Grandoreiro
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
Grandoreiro can bypass UAC by registering as the default handler for .MSC files.(Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1087 | .003 | Account Discovery: Email Account |
Grandoreiro can parse Outlook .pst files to extract e-mail addresses.(Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Grandoreiro has the ability to use HTTP in C2 communications.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Grandoreiro can use run keys and create link files in the startup folder for persistence.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020) |
| .009 | Boot or Logon Autostart Execution: Shortcut Modification |
Grandoreiro can write or modify browser shortcuts to enable launching of malicious browser extensions.(Citation: IBM Grandoreiro April 2020) |
||
| Enterprise | T1059 | .005 | Command and Scripting Interpreter: Visual Basic |
Grandoreiro can use VBScript to execute malicious code.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Grandoreiro can steal cookie data and credentials from Google Chrome.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1568 | .002 | Dynamic Resolution: Domain Generation Algorithms |
Grandoreiro can use a DGA for hiding C2 addresses, including use of an algorithm with a user-specific key that changes daily.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
Grandoreiro can use SSL in C2 communication.(Citation: IBM Grandoreiro April 2020) |
| Enterprise | T1222 | .001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification |
Grandoreiro can modify the binary ACL to prevent security tools from running.(Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running.(Citation: ESET Grandoreiro April 2020) |
| .004 | Impair Defenses: Disable or Modify System Firewall |
Grandoreiro can block the Deibold Warsaw GAS Tecnologia security tool at the firewall level.(Citation: ESET Grandoreiro April 2020) |
||
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Grandoreiro can delete .LNK files created in the Startup folder.(Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Grandoreiro can log keystrokes on the victim's machine.(Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Grandoreiro has named malicious browser extensions and update files to appear legitimate.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
Grandoreiro has added BMP images to the resources section of its Portable Executable (PE) file increasing each binary to at least 300MB in size.(Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1566 | .002 | Phishing: Spearphishing Link |
Grandoreiro has been spread via malicious links embedded in e-mails.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Grandoreiro can list installed security products including the Trusteer and Diebold Warsaw GAS Tecnologia online banking protections.(Citation: ESET Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020) |
| Enterprise | T1218 | .007 | System Binary Proxy Execution: Msiexec |
Grandoreiro can use MSI files to execute DLLs.(Citation: Securelist Brazilian Banking Malware July 2020) |
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
Grandoreiro has used malicious links to gain execution on victim machines.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020) |
| .002 | User Execution: Malicious File |
Grandoreiro has infected victims via malicious attachments.(Citation: IBM Grandoreiro April 2020) |
||
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
Grandoreiro can detect VMWare via its I/O port and Virtual PC via the |
| Enterprise | T1102 | .001 | Web Service: Dead Drop Resolver |
Grandoreiro can obtain C2 information from Google Docs.(Citation: Securelist Brazilian Banking Malware July 2020) |
| .002 | Web Service: Bidirectional Communication |
Grandoreiro can utilize web services including Google sites to send and receive C2 data.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020) |
||
References
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
- GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
- Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.