
Grandoreiro

Posted: April 14, 2020

Grandoreiro is a banking Trojan that tampers with Web browsing by overlaying content on top of the real page, such as imitation login requests for banking sites. Although it retains the traditional banking Trojan association with South America, it also targets banking customers in Spain. Victimized users should let their anti-malware services remove Grandoreiro and contact their bank immediately for instructions on further re-securing their accounts.

Bank Robbery Takes a Trip Overseas

Banking Trojans targeting customers with high-maintenance, low-sophistication attacks like Web-browsing overlays or fake UIs are a tradition among South American countries, especially Brazil. Threat actors are, however, looking into plying the same trade abroad. By targeting the most linguistically compatible demographic, Grandoreiro seems to be making its work easy for itself.

Beyond its established presence in South America, Grandoreiro is also spreading through Spain, via Web links in e-mails or text messages. The first stage is a Trojan downloader (usually a fake invoice with an MSI extension) that retrieves Grandoreiro from a hard-coded location. This setup stage displays a Spanish-language message about installing a fictitious security application; it is the most visible sign of the attack and may warn a user of the danger. Additionally, malware experts note that Grandoreiro has a victim-filtering option that prevents installation when the infection date doesn't match that of an ongoing campaign.

Grandoreiro piggybacks off of google.com infrastructure for its C&C communications, which alert the threat actor for further action and pass along data (copy-pasted credentials, system stats, etc.). The Trojan then hijacks the Chrome browser to generate Web page overlays that let the attackers supervise the deception of bank customers. Grandoreiro's method is technically notable for avoiding the 'normal' approach of hooking into the browser's process: the banking Trojan instead uses a malicious extension and changes Chrome's shortcut so that the browser auto-launches with that extension. Users who avoid the modified shortcut can launch the regular version of the browser without the extension.
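A defender-side check for the shortcut tampering described above, as an added example that is not part of the original write-up: it parses the argument string of a Windows .lnk file and flags Chrome's extension side-loading switches. The `--load-extension` switch, the extension folder path and the in-memory sample shortcut are assumptions about how such tampering is typically done, not details taken from this page.

```python
import re
import struct

# Shell Link (.lnk) layout, per the public MS-SHLLINK format description.
HEADER_SIZE = 0x4C
CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
STRING_FIELDS = (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON)
SIDELOAD_SWITCHES = ("--load-extension", "--disable-extensions-except")  # Chrome switches


def lnk_strings(data: bytes) -> dict:
    """Parse the StringData section of a .lnk and return its fields keyed by flag."""
    if len(data) < HEADER_SIZE or data[:4] != b"L\x00\x00\x00":
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:            # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:          # skip LinkInfo (4-byte size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for flag in STRING_FIELDS:         # fixed order; each is count + chars, no NUL
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            fields[flag] = data[pos:pos + count * width].decode(enc)
            pos += count * width
    return fields


def shortcut_findings(data: bytes) -> dict:
    """Flag a browser shortcut whose arguments side-load an extension."""
    args = lnk_strings(data).get(HAS_ARGS, "")
    hits = [sw for sw in SIDELOAD_SWITCHES if sw in args]
    paths = re.findall(r'--load-extension="?([^" ]+)"?', args)
    return {"args": args, "switches": hits, "extension_paths": paths}


def build_lnk(args: str, rel_path: str = r"..\chrome.exe") -> bytes:
    """Construct a minimal Unicode .lnk in memory (constructed sample, not a real file)."""
    flags = IS_UNICODE | HAS_REL_PATH | HAS_ARGS
    header = struct.pack("<I16sI", HEADER_SIZE, CLSID, flags).ljust(HEADER_SIZE, b"\x00")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args))
    return header + body


if __name__ == "__main__":
    tampered = build_lnk(r'--load-extension="C:\Users\Public\upd\ext"')  # constructed path
    print(shortcut_findings(tampered))
```

On a real host, feed `shortcut_findings` the bytes of the Chrome shortcuts on the desktop, taskbar and Start menu; any hit with a path outside the browser's own install or profile directories deserves a closer look.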

Shooing Thieving Hands from the Chrome Cookie Jar

Grandoreiro's final stage of attack involves the threat actor faking online banking services by inserting additional requests for passwords or other credentials. Doing so lets them carry out transactions to their own accounts while also blocking the user's view of the real bank page underneath the overlay. The overlays generally are heavily customized for regionally appropriate banks and show few visual warning signs or discrepancies.

This banking Trojan also uses its extension to exfiltrate cookies. Malware experts rate it as likely that the attackers use the cookies to continue the user's Web sessions on their own devices, which lets them interact with the bank accounts as if they were the owners. This arguably renders further control over the infected PC redundant, since money transfers can take place even after the Trojan's removal.

Users may notice unwanted reboots during Grandoreiro's setup routine but shouldn't depend on such symptoms to detect the threat. The best solution is to use a reputable anti-malware product to contain and delete Grandoreiro, like all banking Trojans, outright.

Grandoreiro's trip to another continent is newsworthy, not just for the new victims, but as a sign of things to come. If additional language support comes along with it, Grandoreiro may become a problem for far more of Europe than just Spain.
