ESET has collaborated with the Federal Police of Brazil in an try and disrupt the Grandoreiro botnet. ESET contributed to the mission by offering technical evaluation, statistical info, and recognized command and management (C&C) server domains and IP addresses. As a consequence of a design flaw in Grandoreiro’s community protocol, ESET researchers had been additionally in a position to get a glimpse into the victimology.
ESET automated methods have processed tens of 1000’s of Grandoreiro samples. The area era algorithm (DGA) the malware has used since round October 2020 produces one primary area, and optionally a number of failsafe domains, per day. The DGA is the one method Grandoreiro is aware of report back to a C&C server. Apart from the present date, the DGA accepts static configuration as effectively – we’ve got noticed 105 such configurations as of this writing.
Grandoreiro’s operators have abused cloud suppliers akin to Azure and AWS to host their community infrastructure. ESET researchers supplied information essential to figuring out the accounts answerable for establishing these servers. Additional investigation carried out by the Federal Police of Brazil led to the identification and arrest of the people answerable for these servers. On this blogpost, we have a look at how we obtained the info to help legislation enforcement to execute this disruption operation.
Background
Grandoreiro is one in every of many Latin American banking trojans. It has been lively since not less than 2017 and ESET researchers have been carefully monitoring it ever since. Grandoreiro targets Brazil and Mexico, and since 2019 Spain as effectively (see Determine 1). Whereas Spain was essentially the most focused nation between 2020 and 2022, in 2023 we noticed a transparent swap of focus in direction of Mexico and Argentina, the latter being new to Grandoreiro.
Performance-wise, Grandoreiro hasn’t modified very a lot since our final blogpost in 2020. We provide a short overview of the malware on this part and dive into the few adjustments, primarily new DGA logic, later.
When a Latin American banking trojan efficiently compromises a machine, it normally points an HTTP GET request to a distant server, sending some primary details about the compromised machine. Whereas older Grandoreiro builds carried out this function, over time, the builders determined to drop it.
Grandoreiro periodically screens the foreground window to seek out one which belongs to an online browser course of. When such a window is discovered and its identify matches any string from a hardcoded listing of bank-related strings, then and solely then the malware initiates communication with its C&C server, sending requests not less than as soon as a second till terminated.
The operator has to work together manually with the compromised machine so as to steal a sufferer’s cash. The malware permits:
- blocking the display screen of the sufferer,
- logging keystrokes,
- simulating mouse and keyboard exercise,
- sharing the sufferer’s display screen, and
- displaying pretend pop-up home windows.
Grandoreiro undergoes fast and fixed improvement. Sometimes, we even noticed a number of new builds per week, making it troublesome to maintain monitor. To exhibit, in February 2022, Grandoreiro’s operators added a model identifier to the binaries. In Determine 2 we present how shortly the model identifier modified. On common, it was a brand new model each 4 days between February 2022 and June 2022. Within the month-long hole between Might 24th, 2022 and June 22nd, 2022 we continued to see new samples with progressing PE compilation occasions, however they lacked the model identifier. On June 27th, 2022 the model identifier modified to V37 and we haven’t seen it change since then, leaving us to conclude that this function was dropped.
Latin American banking trojans share a whole lot of commonalities. Grandoreiro is much like different Latin American banking trojans primarily by the apparent core performance and in bundling its downloaders inside MSI installers. Previously, we’ve got noticed a couple of circumstances the place its downloaders had been shared with Mekotio and Vadokrist, although not within the final two years. The Grandoreiro banking trojan’s primary distinction from the opposite households had been its distinctive binary padding mechanism that massively engorges the ultimate executable (described in our blogpost in 2020). Over time, Grandoreiro’s operators added this anti-analysis approach to its downloaders as effectively. To our shock, in Q3 2023, this function was utterly dropped from the banking trojan and downloader binaries and we haven’t noticed it since.
Since February 2022, we’ve got been monitoring a second variant of Grandoreiro that differs considerably from the primary one. We noticed it, in small campaigns, in March, Might, and June 2022. Based mostly on the overwhelming majority of its C&C server domains not resolving, its core options altering very often, and its community protocol not functioning correctly, we strongly consider it’s a work in progress; therefore we are going to deal with the primary variant on this blogpost.
Grandoreiro long-term monitoring
ESET methods designed for automated, long-term monitoring of chosen malware households have been monitoring Grandoreiro because the finish of 2017, extracting model info, C&C servers, targets and, because the finish of 2020, DGA configurations.
DGA monitoring
The DGA configuration is hardcoded within the Grandoreiro binary. Every configuration will be referred to by a string we name dga_id. Utilizing completely different configurations for the DGA yields completely different domains. We dive deeper into the DGA mechanism later within the textual content.
ESET has extracted a complete of 105 completely different dga_ids from the Grandoreiro samples recognized to us. 79 of those configurations not less than as soon as generated a website that resolved to an lively C&C server IP tackle throughout the course of our monitoring.
The generated domains are registered through No-IP’s Dynamic DNS service (DDNS). Grandoreiro’s operators abuse the service to incessantly change their domains to correspond with the DGA and to alter IP addresses at will. The overwhelming majority of the IP addresses these domains resolve to are supplied by cloud suppliers, primarily AWS and Azure. Desk 1 illustrates some statistics about IP addresses used for Grandoreiro C&C servers.
Desk 1. Statistical details about Grandoreiro C&C IP addresses since we began our monitoring
Info | Common | Minimal | Most |
Variety of new C&C IP addresses per day | 3 | 1 | 34 |
Variety of lively C&C IP addresses per day | 13 | 1 | 27 |
Lifespan of C&C IP tackle (in days) | 5 | 1 | 425 |
Very quickly after we started to trace the generated domains and their related IP addresses, we began to note that many domains generated by DGAs with completely different configurations resolve to the identical IP tackle (as illustrated in Determine 3). Because of this on a given day, victims compromised by Grandoreiro samples with completely different dga_id all related to the identical C&C server. This phenomenon was no coincidence – we noticed it nearly every day throughout our monitoring.
On a lot rarer events, we’ve got additionally noticed an IP tackle being reused by a unique dga_id a couple of days later. Solely this time, the parameters Grandoreiro used to ascertain a connection (defined later within the textual content) modified as effectively. Because of this, within the meantime, the C&C server aspect should have been reinstalled or reconfigured.
Our preliminary assumption was that the dga_id is exclusive for every DGA configuration. This later proved to be incorrect – we’ve got noticed two units of various configurations sharing the identical dga_id. Desk 2 reveals each of them, “jjk” and “gh”, the place “jjk” and “jjk(2)” correspond to 2 completely different DGA configurations, identical as “gh” and “gh(2)”.
Desk 2 reveals the clusters we had been in a position to observe. All DGA configurations that shared not less than one IP tackle are in the identical cluster and their related dga_ids are listed. Clusters that account for lower than 1% of all victims are disregarded.
Desk 2. Grandoreiro DGA clusters
Cluster ID |
dga_id listing |
Cluster measurement |
% of all C&C servers |
% of all victims |
1 |
b, bbh, bbj, bbn, bhg, cfb, cm, cob, cwe, dee, dnv, dvg, dzr, E, eeo, eri, ess, fhg, fox, gh, gh(2), hjo, ika, jam, jjk, jjk(2), JKM, jpy, ok, kcy, kWn, md7, md9, MRx, mtb, n, Nkk, nsw, nuu, occ, p, PCV, pif, rfg, rox3, s, sdd, sdg, sop, tkk, twr, tyj, u, ur4, vfg, vgy, vki, wtt, ykl, Z, zaf, zhf |
62 |
93.6% |
94% |
2 |
jl2, jly |
2 |
2.4% |
2.5% |
3 |
ibr |
1 |
0.8% |
1.6% |
4 |
JYY |
1 |
1.6% |
1.1% |
The largest cluster incorporates 78% of all lively dga_ids. It’s answerable for 93.6% of all C&C server IP addresses and 94% of all victims we’ve seen. The one different cluster consisting of greater than 1 dga_id is cluster 2.
Some sources declare that Grandoreiro operates as malware-as-a-service (MaaS). The Grandoreiro C&C server backend doesn’t permit simultaneous exercise of multiple operator directly. Based mostly on Desk 2, the overwhelming majority of DGA-produced IP addresses will be clustered along with no clear distribution sample. Lastly, contemplating the community protocol’s heavy bandwidth necessities (we dive into that on the finish of the blogpost), we consider that the completely different C&C servers are used as a primitive load-balancing system and that it’s extra doubtless that Grandoreiro is operated by a single group or by a couple of teams carefully cooperating with each other.
C&C monitoring
Grandoreiro’s implementation of its community protocol allowed ESET researchers to take a peek backstage and get a glimpse of the victimology. Grandoreiro C&C servers give away details about the related victims on the time of the preliminary request to every newly related sufferer. That mentioned, the info is biased by the variety of requests, their intervals, and the validity of the info supplied by the C&C servers.
Every sufferer related to the Grandoreiro C&C server is recognized by a login_string – a string Grandoreiro constructs upon establishing the connection. Completely different builds use completely different codecs and completely different codecs comprise completely different info. We summarize the knowledge that may be obtained from the login_string in Desk 3. The Prevalence column reveals a share of all of the codecs we’ve seen that maintain the corresponding sort of info.
Desk 3. Overview of data that may be obtained from a Grandoreiro sufferer’s login_string
Info |
Prevalence |
Description |
Working system |
100% |
OS of sufferer’s machine. |
Laptop identify |
100% |
Title of sufferer’s machine. |
Nation |
100% |
Nation that the Grandoreiro pattern targets (hardcoded within the malware pattern). |
Model |
100% |
Model (version_string) of the Grandoreiro pattern. |
Financial institution codename |
92% |
Codename of the financial institution that triggered the C&C connection (assigned by Grandoreiro’s builders). |
Uptime |
25% |
Time (in hours) that the sufferer’s machine has been working. |
Display screen decision |
8% |
Display screen decision of the sufferer’s primary monitor. |
Username |
8% |
Username of the sufferer. |
Three of the fields deserve a better rationalization. Nation is a string hardcoded within the Grandoreiro binary relatively than info obtained through acceptable companies. Due to this fact, it serves extra like an supposed nation of the sufferer.
Financial institution codename is a string Grandoreiro’s builders related to a sure financial institution or different monetary establishment. The sufferer visited that financial institution’s web site, which triggered the C&C connection.
The version_string is a string figuring out a selected Grandoreiro construct. It’s hardcoded within the malware and holds a string that identifies a selected construct collection, a model (which we already talked about within the introduction), and a timestamp. Desk 4 illustrates the completely different codecs and the knowledge they maintain. Discover that a few of the timestamps comprise solely month and day, whereas others comprise the 12 months as effectively.
Desk 4. Listing of various version_string codecs and their parsing
Model string |
Construct ID |
Model |
Timestamp |
DANILO |
DANILO |
N/A |
N/A |
(V37)(P1X)1207 |
P1X |
V37 |
12/07 |
(MX)2006 |
MX |
N/A |
20/06 |
fox50.28102020 |
fox50 |
N/A |
28/10/2020 |
MADMX(RELOAD)EMAIL2607 |
MADMX(RELOAD)EMAIL |
N/A |
26/07 |
One could also be tempted to say that the Construct ID really identifies the operator. Nevertheless, we don’t suppose that’s the case. The format of this string could be very chaotic, typically it refers solely to a month through which the binary most likely was constructed (like (AGOSTO)2708). Moreover, we strongly consider that P1X refers to a console utilized by Grandoreiro operator(s) known as PIXLOGGER.
C&C server monitoring – findings
On this part, we deal with what we’ve discovered by querying the C&C servers. All of the statistical information listed on this part has been obtained instantly from Grandoreiro C&C servers, not from ESET telemetry.
Outdated samples are nonetheless lively
Every login_string we noticed incorporates the version_string and the overwhelming majority of these comprise the timestamp info (see Desk 3 and Desk 4). Whereas a whole lot of them comprise solely day and month, as appears to be the developer’s alternative occassionally, the oldest speaking pattern was timestamped 15/09/2020 – that’s from the time this DGA was first launched to Grandoreiro. The latest pattern was timestamped 12/23/2023.
Working system distribution
Since the entire login_string codecs comprise OS info, we will paint an correct image of what working methods fell sufferer, as illustrated in Determine 4.
(Supposed) nation distribution
We already talked about that Grandoreiro makes use of a hardcoded worth as a substitute of querying a service to acquire the nation of the sufferer. Determine 5 reveals the distribution that we’ve got noticed.
This distribution is to be anticipated of Grandoreiro. Curiously, it doesn’t correlate with the heatmap depicted in Determine 1. Probably the most logical rationalization is that the builds are usually not marked correctly to resemble their supposed targets. For instance, the rise in assaults in Argentina will not be mirrored in any respect by the hardcoded marking. Brazil accounts for nearly 41% of all victims, adopted by Mexico with 30% and Spain with 28%. Argentina, Portugal, and Peru account for lower than 1%. Curiously, we’ve got seen a couple of (fewer than 10) victims marked as PM (Saint Pierre and Miquelon), GR (Greece), or FR (France). We consider these are both typos or produce other meanings relatively than aiming at these nations.
Additionally notice that whereas Grandoreiro added targets from many nations exterior of Latin America as early as 2020, we’ve got noticed few to no campaigns concentrating on these nations and Determine 5 helps this.
Variety of victims
We now have noticed that the common variety of victims related in a day is 563. Nevertheless, this quantity definitely incorporates duplicates, as a result of if a sufferer stays related for a very long time, which we’ve noticed is usually the case, then the Grandoreiro C&C server will report it on a number of requests.
Making an attempt to handle this difficulty, we outlined a distinctive sufferer as one with a novel set of figuring out traits (like pc identify, username, and many others.) whereas omitting these which are topic to alter (like uptime). With that, we ended up with 551 distinctive victims related in a day on common.
Taking into consideration that we’ve got noticed victims who had been connecting to the C&C servers consistently for over a 12 months’s interval, we calculated a mean variety of 114 new distinctive victims connecting to the C&C servers every day. We got here to this quantity by disregarding distinctive victims that we’ve got already noticed earlier than.
Grandoreiro internals
Allow us to focus, in depth, on the 2 most vital options of Grandoreiro: the DGA and the community protocol.
DGA
Grandoreiro’s operators have carried out a number of sorts of DGAs over time, with the latest one showing in July 2020. Whereas we observed a couple of minor adjustments, the core of the algorithm hasn’t change since.
The DGA makes use of a selected configuration that’s hardcoded within the binary, saved as a number of strings. Determine 6 shows one such configuration (with dga_id “bbj”), reformatted in JSON for higher readability.
Within the overwhelming majority of circumstances, the base_domain area is freedynamicdns.org or zapto.org. As already talked about, Grandoreiro makes use of No-IP for its area registration. The base64_alpha area corresponds to the customized base64 alphabet the DGA makes use of. The month_substitution is used to substitute a month quantity for a personality.
The dga_table types the primary a part of the configuration. It consists of 12 strings, every with 35 fields delimited by |. The primary entry of every line is the dga_id. The second and final entry symbolize the month the road is meant for. The remaining 32 fields every symbolize a price for a unique day of the month (leaving not less than one area unused).
The logic of the DGA is proven in Determine 7. The algorithm first selects the proper line and the proper entry from it, treating it as a four-byte key. It then codecs the present date right into a string and encrypts it with the important thing utilizing a easy XOR. It then prepends the dga_id to the consequence, encodes the consequence utilizing base64 with a customized alphabet, after which removes any = padding characters. The ultimate result’s the subdomain that, along with base_domain, is for use because the C&C server for the present day. The half highlighted in purple is a failsafe mechanism and we focus on it subsequent.
Grandoreiro has carried out, in some builds, a failsafe mechanism for when the primary area fails to resolve. This mechanism will not be current in all builds and its logic has modified a couple of occasions, however the primary concept is illustrated in Determine 7. It makes use of a configuration that’s fixed within the samples we analyzed and will be generated by the straightforward code proven in Determine 8. Every entry consists of a key, a prefix, and a base area.
The failsafe algorithm takes part of the primary C&C subdomain. It then iterates over all configuration entries, encrypts it utilizing XOR and prepends a prefix, much like the primary algorithm half.
Since September 2022, we’ve got began to look at samples that make the most of a barely modified DGA. The algorithm stays nearly similar, however relatively than base64 encoding the subdomain within the closing step, a hardcoded prefix is prepended to it. Based mostly on our monitoring, this technique has turn into the dominant one since roughly July 2023.
Community protocol
Grandoreiro makes use of RTC Portal, a set of Delphi parts constructed on high of the RealThinClient SDK which is constructed on high of HTTP(S). The RTC Portal was discontinued in 2017 and its supply code printed on GitHub. Primarily, RTC Portal permits a number of Controls to remotely entry a number of Hosts. Hosts and Controls are separated by a mediator element known as Gateway.
Grandoreiro operators use a console (appearing because the Management) to hook up with the C&C server (appearing as Gateway) and to speak with the compromised machines (appearing as Hosts). To connect with Gateway, three parameters are required: a secret key, the important thing size, and a login.
The key key’s used to encrypt the preliminary request despatched to the server. Due to this fact, the server additionally must know the key key in order to decrypt the preliminary consumer request.
The important thing size determines the size of the keys to encrypt the visitors, established throughout the handshake. The visitors is encrypted utilizing a customized stream cipher. Two completely different keys are established – one for inbound and one for outbound visitors.
The login will be any string. The Gateway requires every related element to have a novel login.
Grandoreiro makes use of two completely different combos of secret key and key size values, at all times hardcoded within the binary, and we already mentioned the login_string that’s used because the login.
The RTC documentation states that it might solely deal with a restricted variety of connections directly. Contemplating that every related Host must ship not less than one request per second or else its connection is dropped, we consider that the rationale Grandoreiro makes use of a number of C&C servers is an try to not overwhelm any one in every of them.
Conclusion
On this blogpost, we’ve got supplied a peek backstage of our long-term monitoring of Grandoreiro that helped to make this disruption operation potential. We now have described in depth how Grandoreiro’s DGA works, what number of completely different configurations exist concurrently, and the way we had been in a position to spot many IP tackle overlaps amongst them.
We now have additionally supplied statistical info obtained from the C&C servers. This info offers a superb overview of the victimology and concentrating on, whereas additionally permitting us to see the precise degree of affect.
The disruption operation led by the Federal Police of Brazil aimed toward people who’re believed to be excessive up within the Grandoreiro operation hierarchy. ESET will proceed to trace different Latin American banking trojans whereas carefully monitoring for any Grandoreiro exercise following this disruption operation.
For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis provides personal APT intelligence experiences and information feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.
IoCs
Recordsdata
SHA-1 |
Filename |
Detection |
Description |
FB32344292AB36080F2D040294F17D39F8B4F3A8 |
Notif.FEL.RHKVYIIPFVBCGQJPOQÃ.msi |
Win32/Spy.Grandoreiro.DB |
MSI downloader |
08C7453BD36DE1B9E0D921D45AEF6D393659FDF5 |
RYCB79H7B-7DVH76Y3-67DVHC6T20-CH377DFHVO-6264704.msi |
Win32/Spy.Grandoreiro.DB |
MSI downloader |
A99A72D323AB5911ADA7762FBC725665AE01FDF9 |
pcre.dll |
Win32/Spy.Grandoreiro.BM |
Grandoreiro |
4CDF7883C8A0A83EB381E935CD95A288505AA8B8 |
iconv.dll |
Win32/Spy.Grandoreiro.BM |
Grandoreiro (with binary padding) |
Community
IP |
Area |
Internet hosting supplier |
First seen |
Particulars |
20.237.166[.]161 |
DGA‑generated |
Azure |
2024‑01‑12 |
C&C server. |
20.120.249[.]43 |
DGA‑generated |
Azure |
2024‑01‑16 |
C&C server. |
52.161.154[.]239 |
DGA‑generated |
Azure |
2024‑01‑18 |
C&C server. |
167.114.138[.]249 |
DGA‑generated |
OVH |
2024‑01‑02 |
C&C server. |
66.70.160[.]251 |
DGA‑generated |
OVH |
2024‑01‑05 |
C&C server. |
167.114.4[.]175 |
DGA‑generated |
OVH |
2024‑01‑09 |
C&C server. |
18.215.238[.]53 |
DGA‑generated |
AWS |
2024‑01‑03 |
C&C server. |
54.219.169[.]167 |
DGA‑generated |
AWS |
2024‑01‑09 |
C&C server. |
3.144.135[.]247 |
DGA‑generated |
AWS |
2024‑01‑12 |
C&C server. |
77.246.96[.]204 |
DGA‑generated |
VDSina |
2024‑01‑11 |
C&C server. |
185.228.72[.]38 |
DGA‑generated |
Grasp da Internet |
2024‑01‑02 |
C&C server. |
62.84.100[.]225 |
N/A |
VDSina |
2024‑01‑18 |
Distribution server. |
20.151.89[.]252 |
N/A |
Azure |
2024‑01‑10 |
Distribution server. |
MITRE ATT&CK strategies
This desk was constructed utilizing model 14 of the MITRE ATT&CK framework.
Tactic |
ID |
Title |
Description |
Useful resource Improvement |
Develop Capabilities: Malware |
Grandoreiro builders develop their very own customized downloaders. |
|
Preliminary Entry |
Phishing |
Grandoreiro spreads by phishing emails. |
|
Execution |
Person Execution: Malicious File |
Grandoreiro pressures victims to manually execute the phishing attachment. |
|
Persistence |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Grandoreiro makes use of the usual Autostart areas for persistence. |
|
Hijack Execution Stream: DLL Search Order Hijacking |
Grandoreiro is executed by compromising the DLL search order. |
||
Protection Evasion |
Deobfuscate/Decode Recordsdata or Info |
Grandoreiro is usually distributed in password-protected ZIP archives. |
|
Obfuscated Recordsdata or Info: Binary Padding |
Grandoreiro EXEs used to have enlarged .rsrc sections with giant BMP photos. |
||
System Binary Proxy Execution: Msiexec |
Grandoreiro downloaders are bundled inside MSI installers. |
||
Modify Registry |
Grandoreiro shops a part of its configuration information within the Home windows registry. |
||
Discovery |
Utility Window Discovery |
Grandoreiro discovers on-line banking web sites primarily based on window names. |
|
Course of Discovery |
Grandoreiro discovers safety instruments primarily based on course of names. |
||
Software program Discovery: Safety Software program Discovery |
Grandoreiro detects the presence of banking safety merchandise. |
||
System Info Discovery |
Grandoreiro collects details about the sufferer’s machine, akin to %COMPUTERNAME% and working system. |
||
Assortment |
Enter Seize: GUI Enter Seize |
Grandoreiro can show pretend pop-ups and seize textual content typed into them. |
|
Enter Seize: Keylogging |
Grandoreiro is able to capturing keystrokes. |
||
Electronic mail Assortment: Native Electronic mail Assortment |
Grandoreiro’s operators developed a device to extract electronic mail addresses from Outlook. |
||
Command and Management |
Knowledge Encoding: Non-Commonplace Encoding |
Grandoreiro makes use of RTC, which encrypts information with a customized stream cipher. |
|
Dynamic Decision: Area Technology Algorithms |
Grandoreiro depends solely on DGA to acquire C&C server addresses. |
||
Encrypted Channel: Symmetric Cryptography |
In RTC, encryption and decryption are carried out utilizing the identical key. |
||
Non-Commonplace Port |
Grandoreiro usually makes use of non-standard ports for distribution. |
||
Utility Layer Protocol |
RTC is constructed on high of HTTP(S). |
||
Exfiltration |
Exfiltration Over C2 Channel |
Grandoreiro exfiltrates information to its C&C server. |
|
Impression |
System Shutdown/Reboot |
Grandoreiro can pressure a system reboot. |