Banking malware has been a tried-and-true cash cow for adversaries for a long time now. One such efficient tool in malware distribution campaigns targeting the banking sector is the remote-overlay banking trojan Grandoreiro. The trojan was first detected in 2016 (though some researchers claim the malware first surfaced in 2017), being used against targets in Latin America. In the latest campaign, Grandoreiro was spotted spreading via tax-themed phishing emails, using the same attack vector as in previous campaigns. The hackers behind Grandoreiro targeted victims in Brazil, Spain, and Mexico.
To help organizations better protect their infrastructure, our keen Threat Bounty developers Furkan Celik and Nattatorn Chuensangarun have recently released dedicated Sigma rules that enable speedy Grandoreiro malware detection. Registered users can download these rules from SOC Prime’s Detection as Code platform.
If you are new to the platform, you can browse a vast collection of Sigma rules with relevant threat context, CTI and MITRE ATT&CK references, and CVE descriptions, and get updates on threat hunting trends. No registration is required!
An exhaustive repository of detection content compatible with all industry-leading SIEM, EDR, and XDR solutions, built to strengthen the basis for security monitoring, is accessible through the Threat Detection Marketplace upon registration on the SOC Prime Platform. Press the View Detections button to access the full collection of Sigma rules dedicated to detecting Grandoreiro malware. SOC Prime also gives skilled threat hunters an opportunity to share their Sigma and YARA rules with a vast community of security practitioners, get support and acknowledgment from fellow professionals, and turn it into a valuable revenue stream.
Grandoreiro is a Delphi-written trojan designed to let its operators take over targeted devices. Its main goal is to initiate a fraudulent money transfer from the target’s account. Once in the system, Grandoreiro is used for keylogging, stealing data, and monitoring the victim’s operations on internet banking websites or applications.
Trustwave SpiderLabs detailed the latest campaign, launched in mid-spring 2022. According to the research data, adversaries target bank customers by delivering the malware via spam campaigns; the attack vector has not changed since the first documented distributions of this malware. The victim receives a phishing lure: an email in Portuguese, with the adversaries behind it mimicking the legitimate Tax Administration Service. A fake memo features a URL that fetches a weaponized PDF file. If the target takes the bait and opens the malicious PDF, which claims to come from DocuSign, chances are they will end up downloading a ZIP file containing an MSI installer. The installer then downloads the final payload, but only for targets whose IP addresses are located in the aforementioned countries.
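The delivery chain above (phishing PDF, ZIP download, MSI installer launched by the user) leaves a recognizable trace in endpoint process-creation telemetry: msiexec.exe running a package that sits in a download or temp folder, started by a user-facing parent such as Explorer or a PDF reader. The script below is an added illustration of that detection logic in Python; it is not one of the Sigma rules published on the SOC Prime platform and does not come from the Trustwave research. It assumes Sysmon-style event fields (Image, CommandLine, ParentImage, User), and every sample event it processes is constructed for the example.

```python
"""Heuristic detection for the delivery chain described above: a phishing
PDF leads to a ZIP download whose MSI installer is run from a user-writable
folder.  Added illustration only, not one of the Sigma rules on the SOC
Prime platform; the event fields (Image, CommandLine, ParentImage, User)
follow the Sysmon process-creation layout and every sample event below is
constructed, not captured from a real infection."""
import json
import re
from typing import Optional

# Any .msi path on the command line, quoted or not (msiexec /i, /package,
# or a bare path produced by a double-click all end up here).
MSI_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.msi)\b', re.IGNORECASE)

# Locations an IT-deployed package normally comes from; skipped to cut noise.
TRUSTED_DIRS = ("c:\\windows\\installer\\", "c:\\program files", "c:\\programdata\\")

# Locations a user (or a mail/web download) can write to.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\", "\\temp\\")

# Parents that mean a person opened the file rather than a deployment tool.
USER_FACING_PARENTS = {"explorer.exe", "acrord32.exe", "acrobat.exe", "chrome.exe",
                       "msedge.exe", "firefox.exe", "outlook.exe", "7zfm.exe", "winrar.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None if benign."""
    if basename(event.get("Image", "")) != "msiexec.exe":
        return None
    match = MSI_PATH_RE.search(event.get("CommandLine", ""))
    if not match:
        return None          # e.g. the msiexec service itself (/V) or /x {ProductCode}
    package = match.group(1)
    lowered = package.lower()
    if lowered.startswith(TRUSTED_DIRS):
        return None
    if not any(hint in lowered for hint in USER_WRITABLE):
        return None          # necessary condition: the package sits where a download lands
    reasons = [f"MSI package in user-writable path: {package}"]
    parent = basename(event.get("ParentImage", ""))
    if parent in USER_FACING_PARENTS:
        reasons.append(f"launched by user-facing parent: {parent}")
    if ".zip\\" in lowered:
        reasons.append("package opened straight out of a ZIP archive")
    return {
        "user": event.get("User", "?"),
        "package": package,
        "severity": "high" if len(reasons) >= 2 else "medium",
        "reasons": reasons,
    }


def scan(events) -> list:
    """Run analyze_event over an iterable of events, keeping only findings."""
    return [f for f in (analyze_event(e) for e in events) if f]


# Constructed sample events (JSON lines): two benign, two matching the chain.
SAMPLE_LOG = r'''
{"Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "C:\\Windows\\system32\\msiexec.exe /V", "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "msiexec.exe /i \"C:\\Windows\\Installer\\1a2b3c.msi\" /qn", "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "\"C:\\Windows\\System32\\msiexec.exe\" /i \"C:\\Users\\ana\\AppData\\Local\\Temp\\Temp1_Aviso_Fiscal.zip\\Aviso_Fiscal.msi\"", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\ana"}
{"Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "msiexec /qn /i C:\\Users\\carlos\\Downloads\\setup.msi", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\carlos"}
'''

SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

The user-writable package path is the necessary condition; the parent process and the "opened from inside a ZIP" path shape only raise severity, so a scripted install from a Downloads folder is still surfaced at medium rather than dropped. In a real deployment the trusted-directory and parent lists would be tuned to the organization's own software deployment tooling.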
Analysis of Grandoreiro shows that adversaries deploy the trojan in Latin America every year, aiming to capitalize on the tax season.
Security leaders can improve compliance, risk management, and monitoring and detection capabilities with SOC Prime to ensure their system is not a sitting duck for hackers.