
Grandoreiro

Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)
ID: S0531
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 10 Nov 2020
Last Modified: 11 Apr 2024

Techniques Used

Domain | ID | Name | Use
Enterprise T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control

Grandoreiro can bypass UAC by registering as the default handler for .MSC files.(Citation: ESET Grandoreiro April 2020)

Enterprise T1087.003 Account Discovery: Email Account

Grandoreiro can parse Outlook .pst files to extract e-mail addresses.(Citation: ESET Grandoreiro April 2020)

Enterprise T1071.001 Application Layer Protocol: Web Protocols

Grandoreiro has the ability to use HTTP in C2 communications.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Grandoreiro can use run keys and create link files in the startup folder for persistence.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)

Enterprise T1547.009 Boot or Logon Autostart Execution: Shortcut Modification

Grandoreiro can write or modify browser shortcuts to enable launching of malicious browser extensions.(Citation: IBM Grandoreiro April 2020)

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

Grandoreiro can use VBScript to execute malicious code.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)

Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers

Grandoreiro can steal cookie data and credentials from Google Chrome.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)

Enterprise T1568.002 Dynamic Resolution: Domain Generation Algorithms

Grandoreiro can use a DGA for hiding C2 addresses, including use of an algorithm with a user-specific key that changes daily.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)

Enterprise T1573.002 Encrypted Channel: Asymmetric Cryptography

Grandoreiro can use SSL in C2 communication.(Citation: IBM Grandoreiro April 2020)

Enterprise T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Grandoreiro can modify the ACL on a security tool's binary to prevent the tool from running.(Citation: ESET Grandoreiro April 2020)

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running.(Citation: ESET Grandoreiro April 2020)

Enterprise T1562.004 Impair Defenses: Disable or Modify System Firewall

Grandoreiro can block the Diebold Warsaw GAS Tecnologia security tool at the firewall level.(Citation: ESET Grandoreiro April 2020)

Enterprise T1070.004 Indicator Removal: File Deletion

Grandoreiro can delete .LNK files created in the Startup folder.(Citation: ESET Grandoreiro April 2020)

Enterprise T1056.001 Input Capture: Keylogging

Grandoreiro can log keystrokes on the victim's machine.(Citation: ESET Grandoreiro April 2020)

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Grandoreiro has named malicious browser extensions and update files to appear legitimate.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)

Enterprise T1027.001 Obfuscated Files or Information: Binary Padding

Grandoreiro has added BMP images to the resources section of its Portable Executable (PE) file, increasing each binary to at least 300MB in size.(Citation: ESET Grandoreiro April 2020)

Enterprise T1027.011 Obfuscated Files or Information: Fileless Storage

Grandoreiro can store its configuration in the Registry at `HKCU\Software\` under frequently changing names including %USERNAME% and ToolTech-RM.(Citation: ESET Grandoreiro April 2020)

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)

Enterprise T1566.002 Phishing: Spearphishing Link

Grandoreiro has been spread via malicious links embedded in e-mails.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)

Enterprise T1518.001 Software Discovery: Security Software Discovery

Grandoreiro can list installed security products, including the Trusteer and Diebold Warsaw GAS Tecnologia online banking protections.(Citation: ESET Grandoreiro April 2020)

Enterprise T1218.007 System Binary Proxy Execution: Msiexec

Grandoreiro can use MSI files to execute DLLs.(Citation: Securelist Brazilian Banking Malware July 2020)

Enterprise T1204.001 User Execution: Malicious Link

Grandoreiro has used malicious links to gain execution on victim machines.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)

Enterprise T1204.002 User Execution: Malicious File

Grandoreiro has infected victims via malicious attachments.(Citation: IBM Grandoreiro April 2020)

Enterprise T1497.001 Virtualization/Sandbox Evasion: System Checks

Grandoreiro can detect VMware via its I/O port and Virtual PC via the vpcext instruction.(Citation: ESET Grandoreiro April 2020)

Enterprise T1102.001 Web Service: Dead Drop Resolver

Grandoreiro can obtain C2 information from Google Docs.(Citation: Securelist Brazilian Banking Malware July 2020)

Enterprise T1102.002 Web Service: Bidirectional Communication

Grandoreiro can utilize web services, including Google Sites, to send and receive C2 data.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)
