A new Grandoreiro banking trojan campaign has been ongoing since March 2024, following the disruption by law enforcement in January.<\/h2>\n\n\n\n
IBM X-Force warns of a new Grandoreiro<\/strong><\/a> banking trojan campaign that has been ongoing since March 2024. Operators behind the Grandoreiro banking trojan have resumed operations following a law enforcement takedown in January. <\/p>\n\n\n\n
Grandoreiro is a modular backdoor that supports the following capabilities:
- \n
- Keylogging<\/li>\n\n\n\n
- Auto-Updation for newer versions and modules<\/li>\n\n\n\n
- Web-Injects and restricting access to specific websites<\/li>\n\n\n\n
- Command execution<\/li>\n\n\n\n
- Manipulating windows<\/li>\n\n\n\n
- Guiding the victim\u2019s browser to a certain URL<\/li>\n\n\n\n
- C2 Domain Generation via DGA (Domain Generation Algorithm)<\/li>\n\n\n\n
- Imitating mouse and keyboard movements\n
![\"Grandoreiro\u00a0\"](\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2024\/05\/image-17.png?resize=932%2C1024&ssl=1\")
<\/a><\/figure><\/div>\n\n\nThe loader prevents the execution in a sandbox by verifying if the client is a legitimate victim, it enumerates basic victim data and sends it back to its C2. Finally the loader downloads, decrypts and executes the Grandoreiro banking trojan.
- <\/ol>\n\n\n\n
The malware doesn’t continue execution if the public IP associated with infected systems was from Russia, Czechia, Poland, or the Netherlands. It also prevented infections on Windows 7 machines in the US without antivirus.<\/p>\n\n\n\n
The banking Trojan establishes persistence via the Windows registry, then it uses a reworked DGA to connect with a C2 server awaiting further instructions.<\/p>\n\n\n\n
“One of Grandoreiro\u2019s most interesting features is its capability to spread by harvesting data from Outlook and using the victim\u2019s account to send out spam emails. There are at least 3 mechanisms implemented in Grandoreiro to harvest and exfiltrate email addresses, with each using a different DGA seed.” states the report. “By using the local Outlook client for spamming, Grandoreiro can spread through infected victim inboxes via email, which likely contributes to the large amount of spam volume observed from Grandoreiro.”<\/p>\n\n\n\n
To interact with the local Outlook client, the malware relies on\u00a0the Outlook Security Manager tool<\/a>, preventing that the Outlook Object Model Guard triggers security alerts if it detects access on protected objects.<\/p>\n\n\n\n
Follow me on Twitter:\u00a0@securityaffairs<\/strong><\/a>\u00a0and\u00a0Facebook<\/strong><\/a>\u00a0and\u00a0Mastodon<\/a>
Pierluigi Paganini<\/strong><\/a><\/p>\n\n\n\n
(<\/strong>SecurityAffairs<\/strong><\/a>\u00a0\u2013<\/strong>\u00a0hacking, banking Trojan)<\/strong><\/p>\n\n\n\n
![\"Grandoreiro\u00a0\"](\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2024\/05\/image-17.png?ssl=1\")
<\/a><\/figure><\/div>\n\n\n