9.9 C
Wednesday, January 31, 2024

ESET takes half in international operation to disrupt the Grandoreiro banking trojan

ESET has collaborated with the Federal Police of Brazil in an try to disrupt the Grandoreiro botnet. ESET contributed to the mission by offering technical evaluation, statistical data, and recognized command and management (C&C) server domains and IP addresses. As a consequence of a design flaw in Grandoreiro’s community protocol, ESET researchers have been additionally in a position to get a glimpse into the victimology.

ESET automated programs have processed tens of hundreds of Grandoreiro samples. The area technology algorithm (DGA) the malware has used since round October 2020 produces one most important area, and optionally a number of failsafe domains, per day. The DGA is the one method Grandoreiro is aware of report back to a C&C server. In addition to the present date, the DGA accepts static configuration as effectively – we have now noticed 105 such configurations as of this writing.

Grandoreiro’s operators have abused cloud suppliers similar to Azure and AWS to host their community infrastructure. ESET researchers supplied information essential to figuring out the accounts accountable for establishing these servers. Additional investigation carried out by the Federal Police of Brazil led to the identification and arrest of the people in command of these servers. On this blogpost, we have a look at how we obtained the info to help legislation enforcement to execute this disruption operation.


Grandoreiro is one in every of many Latin American banking trojans. It has been energetic since no less than 2017 and ESET researchers have been intently monitoring it ever since. Grandoreiro targets Brazil and Mexico, and since 2019 Spain as effectively (see Determine 1). Whereas Spain was probably the most focused nation between 2020 and 2022, in 2023 we noticed a transparent swap of focus in direction of Mexico and Argentina, the latter being new to Grandoreiro.

Determine 1. Grandoreiro detection fee (information since January 2020)

Performance-wise, Grandoreiro hasn’t modified very a lot since our final blogpost in 2020. We provide a short overview of the malware on this part and dive into the few modifications, primarily new DGA logic, later.

When a Latin American banking trojan efficiently compromises a machine, it often points an HTTP GET request to a distant server, sending some primary details about the compromised machine. Whereas older Grandoreiro builds applied this function, over time, the builders determined to drop it.

Grandoreiro periodically displays the foreground window to search out one which belongs to an online browser course of. When such a window is discovered and its identify matches any string from a hardcoded listing of bank-related strings, then and solely then the malware initiates communication with its C&C server, sending requests no less than as soon as a second till terminated.

The operator has to work together manually with the compromised machine with the intention to steal a sufferer’s cash. The malware permits:

  • blocking the display of the sufferer,
  • logging keystrokes,
  • simulating mouse and keyboard exercise,
  • sharing the sufferer’s display, and
  • displaying faux pop-up home windows.

Grandoreiro undergoes fast and fixed growth. Often, we even noticed a number of new builds every week, making it troublesome to maintain observe. To show, in February 2022, Grandoreiro’s operators added a model identifier to the binaries. In Determine 2 we present how shortly the model identifier modified. On common, it was a brand new model each 4 days between February 2022 and June 2022. Within the month-long hole between Could 24th, 2022 and June 22nd, 2022 we continued to see new samples with progressing PE compilation instances, however they lacked the model identifier. On June 27th, 2022 the model identifier modified to V37 and we haven’t seen it change since then, leaving us to conclude that this function was dropped.

Determine 2. Grandoreiro model historical past between February and June 2022

Latin American banking trojans share a variety of commonalities. Grandoreiro is much like different Latin American banking trojans primarily by the apparent core performance and in bundling its downloaders inside MSI installers. Up to now, we have now noticed a number of instances the place its downloaders have been shared with Mekotio and Vadokrist, although not within the final two years. The Grandoreiro banking trojan’s most important distinction from the opposite households had been its distinctive binary padding mechanism that massively engorges the ultimate executable (described in our blogpost in 2020). Over time, Grandoreiro’s operators added this anti-analysis approach to its downloaders as effectively. To our shock, in Q3 2023, this function was utterly dropped from the banking trojan and downloader binaries and we haven’t noticed it since.

Since February 2022, we have now been monitoring a second variant of Grandoreiro that differs considerably from the primary one. We noticed it, in small campaigns, in March, Could, and June 2022. Based mostly on the overwhelming majority of its C&C server domains not resolving, its core options altering very often, and its community protocol not functioning correctly, we strongly consider it’s a work in progress; therefore we are going to give attention to the primary variant on this blogpost.

Grandoreiro long-term monitoring

ESET programs designed for automated, long-term monitoring of chosen malware households have been monitoring Grandoreiro for the reason that finish of 2017, extracting model data, C&C servers, targets and, for the reason that finish of 2020, DGA configurations.

DGA monitoring

The DGA configuration is hardcoded within the Grandoreiro binary. Every configuration may be referred to by a string we name dga_id. Utilizing totally different configurations for the DGA yields totally different domains. We dive deeper into the DGA mechanism later within the textual content.

ESET has extracted a complete of 105 totally different dga_ids from the Grandoreiro samples recognized to us. 79 of those configurations no less than as soon as generated a website that resolved to an energetic C&C server IP tackle in the course of the course of our monitoring.

The generated domains are registered through No-IP’s Dynamic DNS service (DDNS). Grandoreiro’s operators abuse the service to regularly change their domains to correspond with the DGA and to vary IP addresses at will. The overwhelming majority of the IP addresses these domains resolve to are supplied by cloud suppliers, primarily AWS and Azure. Desk 1 illustrates some statistics about IP addresses used for Grandoreiro C&C servers.

Desk 1. Statistical details about Grandoreiro C&C IP addresses since we began our monitoring

Data Common Minimal Most
Variety of new C&C IP addresses per day 3 1 34
Variety of energetic C&C IP addresses per day 13 1 27
Lifespan of C&C IP tackle (in days) 5 1 425

Very quickly after we started to trace the generated domains and their related IP addresses, we began to note that many domains generated by DGAs with totally different configurations resolve to the identical IP tackle (as illustrated in Determine 3). Because of this on a given day, victims compromised by Grandoreiro samples with totally different dga_id all related to the identical C&C server. This phenomenon was no coincidence – we noticed it nearly each day throughout our monitoring.

Determine 3. Schema of an IP overlap in two totally different Grandoreiro DGA configurations

On a lot rarer events, we have now additionally noticed an IP tackle being reused by a special dga_id a number of days later. Solely this time, the parameters Grandoreiro used to determine a connection (defined later within the textual content) modified as effectively. Because of this, within the meantime, the C&C server aspect will need to have been reinstalled or reconfigured.

Our preliminary assumption was that the dga_id is exclusive for every DGA configuration. This later proved to be incorrect – we have now noticed two units of various configurations sharing the identical dga_id. Desk 2 exhibits each of them, “jjk” and “gh”, the place “jjk” and “jjk(2)” correspond to 2 totally different DGA configurations, identical as “gh” and “gh(2)”.

Desk 2 exhibits the clusters we have been in a position to observe. All DGA configurations that shared no less than one IP tackle are in the identical cluster and their related dga_ids are listed. Clusters that account for lower than 1% of all victims are disregarded.

Desk 2. Grandoreiro DGA clusters

Cluster ID

dga_id listing

Cluster measurement

% of all C&C servers

% of all victims


b, bbh, bbj, bbn, bhg, cfb, cm, cob, cwe, dee, dnv, dvg, dzr, E, eeo, eri, ess, fhg, fox, gh, gh(2), hjo, ika, jam, jjk, jjk(2), JKM, jpy, ok, kcy, kWn, md7, md9, MRx, mtb, n, Nkk, nsw, nuu, occ, p, PCV, pif, rfg, rox3, s, sdd, sdg, sop, tkk, twr, tyj, u, ur4, vfg, vgy, vki, wtt, ykl, Z, zaf, zhf





jl2, jly














The most important cluster comprises 78% of all energetic dga_ids. It’s accountable for 93.6% of all C&C server IP addresses and 94% of all victims we’ve seen. The one different cluster consisting of greater than 1 dga_id is cluster 2.

Some sources declare that Grandoreiro operates as malware-as-a-service (MaaS). The Grandoreiro C&C server backend doesn’t permit simultaneous exercise of multiple operator directly. Based mostly on Desk 2, the overwhelming majority of DGA-produced IP addresses may be clustered along with no clear distribution sample. Lastly, contemplating the community protocol’s heavy bandwidth necessities (we dive into that on the finish of the blogpost), we consider that the totally different C&C servers are used as a primitive load-balancing system and that it’s extra seemingly that Grandoreiro is operated by a single group or by a number of teams intently cooperating with each other.

C&C monitoring

Grandoreiro’s implementation of its community protocol allowed ESET researchers to take a peek backstage and get a glimpse of the victimology. Grandoreiro C&C servers give away details about the related victims on the time of the preliminary request to every newly related sufferer. That stated, the info is biased by the variety of requests, their intervals, and the validity of the info supplied by the C&C servers.

Every sufferer related to the Grandoreiro C&C server is recognized by a login_string – a string Grandoreiro constructs upon establishing the connection. Completely different builds use totally different codecs and totally different codecs include totally different data. We summarize the data that may be obtained from the login_string in Desk 3. The Prevalence column exhibits a proportion of all of the codecs we’ve seen that maintain the corresponding form of data.

Desk 3. Overview of data that may be obtained from a Grandoreiro sufferer’s login_string




Working system


OS of sufferer’s machine.

Laptop identify


Title of sufferer’s machine.



Nation that the Grandoreiro pattern targets (hardcoded within the malware pattern).



Model (version_string) of the Grandoreiro pattern.

Financial institution codename


Codename of the financial institution that triggered the C&C connection (assigned by Grandoreiro’s builders).



Time (in hours) that the sufferer’s machine has been working.

Display decision


Display decision of the sufferer’s most important monitor.



Username of the sufferer.

Three of the fields deserve a better clarification. Nation is a string hardcoded within the Grandoreiro binary relatively than data obtained through acceptable companies. Subsequently, it serves extra like an supposed nation of the sufferer.

Financial institution codename is a string Grandoreiro’s builders related to a sure financial institution or different monetary establishment. The sufferer visited that financial institution’s web site, which triggered the C&C connection.

The version_string is a string figuring out a particular Grandoreiro construct. It’s hardcoded within the malware and holds a string that identifies a particular construct sequence, a model (which we already talked about within the introduction), and a timestamp. Desk 4 illustrates the totally different codecs and the data they maintain. Discover that a number of the timestamps include solely month and day, whereas others include the 12 months as effectively.

Desk 4. Listing of various version_string codecs and their parsing

Model string

Construct ID























One could also be tempted to say that the Construct ID really identifies the operator. Nevertheless, we don’t assume that’s the case. The format of this string may be very chaotic, typically it refers solely to a month during which the binary most likely was constructed (like (AGOSTO)2708). Moreover, we strongly consider that P1X refers to a console utilized by Grandoreiro operator(s) referred to as PIXLOGGER.

C&C server monitoring – findings

On this part, we give attention to what we’ve discovered by querying the C&C servers. All of the statistical information listed on this part has been obtained immediately from Grandoreiro C&C servers, not from ESET telemetry.

Previous samples are nonetheless energetic

Every login_string we noticed comprises the version_string and the overwhelming majority of these include the timestamp data (see Desk 3 and Desk 4). Whereas a variety of them include solely day and month, as appears to be the developer’s selection occassionally, the oldest speaking pattern was timestamped 15/09/2020 – that’s from the time this DGA was first launched to Grandoreiro. The newest pattern was timestamped 12/23/2023.

Working system distribution

Since all the login_string codecs include OS data, we will paint an correct image of what working programs fell sufferer, as illustrated in Determine 4.

Determine 4. Working system distribution amongst Grandoreiro victims

(Meant) nation distribution

We already talked about that Grandoreiro makes use of a hardcoded worth as a substitute of querying a service to acquire the nation of the sufferer. Determine 5 exhibits the distribution that we have now noticed.

Determine 5. (Meant) nation codes distribution amongst Grandoreiro victims

This distribution is to be anticipated of Grandoreiro. Apparently, it doesn’t correlate with the heatmap depicted in Determine 1. Essentially the most logical clarification is that the builds are usually not marked correctly to resemble their supposed targets. For instance, the rise in assaults in Argentina shouldn’t be mirrored in any respect by the hardcoded marking. Brazil accounts for nearly 41% of all victims, adopted by Mexico with 30% and Spain with 28%. Argentina, Portugal, and Peru account for lower than 1%. Apparently, we have now seen a number of (fewer than 10) victims marked as PM (Saint Pierre and Miquelon), GR (Greece), or FR (France). We consider these are both typos or produce other meanings relatively than aiming at these international locations.

Additionally notice that whereas Grandoreiro added targets from many international locations outdoors of Latin America as early as 2020, we have now noticed few to no campaigns focusing on these international locations and Determine 5 helps this.

Variety of victims

We now have noticed that the common variety of victims related in a day is 563. Nevertheless, this quantity definitely comprises duplicates, as a result of if a sufferer stays related for a very long time, which we’ve noticed is commonly the case, then the Grandoreiro C&C server will report it on a number of requests.

Making an attempt to handle this situation, we outlined a distinctive sufferer as one with a novel set of figuring out traits (like laptop identify, username, and so forth.) whereas omitting these which can be topic to vary (like uptime). With that, we ended up with 551 distinctive victims related in a day on common.

Considering that we have now noticed victims who have been connecting to the C&C servers consistently for over a 12 months’s interval, we calculated a mean variety of 114 new distinctive victims connecting to the C&C servers every day. We got here to this quantity by disregarding distinctive victims that we have now already noticed earlier than.

Grandoreiro internals

Allow us to focus, in depth, on the 2 most important options of Grandoreiro: the DGA and the community protocol.


Grandoreiro’s operators have applied a number of sorts of DGAs over time, with the latest one showing in July 2020. Whereas we seen a number of minor modifications, the core of the algorithm hasn’t change since.

The DGA makes use of a particular configuration that’s hardcoded within the binary, saved as a number of strings. Determine 6 shows one such configuration (with dga_id “bbj”), reformatted in JSON for higher readability.

Determine 6. Grandoreiro DGA configuration, reformatted in JSON

Within the overwhelming majority of instances, the base_domain discipline is freedynamicdns.org or zapto.org. As already talked about, Grandoreiro makes use of No-IP for its area registration. The base64_alpha discipline corresponds to the customized base64 alphabet the DGA makes use of. The month_substitution is used to substitute a month quantity for a personality.

The dga_table types the primary a part of the configuration. It consists of 12 strings, every with 35 fields delimited by |. The primary entry of every line is the dga_id. The second and final entry characterize the month the road is meant for. The remaining 32 fields every characterize a worth for a special day of the month (leaving no less than one discipline unused).

The logic of the DGA is proven in Determine 7. The algorithm first selects the proper line and the proper entry from it, treating it as a four-byte key. It then codecs the present date right into a string and encrypts it with the important thing utilizing a easy XOR. It then prepends the dga_id to the outcome, encodes the outcome utilizing base64 with a customized alphabet, after which removes any = padding characters. The ultimate result’s the subdomain that, along with base_domain, is for use because the C&C server for the present day. The half highlighted in pink is a failsafe mechanism and we focus on it subsequent.

Determine 7. Grandoreiro DGA computation reimplemented in Python

Grandoreiro has applied, in some builds, a failsafe mechanism for when the primary area fails to resolve. This mechanism shouldn’t be current in all builds and its logic has modified a number of instances, however the primary concept is illustrated in Determine 7. It makes use of a configuration that’s fixed within the samples we analyzed and may be generated by the easy code proven in Determine 8. Every entry consists of a key, a prefix, and a base area.

The failsafe algorithm takes part of the primary C&C subdomain. It then iterates over all configuration entries, encrypts it utilizing XOR and prepends a prefix, much like the primary algorithm half.

Determine 8. Failsafe DGA configuration generator reimplemented in Python

Since September 2022, we have now began to watch samples that make the most of a barely modified DGA. The algorithm stays nearly similar, however relatively than base64 encoding the subdomain within the remaining step, a hardcoded prefix is prepended to it. Based mostly on our monitoring, this technique has turn into the dominant one since roughly July 2023.

Community protocol

Grandoreiro makes use of RTC Portal, a set of Delphi elements constructed on prime of the RealThinClient SDK which is constructed on prime of HTTP(S). The RTC Portal was discontinued in 2017 and its supply code printed on GitHub. Primarily, RTC Portal permits a number of Controls to remotely entry a number of Hosts. Hosts and Controls are separated by a mediator part referred to as Gateway.

Grandoreiro operators use a console (appearing because the Management) to hook up with the C&C server (appearing as Gateway) and to speak with the compromised machines (appearing as Hosts). To connect with Gateway, three parameters are required: a secret key, the important thing size, and a login.

The key key’s used to encrypt the preliminary request despatched to the server. Subsequently, the server additionally must know the key key in order to decrypt the preliminary consumer request.

The important thing size determines the size of the keys to encrypt the site visitors, established in the course of the handshake. The site visitors is encrypted utilizing a customized stream cipher. Two totally different keys are established – one for inbound and one for outbound site visitors.

The login may be any string. The Gateway requires every related part to have a novel login.

Grandoreiro makes use of two totally different mixtures of secret key and key size values, all the time hardcoded within the binary, and we already mentioned the login_string that’s used because the login.

The RTC documentation states that it will possibly solely deal with a restricted variety of connections directly. Contemplating that every related Host must ship no less than one request per second or else its connection is dropped, we consider that the explanation Grandoreiro makes use of a number of C&C servers is an try to not overwhelm any one in every of them.


On this blogpost, we have now supplied a peek backstage of our long-term monitoring of Grandoreiro that helped to make this disruption operation doable. We now have described in depth how Grandoreiro’s DGA works, what number of totally different configurations exist concurrently, and the way we have been in a position to spot many IP tackle overlaps amongst them.

We now have additionally supplied statistical data obtained from the C&C servers. This data supplies a superb overview of the victimology and focusing on, whereas additionally permitting us to see the precise stage of impression.

The disruption operation led by the Federal Police of Brazil geared toward people who’re believed to be excessive up within the Grandoreiro operation hierarchy. ESET will proceed to trace different Latin American banking trojans whereas intently monitoring for any Grandoreiro exercise following this disruption operation.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis provides non-public APT intelligence stories and information feeds. For any inquiries about this service, go to the ESET Menace Intelligence web page.










MSI downloader




MSI downloader








Grandoreiro (with binary padding)




Internet hosting supplier

First seen






C&C server.





C&C server.





C&C server.





C&C server.





C&C server.





C&C server.





C&C server.





C&C server.





C&C server.





C&C server.



Grasp da Internet


C&C server.





Distribution server.





Distribution server.

MITRE ATT&CK methods

This desk was constructed utilizing model 14 of the MITRE ATT&CK framework.





Useful resource Growth


Develop Capabilities: Malware

Grandoreiro builders develop their very own customized downloaders.

Preliminary Entry



Grandoreiro spreads by means of phishing emails.



Consumer Execution: Malicious File

Grandoreiro pressures victims to manually execute the phishing attachment.



Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Grandoreiro makes use of the usual Autostart places for persistence.


Hijack Execution Circulate: DLL Search Order Hijacking

Grandoreiro is executed by compromising the DLL search order.

Protection Evasion


Deobfuscate/Decode Information or Data

Grandoreiro is commonly distributed in password-protected ZIP archives.


Obfuscated Information or Data: Binary Padding

Grandoreiro EXEs used to have enlarged .rsrc sections with massive BMP photographs.


System Binary Proxy Execution: Msiexec

Grandoreiro downloaders are bundled inside MSI installers.


Modify Registry

Grandoreiro shops a part of its configuration information within the Home windows registry.



Software Window Discovery

Grandoreiro discovers on-line banking web sites primarily based on window names.


Course of Discovery

Grandoreiro discovers safety instruments primarily based on course of names.


Software program Discovery: Safety Software program Discovery

Grandoreiro detects the presence of banking safety merchandise.


System Data Discovery

Grandoreiro collects details about the sufferer’s machine, similar to %COMPUTERNAME% and working system.



Enter Seize: GUI Enter Seize

Grandoreiro can show faux pop-ups and seize textual content typed into them.


Enter Seize: Keylogging

Grandoreiro is able to capturing keystrokes.


E-mail Assortment: Native E-mail Assortment

Grandoreiro’s operators developed a device to extract e mail addresses from Outlook.

Command and Management


Knowledge Encoding: Non-Normal Encoding

Grandoreiro makes use of RTC, which encrypts information with a customized stream cipher.


Dynamic Decision: Area Era Algorithms

Grandoreiro depends solely on DGA to acquire C&C server addresses.


Encrypted Channel: Symmetric Cryptography

In RTC, encryption and decryption are completed utilizing the identical key.


Non-Normal Port

Grandoreiro typically makes use of non-standard ports for distribution.


Software Layer Protocol

RTC is constructed on prime of HTTP(S).



Exfiltration Over C2 Channel

Grandoreiro exfiltrates information to its C&C server.



System Shutdown/Reboot

Grandoreiro can pressure a system reboot.

Latest news
Related news


Please enter your comment!
Please enter your name here