Grandoreiro Banking Trojan is Back with New Tactics and New Targets

Grandoreiro, an infamous banking trojan, has been discovered in recent attacks targeting employees of chemicals and automotive manufacturers. The entities are based in Spain and Mexico.

About Grandoreiro

Zscaler spotted a campaign involving Grandoreiro’s new variant, which started in June and is still active. The variant has new features, including a revamped C2 system to avoid detection and analysis.
  • The infection chain starts with a spear-phishing email that claims to come from the Spanish Public Ministry or the Attorney General's Office of Mexico City, depending on the target.
  • The subjects of the spam emails include notices of litigation changes, state refunds, and cancellation of mortgage loans, among others. The email contains a link that redirects victims to a website that drops a ZIP archive.

Payload execution and infection 

The archive file includes the Grandoreiro loader module masked as a PDF file to fool the victim into executing it. 
  • When executed, a Delphi payload is obtained from a remote HTTP file server as a ZIP file.
  • The ZIP file is extracted and executed by the loader that additionally collects system details, obtains a list of installed AV programs, cryptocurrency wallets, and e-banking apps, and sends them to the C2.
  • The final payload, signed with a certificate stolen from ASUSTEK, is inflated to 400MB using binary padding to avoid sandbox analysis.
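
A defender-side triage check for the binary padding described above, as an added example that is not from Zscaler's report or the original article: it streams a file and measures what share of its 64 KiB chunks is low-entropy filler. The chunk size, thresholds and function names are assumptions, and the inputs are constructed.

```python
import math
import os
import tempfile
from collections import Counter

CHUNK = 64 * 1024          # bytes examined per step
LOW_ENTROPY = 0.5          # bits/byte; assumed cut-off for "filler" data
PADDED_RATIO = 0.80        # assumed: flag when >= 80% of chunks are filler


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def padding_report(path: str) -> dict:
    """Stream a file and report how much of it is low-entropy filler."""
    chunks = filler = 0
    with open(path, "rb") as fh:
        while block := fh.read(CHUNK):
            chunks += 1
            if shannon_entropy(block) < LOW_ENTROPY:
                filler += 1
    ratio = filler / chunks if chunks else 0.0
    return {
        "size": os.path.getsize(path),
        "filler_ratio": round(ratio, 3),
        "likely_padded": ratio >= PADDED_RATIO,
    }


def make_sample(body: bytes, pad_bytes: int) -> str:
    """Write a constructed test file: body followed by zero padding."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(body + b"\x00" * pad_bytes)
    return path


if __name__ == "__main__":
    # Constructed inputs, not real samples: random bytes stand in for program content.
    body = os.urandom(CHUNK)
    for pad in (0, 4 * 1024 * 1024):
        sample = make_sample(body, pad)
        print(pad, padding_report(sample))
        os.remove(sample)
```

Padding built from high-entropy data would not trip this check, so treat it as one signal alongside the file's overall size.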

Additional capabilities

Researchers further noted that persistence across reboots is achieved by adding two new Registry keys and setting the trojan to execute at system startup.
  • In one instance, to evade analysis, the trojan even asks the victim to solve a CAPTCHA.
  • The backdoor capabilities on the host include keylogging, auto-update for newer versions and modules, command execution, manipulating windows, and web injects.
  • One new addition in the recent Grandoreiro variant is the use of a Domain Generation Algorithm (DGA) for C2 communications, which makes mapping the malware's infrastructure more challenging.


Grandoreiro operators are only interested in carrying out highly-targeted attacks as they continue to innovate their tactics. Thus, deploying advanced security solutions, such as using real-time threat intelligence to keep up with changing TTPs of the malware, is imperative to stay protected.
Cyware Publisher