[ad_1]
ESET has collaborated with the Federal Police of Brazil in an try to disrupt the Grandoreiro botnet. ESET contributed to the undertaking by offering technical evaluation, statistical info, and identified command and management (C&C) server domains and IP addresses. As a result of a design flaw in Grandoreiro’s community protocol, ESET researchers had been additionally in a position to get a glimpse into the victimology.
ESET automated methods have processed tens of hundreds of Grandoreiro samples. The area technology algorithm (DGA) the malware has used since round October 2020 produces one foremost area, and optionally a number of failsafe domains, per day. The DGA is the one manner Grandoreiro is aware of easy methods to report back to a C&C server. Apart from the present date, the DGA accepts static configuration as effectively – we’ve got noticed 105 such configurations as of this writing.
Grandoreiro’s operators have abused cloud suppliers reminiscent of Azure and AWS to host their community infrastructure. ESET researchers supplied information essential to figuring out the accounts accountable for organising these servers. Additional investigation carried out by the Federal Police of Brazil led to the identification and arrest of the people accountable for these servers. On this blogpost, we have a look at how we obtained the information to help legislation enforcement to execute this disruption operation.
Background
Grandoreiro is one among many Latin American banking trojans. It has been lively since at the least 2017 and ESET researchers have been carefully monitoring it ever since. Grandoreiro targets Brazil and Mexico, and since 2019 Spain as effectively (see Determine 1). Whereas Spain was probably the most focused nation between 2020 and 2022, in 2023 we noticed a transparent swap of focus in direction of Mexico and Argentina, the latter being new to Grandoreiro.
Determine 1. Grandoreiro detection charge (information since January 2020)
Performance-wise, Grandoreiro hasn’t modified very a lot since our final blogpost in 2020. We provide a short overview of the malware on this part and dive into the few adjustments, primarily new DGA logic, later.
When a Latin American banking trojan efficiently compromises a machine, it often points an HTTP GET request to a distant server, sending some primary details about the compromised machine. Whereas older Grandoreiro builds carried out this function, over time, the builders determined to drop it.
Grandoreiro periodically displays the foreground window to search out one which belongs to an online browser course of. When such a window is discovered and its identify matches any string from a hardcoded record of bank-related strings, then and solely then the malware initiates communication with its C&C server, sending requests at the least as soon as a second till terminated.
The operator has to work together manually with the compromised machine so as to steal a sufferer’s cash. The malware permits:
blocking the display of the sufferer,
logging keystrokes,
simulating mouse and keyboard exercise,
sharing the sufferer’s display, and
displaying pretend pop-up home windows.
Grandoreiro undergoes fast and fixed improvement. Often, we even noticed a number of new builds per week, making it troublesome to maintain observe. To display, in February 2022, Grandoreiro’s operators added a model identifier to the binaries. In Determine 2 we present how rapidly the model identifier modified. On common, it was a brand new model each 4 days between February 2022 and June 2022. Within the month-long hole between Could twenty fourth, 2022 and June twenty second, 2022 we continued to see new samples with progressing PE compilation instances, however they lacked the model identifier. On June twenty seventh, 2022 the model identifier modified to V37 and we haven’t seen it change since then, leaving us to conclude that this function was dropped.
Determine 2. Grandoreiro model historical past between February and June 2022
Latin American banking trojans share a variety of commonalities. Grandoreiro is just like different Latin American banking trojans primarily by the apparent core performance and in bundling its downloaders inside MSI installers. Prior to now, we’ve got noticed a number of circumstances the place its downloaders had been shared with Mekotio and Vadokrist, although not within the final two years. The Grandoreiro banking trojan’s foremost distinction from the opposite households had been its distinctive binary padding mechanism that massively engorges the ultimate executable (described in our blogpost in 2020). Over time, Grandoreiro’s operators added this anti-analysis method to its downloaders as effectively. To our shock, in Q3 2023, this function was utterly dropped from the banking trojan and downloader binaries and we haven’t noticed it since.
Since February 2022, we’ve got been monitoring a second variant of Grandoreiro that differs considerably from the principle one. We noticed it, in small campaigns, in March, Could, and June 2022. Primarily based on the overwhelming majority of its C&C server domains not resolving, its core options altering very often, and its community protocol not functioning correctly, we strongly consider it’s a work in progress; therefore we are going to deal with the principle variant on this blogpost.
Grandoreiro long-term monitoring
ESET methods designed for automated, long-term monitoring of chosen malware households have been monitoring Grandoreiro because the finish of 2017, extracting model info, C&C servers, targets and, because the finish of 2020, DGA configurations.
DGA monitoring
The DGA configuration is hardcoded within the Grandoreiro binary. Every configuration may be referred to by a string we name dga_id. Utilizing totally different configurations for the DGA yields totally different domains. We dive deeper into the DGA mechanism later within the textual content.
ESET has extracted a complete of 105 totally different dga_ids from the Grandoreiro samples identified to us. 79 of those configurations at the least as soon as generated a website that resolved to an lively C&C server IP deal with throughout the course of our monitoring.
The generated domains are registered by way of No-IP’s Dynamic DNS service (DDNS). Grandoreiro’s operators abuse the service to regularly change their domains to correspond with the DGA and to vary IP addresses at will. The overwhelming majority of the IP addresses these domains resolve to are supplied by cloud suppliers, primarily AWS and Azure. Desk 1 illustrates some statistics about IP addresses used for Grandoreiro C&C servers.
Desk 1. Statistical details about Grandoreiro C&C IP addresses since we began our monitoring
Info
Common
Minimal
Most
Variety of new C&C IP addresses per day
3
1
34
Variety of lively C&C IP addresses per day
13
1
27
Lifespan of C&C IP deal with (in days)
5
1
425
Very quickly after we started to trace the generated domains and their related IP addresses, we began to note that many domains generated by DGAs with totally different configurations resolve to the identical IP deal with (as illustrated in Determine 3). Which means that on a given day, victims compromised by Grandoreiro samples with totally different dga_id all linked to the identical C&C server. This phenomenon was no coincidence – we noticed it nearly every day throughout our monitoring.
Determine 3. Schema of an IP overlap in two totally different Grandoreiro DGA configurations
On a lot rarer events, we’ve got additionally noticed an IP deal with being reused by a special dga_id a number of days later. Solely this time, the parameters Grandoreiro used to determine a connection (defined later within the textual content) modified as effectively. Which means that, within the meantime, the C&C server aspect should have been reinstalled or reconfigured.
Our preliminary assumption was that the dga_id is exclusive for every DGA configuration. This later proved to be incorrect – we’ve got noticed two units of various configurations sharing the identical dga_id. Desk 2 exhibits each of them, “jjk” and “gh”, the place “jjk” and “jjk(2)” correspond to 2 totally different DGA configurations, identical as “gh” and “gh(2)”.
Desk 2 exhibits the clusters we had been in a position to observe. All DGA configurations that shared at the least one IP deal with are in the identical cluster and their related dga_ids are listed. Clusters that account for lower than 1% of all victims are disregarded.
Desk 2. Grandoreiro DGA clusters
Cluster ID
dga_id record
Cluster dimension
% of all C&C servers
% of all victims
1
b, bbh, bbj, bbn, bhg, cfb, cm, cob, cwe, dee, dnv, dvg, dzr, E, eeo, eri, ess, fhg, fox, gh, gh(2), hjo, ika, jam, jjk, jjk(2), JKM, jpy, ok, kcy, kWn, md7, md9, MRx, mtb, n, Nkk, nsw, nuu, occ, p, PCV, pif, rfg, rox3, s, sdd, sdg, sop, tkk, twr, tyj, u, ur4, vfg, vgy, vki, wtt, ykl, Z, zaf, zhf
62
93.6%
94%
2
jl2, jly
2
2.4%
2.5%
3
ibr
1
0.8%
1.6%
4
JYY
1
1.6%
1.1%
The most important cluster accommodates 78% of all lively dga_ids. It’s accountable for 93.6% of all C&C server IP addresses and 94% of all victims we’ve seen. The one different cluster consisting of greater than 1 dga_id is cluster 2.
Some sources declare that Grandoreiro operates as malware-as-a-service (MaaS). The Grandoreiro C&C server backend doesn’t permit simultaneous exercise of multiple operator without delay. Primarily based on Desk 2, the overwhelming majority of DGA-produced IP addresses may be clustered along with no clear distribution sample. Lastly, contemplating the community protocol’s heavy bandwidth necessities (we dive into that on the finish of the blogpost), we consider that the totally different C&C servers are used as a primitive load-balancing system and that it’s extra probably that Grandoreiro is operated by a single group or by a number of teams carefully cooperating with each other.
C&C monitoring
Grandoreiro’s implementation of its community protocol allowed ESET researchers to take a peek backstage and get a glimpse of the victimology. Grandoreiro C&C servers give away details about the linked victims on the time of the preliminary request to every newly linked sufferer. That stated, the information is biased by the variety of requests, their intervals, and the validity of the information supplied by the C&C servers.
Every sufferer linked to the Grandoreiro C&C server is recognized by a login_string – a string Grandoreiro constructs upon establishing the connection. Totally different builds use totally different codecs and totally different codecs comprise totally different info. We summarize the knowledge that may be obtained from the login_string in Desk 3. The Prevalence column exhibits a share of all of the codecs we’ve seen that maintain the corresponding sort of info.
Desk 3. Overview of data that may be obtained from a Grandoreiro sufferer’s login_string
Info
Prevalence
Description
Working system
100%
OS of sufferer’s machine.
Pc identify
100%
Title of sufferer’s machine.
Nation
100%
Nation that the Grandoreiro pattern targets (hardcoded within the malware pattern).
Model
100%
Model (version_string) of the Grandoreiro pattern.
Financial institution codename
92%
Codename of the financial institution that triggered the C&C connection (assigned by Grandoreiro’s builders).
Uptime
25%
Time (in hours) that the sufferer’s machine has been operating.
Display decision
8%
Display decision of the sufferer’s foremost monitor.
Username
8%
Username of the sufferer.
Three of the fields deserve a more in-depth rationalization. Nation is a string hardcoded within the Grandoreiro binary fairly than info obtained by way of applicable companies. Due to this fact, it serves extra like an meant nation of the sufferer.
Financial institution codename is a string Grandoreiro’s builders related to a sure financial institution or different monetary establishment. The sufferer visited that financial institution’s web site, which triggered the C&C connection.
The version_string is a string figuring out a selected Grandoreiro construct. It’s hardcoded within the malware and holds a string that identifies a selected construct sequence, a model (which we already talked about within the introduction), and a timestamp. Desk 4 illustrates the totally different codecs and the knowledge they maintain. Discover that a number of the timestamps comprise solely month and day, whereas others comprise the 12 months as effectively.
Desk 4. Record of various version_string codecs and their parsing
Model string
Construct ID
Model
Timestamp
DANILO
DANILO
N/A
N/A
(V37)(P1X)1207
P1X
V37
12/07
(MX)2006
MX
N/A
20/06
fox50.28102020
fox50
N/A
28/10/2020
MADMX(RELOAD)EMAIL2607
MADMX(RELOAD)EMAIL
N/A
26/07
One could also be tempted to say that the Construct ID really identifies the operator. Nevertheless, we don’t assume that’s the case. The format of this string could be very chaotic, typically it refers solely to a month through which the binary in all probability was constructed (like (AGOSTO)2708). Moreover, we strongly consider that P1X refers to a console utilized by Grandoreiro operator(s) referred to as PIXLOGGER.
C&C server monitoring – findings
On this part, we deal with what we’ve discovered by querying the C&C servers. All of the statistical information listed on this part has been obtained immediately from Grandoreiro C&C servers, not from ESET telemetry.
Previous samples are nonetheless lively
Every login_string we noticed accommodates the version_string and the overwhelming majority of these comprise the timestamp info (see Desk 3 and Desk 4). Whereas a variety of them comprise solely day and month, as appears to be the developer’s alternative occassionally, the oldest speaking pattern was timestamped 15/09/2020 – that’s from the time this DGA was first launched to Grandoreiro. The latest pattern was timestamped 12/23/2023.
Working system distribution
Since all the login_string codecs comprise OS info, we will paint an correct image of what working methods fell sufferer, as illustrated in Determine 4.
Determine 4. Working system distribution amongst Grandoreiro victims
(Supposed) nation distribution
We already talked about that Grandoreiro makes use of a hardcoded worth as a substitute of querying a service to acquire the nation of the sufferer. Determine 5 exhibits the distribution that we’ve got noticed.
Determine 5. (Supposed) nation codes distribution amongst Grandoreiro victims
This distribution is to be anticipated of Grandoreiro. Apparently, it doesn’t correlate with the heatmap depicted in Determine 1. Essentially the most logical rationalization is that the builds are usually not marked correctly to resemble their meant targets. For instance, the rise in assaults in Argentina isn’t mirrored in any respect by the hardcoded marking. Brazil accounts for nearly 41% of all victims, adopted by Mexico with 30% and Spain with 28%. Argentina, Portugal, and Peru account for lower than 1%. Apparently, we’ve got seen a number of (fewer than 10) victims marked as PM (Saint Pierre and Miquelon), GR (Greece), or FR (France). We consider these are both typos or produce other meanings fairly than aiming at these international locations.
Additionally word that whereas Grandoreiro added targets from many international locations exterior of Latin America as early as 2020, we’ve got noticed few to no campaigns focusing on these international locations and Determine 5 helps this.
Variety of victims
Now we have noticed that the typical variety of victims linked in a day is 563. Nevertheless, this quantity definitely accommodates duplicates, as a result of if a sufferer stays linked for a very long time, which we’ve noticed is commonly the case, then the Grandoreiro C&C server will report it on a number of requests.
Attempting to handle this problem, we outlined a novel sufferer as one with a novel set of figuring out traits (like pc identify, username, and so forth.) whereas omitting these which can be topic to vary (like uptime). With that, we ended up with 551 distinctive victims linked in a day on common.
Making an allowance for that we’ve got noticed victims who had been connecting to the C&C servers always for over a 12 months’s interval, we calculated a median variety of 114 new distinctive victims connecting to the C&C servers every day. We got here to this quantity by disregarding distinctive victims that we’ve got already noticed earlier than.
Grandoreiro internals
Allow us to focus, in depth, on the 2 most important options of Grandoreiro: the DGA and the community protocol.
DGA
Grandoreiro’s operators have carried out a number of sorts of DGAs through the years, with the newest one showing in July 2020. Whereas we seen a number of minor adjustments, the core of the algorithm hasn’t change since.
The DGA makes use of a selected configuration that’s hardcoded within the binary, saved as a number of strings. Determine 6 shows one such configuration (with dga_id “bbj”), reformatted in JSON for higher readability.
Determine 6. Grandoreiro DGA configuration, reformatted in JSON
Within the overwhelming majority of circumstances, the base_domain subject is freedynamicdns.org or zapto.org. As already talked about, Grandoreiro makes use of No-IP for its area registration. The base64_alpha subject corresponds to the customized base64 alphabet the DGA makes use of. The month_substitution is used to substitute a month quantity for a personality.
The dga_table types the principle a part of the configuration. It consists of 12 strings, every with 35 fields delimited by |. The primary entry of every line is the dga_id. The second and final entry characterize the month the road is meant for. The remaining 32 fields every characterize a worth for a special day of the month (leaving at the least one subject unused).
The logic of the DGA is proven in Determine 7. The algorithm first selects the right line and the right entry from it, treating it as a four-byte key. It then codecs the present date right into a string and encrypts it with the important thing utilizing a easy XOR. It then prepends the dga_id to the outcome, encodes the outcome utilizing base64 with a customized alphabet, after which removes any = padding characters. The ultimate result’s the subdomain that, along with base_domain, is for use because the C&C server for the present day. The half highlighted in crimson is a failsafe mechanism and we talk about it subsequent.
Determine 7. Grandoreiro DGA computation reimplemented in Python
Grandoreiro has carried out, in some builds, a failsafe mechanism for when the principle area fails to resolve. This mechanism isn’t current in all builds and its logic has modified a number of instances, however the primary concept is illustrated in Determine 7. It makes use of a configuration that’s fixed within the samples we analyzed and may be generated by the straightforward code proven in Determine 8. Every entry consists of a key, a prefix, and a base area.
The failsafe algorithm takes part of the principle C&C subdomain. It then iterates over all configuration entries, encrypts it utilizing XOR and prepends a prefix, just like the principle algorithm half.
Determine 8. Failsafe DGA configuration generator reimplemented in Python
Since September 2022, we’ve got began to look at samples that make the most of a barely modified DGA. The algorithm stays nearly an identical, however fairly than base64 encoding the subdomain within the ultimate step, a hardcoded prefix is prepended to it. Primarily based on our monitoring, this methodology has grow to be the dominant one since roughly July 2023.
Community protocol
Grandoreiro makes use of RTC Portal, a set of Delphi elements constructed on high of the RealThinClient SDK which is constructed on high of HTTP(S). The RTC Portal was discontinued in 2017 and its supply code revealed on GitHub. Basically, RTC Portal permits a number of Controls to remotely entry a number of Hosts. Hosts and Controls are separated by a mediator part referred to as Gateway.
Grandoreiro operators use a console (performing because the Management) to connect with the C&C server (performing as Gateway) and to speak with the compromised machines (performing as Hosts). To connect with Gateway, three parameters are required: a secret key, the important thing size, and a login.
The key key’s used to encrypt the preliminary request despatched to the server. Due to this fact, the server additionally must know the key key in order to decrypt the preliminary consumer request.
The important thing size determines the size of the keys to encrypt the visitors, established throughout the handshake. The visitors is encrypted utilizing a customized stream cipher. Two totally different keys are established – one for inbound and one for outbound visitors.
The login may be any string. The Gateway requires every linked part to have a novel login.
Grandoreiro makes use of two totally different mixtures of secret key and key size values, all the time hardcoded within the binary, and we already mentioned the login_string that’s used because the login.
The RTC documentation states that it will probably solely deal with a restricted variety of connections without delay. Contemplating that every linked Host must ship at the least one request per second or else its connection is dropped, we consider that the explanation Grandoreiro makes use of a number of C&C servers is an try to not overwhelm any one among them.
Conclusion
On this blogpost, we’ve got supplied a peek backstage of our long-term monitoring of Grandoreiro that helped to make this disruption operation attainable. Now we have described in depth how Grandoreiro’s DGA works, what number of totally different configurations exist concurrently, and the way we had been in a position to spot many IP deal with overlaps amongst them.
Now we have additionally supplied statistical info obtained from the C&C servers. This info offers a wonderful overview of the victimology and focusing on, whereas additionally permitting us to see the precise degree of impression.
The disruption operation led by the Federal Police of Brazil geared toward people who’re believed to be excessive up within the Grandoreiro operation hierarchy. ESET will proceed to trace different Latin American banking trojans whereas carefully monitoring for any Grandoreiro exercise following this disruption operation.
For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com.ESET Analysis presents personal APT intelligence reviews and information feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.
IoCs
Information
SHA-1
Filename
Detection
Description
FB32344292AB36080F2D040294F17D39F8B4F3A8
Notif.FEL.RHKVYIIPFVBCGQJPOQÃ.msi
Win32/Spy.Grandoreiro.DB
MSI downloader
08C7453BD36DE1B9E0D921D45AEF6D393659FDF5
RYCB79H7B-7DVH76Y3-67DVHC6T20-CH377DFHVO-6264704.msi
Win32/Spy.Grandoreiro.DB
MSI downloader
A99A72D323AB5911ADA7762FBC725665AE01FDF9
pcre.dll
Win32/Spy.Grandoreiro.BM
Grandoreiro
4CDF7883C8A0A83EB381E935CD95A288505AA8B8
iconv.dll
Win32/Spy.Grandoreiro.BM
Grandoreiro (with binary padding)
Community
IP
Area
Internet hosting supplier
First seen
Particulars
20.237.166[.]161
DGA‑generated
Azure
2024‑01‑12
C&C server.
20.120.249[.]43
DGA‑generated
Azure
2024‑01‑16
C&C server.
52.161.154[.]239
DGA‑generated
Azure
2024‑01‑18
C&C server.
167.114.138[.]249
DGA‑generated
OVH
2024‑01‑02
C&C server.
66.70.160[.]251
DGA‑generated
OVH
2024‑01‑05
C&C server.
167.114.4[.]175
DGA‑generated
OVH
2024‑01‑09
C&C server.
18.215.238[.]53
DGA‑generated
AWS
2024‑01‑03
C&C server.
54.219.169[.]167
DGA‑generated
AWS
2024‑01‑09
C&C server.
3.144.135[.]247
DGA‑generated
AWS
2024‑01‑12
C&C server.
77.246.96[.]204
DGA‑generated
VDSina
2024‑01‑11
C&C server.
185.228.72[.]38
DGA‑generated
Grasp da Net
2024‑01‑02
C&C server.
62.84.100[.]225
N/A
VDSina
2024‑01‑18
Distribution server.
20.151.89[.]252
N/A
Azure
2024‑01‑10
Distribution server.
MITRE ATT&CK strategies
This desk was constructed utilizing model 14 of the MITRE ATT&CK framework.
Tactic
ID
Title
Description
Useful resource Growth
T1587.001
Develop Capabilities: Malware
Grandoreiro builders develop their very own customized downloaders.
Preliminary Entry
T1566
Phishing
Grandoreiro spreads via phishing emails.
Execution
T1204.002
Person Execution: Malicious File
Grandoreiro pressures victims to manually execute the phishing attachment.
Persistence
T1547.001
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Grandoreiro makes use of the usual Autostart areas for persistence.
T1574.001
Hijack Execution Circulate: DLL Search Order Hijacking
Grandoreiro is executed by compromising the DLL search order.
Protection Evasion
T1140
Deobfuscate/Decode Information or Info
Grandoreiro is commonly distributed in password-protected ZIP archives.
T1027.001
Obfuscated Information or Info: Binary Padding
Grandoreiro EXEs used to have enlarged .rsrc sections with giant BMP photographs.
T1218.007
System Binary Proxy Execution: Msiexec
Grandoreiro downloaders are bundled inside MSI installers.
T1112
Modify Registry
Grandoreiro shops a part of its configuration information within the Home windows registry.
Discovery
T1010
Software Window Discovery
Grandoreiro discovers on-line banking web sites based mostly on window names.
T1057
Course of Discovery
Grandoreiro discovers safety instruments based mostly on course of names.
T1518.001
Software program Discovery: Safety Software program Discovery
Grandoreiro detects the presence of banking safety merchandise.
T1082
System Info Discovery
Grandoreiro collects details about the sufferer’s machine, reminiscent of %COMPUTERNAME% and working system.
Assortment
T1056.002
Enter Seize: GUI Enter Seize
Grandoreiro can show pretend pop-ups and seize textual content typed into them.
T1056.001
Enter Seize: Keylogging
Grandoreiro is able to capturing keystrokes.
T1114.001
E-mail Assortment: Native E-mail Assortment
Grandoreiro’s operators developed a device to extract e mail addresses from Outlook.
Command and Management
T1132.002
Information Encoding: Non-Normal Encoding
Grandoreiro makes use of RTC, which encrypts information with a customized stream cipher.
T1568.002
Dynamic Decision: Area Technology Algorithms
Grandoreiro depends solely on DGA to acquire C&C server addresses.
T1573.001
Encrypted Channel: Symmetric Cryptography
In RTC, encryption and decryption are carried out utilizing the identical key.
T1571
Non-Normal Port
Grandoreiro usually makes use of non-standard ports for distribution.
T1071
Software Layer Protocol
RTC is constructed on high of HTTP(S).
Exfiltration
T1041
Exfiltration Over C2 Channel
Grandoreiro exfiltrates information to its C&C server.
Influence
T1529
System Shutdown/Reboot
Grandoreiro can power a system reboot.
[ad_2]