Detection Content: Grandoreiro Banking Trojan

Latin American banking trojans are just about to make a separate trend in malware writing. Adversaries regularly create new Trojans or Exploit Kits to attack bank users in Brazil, Mexico, and Peru, and with each new malicious campaign expand their target lists first to neighboring countries, and then to worldwide campaigns. In our recently published Rule Digest, we observed a rule to detect one of these nameless trojans. And today, a campaign spreading Grandoreiro malware strain has come into our view.

Grandoreiro is a Delphi-written banking trojan that has been active at least since 2017 targeting Brazil and Peru, expanding to Mexico and Spain in 2019, and now extending to Portugal. At the end of last month, researchers discovered a spam campaign aimed at delivering an updated Grandoreiro banking trojan to users in the above-mentioned countries. The updated malware includes improvements in the way it is operating. The threat has been disseminating via malspam campaigns, as in the past, and the name of the victim is used as a part of the malicious attachment name. Grandoreiro has backdoor functionality and can manipulate windows, capture keystrokes, simulate mouse and keyboard actions, and navigate the victim’s browser to a chosen URL.

New Den Iuzvik‘s community rule can uncover Grandoreiro banking trojan when it attempts to disable banking access protection software:

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio 

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint


Tactics: Defense Evasion

Techniques: File and Directory Permissions Modification (T1222)