Labs - Malware Analysis

GRANDOREIRO: fraud based on code injections and phishing

Written by David Morán | Jan 2, 2021 5:40:00 PM

Grandoreiro (also known as Delephant) is one of the most active Windows banking trojans in recent months. Its developers seem to be especially interested in Spanish and Latin American users, since the affected banking entities belong to these regions.

One of the main characteristics of this banking malware is its fraud strategy, which stands out when compared to other popular strategies such as the use of code injections on the victim's browser to intercept credentials or to show phishing web injections.

In the case of Grandoreiro, its developers have created a remote control tool (RAT), which allows them to have almost complete control over the infected system, allowing them to do more than just steal credentials if they so wish. The attackers are using this trojan to steal money from the accounts of their victims, and to do so they are taking advantage of the sessions logged into on the entity's website, since the connection with the control server is established by a website that the user accesses on the entity's website.

This banker was born in Brazil, or at least that's what's suggested by the strings found in it, the encryption used to hide them and the language in which it is developed, Delphi, which is a very popular language among Brazilian malware. It has been with us since 2017, at which time it began affecting Brazilian entities; however, in mid-2019 the first samples began to be seen that added Spanish and Mexican entities to the list of Brazilian entities.

During the analysis of different samples, several functionalities have been discovered that allow criminals to successfully steal their victims' money. Fake forms are included to steal single-use codes, used to authorize different actions on victims' accounts, in addition to being used for keylogging and to steal passwords stored in the user's browser. This functionality, together with the remote control of the computer, is the perfect combination that attackers are using to make money.

Below are the technical details that this trojan includes that make it truly dangerous, including the malware's infection and spread techniques, remote control and credential theft functionality, and other interesting functionalities.