users, since the affected banking entities belong to these regions.

One of the main characteristics of this banking malware is its fraud strategy, which stands out when compared with other popular approaches, such as injecting code into the victim's browser to intercept credentials or to display phishing web injects.

In the case of Grandoreiro, its developers have created a remote access tool (RAT) that gives them almost complete control over the infected system, allowing them to do much more than steal credentials if they so wish. The attackers use this trojan to steal money from their victims' accounts, and to do so they abuse sessions the victim has already logged into on the banking entity's website: the connection to the control server is established when the user visits the entity's website.

This banker was born in Brazil, or at least that is what is suggested by the strings found in it, the encryption used to hide them, and the language in which it is developed, Delphi, which is very popular among Brazilian malware authors. It has been with us since 2017, when it began affecting Brazilian entities; however, in mid-2019 the first samples appeared that added Spanish and Mexican entities to the list of Brazilian targets.

During the analysis of different samples, several functionalities have been discovered that allow the criminals to successfully steal their victims' money. Fake forms are displayed to steal the single-use codes used to authorize different actions on the victims' accounts, and the malware also performs keylogging and steals passwords stored in the user's browser. This functionality, combined with remote control of the computer, is the combination the attackers are using to make money.

Below are the technical details that make this trojan truly dangerous, including the malware's infection and spread techniques, its remote control and credential theft functionality, and other notable capabilities.


GRANDOREIRO: a malware with a fraud strategy based on code injections and phishing to intercept credentials

Grandoreiro is one of the most active desktop banking trojans in recent months, causing a substantial amount of damage to banks and users in Spain and Latin America.

After analyzing different samples, we can see that its main strategy for stealing its victims' money is based on committing the fraud from the user's own computer.



Posted by David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of buguroo’s development team, managing task distribution and negotiating with the Head of Technology.