Skip to content

ESET investigates Grandoreiro, a trojan exploiting the coronavirus pandemic

BRATISLAVA, PRAGUE – As part of an ongoing series on Latin American banking trojans, ESET researchers take an in-depth look at Grandoreiro. This trojan targets users especially in Brazil, Mexico, Spain and Peru. Distributed almost exclusively through email spam, it has lately started to utilize fake websites capitalizing on the global coronavirus pandemic. Grandoreiro reveals a persistent effort from its authors to evade detection. Although ESET has seen Grandoreiro primarily distributed through spam, where the authors usually utilize a fake Java or Flash update, recently we have observed a shift to COVID19 related scams. The trojan was hiding in videos on fake websites promising information about the coronavirus. However, instead of playing, clicking the video leads to the download of a payload on visitors’ devices.Grandoreiro has been active since at least 2017 in Brazil and Peru, expanding to Mexico and Spain in 2019. As with other Latin American banking trojans in this series, Grandoreiro attacks its victims by displaying fake pop-up windows as a ploy to get them to divulge sensitive information.

The backdoor functionality of Grandoreiro includes manipulating windows; updating itself; capturing keystrokes; simulating mouse and keyboard actions; navigating browsers to chosen URLs; signing out and restarting machines; and blocking access to websites. Grandoreiro collects various information about affected machines and, in some versions, it also steals credentials stored in Google Chrome as well as data stored in Microsoft Outlook browsers.“For a Latin American banking trojan, Grandoreiro utilizes a surprisingly large number of tricks to evade detection and emulation. That includes many techniques to detect or even disable banking protection software,” says ESET researcher Robert Šuman, leading the team analyzing Grandoreiro. “They seem to be developing the banking trojan very rapidly. Almost every new version we see introduces some changes. We also suspect they are developing at least two variants simultaneously. Interestingly, from a technical point of view, they also utilize a very specific application of the binary padding technique that makes it hard to get rid of the padding while keeping a valid file,” adds Šuman.Unlike the majority of Latin American banking trojans, Grandoreiro utilizes quite small distribution chains. For different campaigns, it may choose a different type of downloader. These downloaders are often stored on well-known public online sharing services such as GitHub, Dropbox, Pastebin, 4shared or 4Sync.

For more technical details about Grandoreiro, read the blogpost “Grandoreiro: How engorged can an EXE get?” on WeLiveSecurity.com. Make sure to follow ESET research on Twitter for the latest news from ESET Research.

 

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET Research dissects Guildma: Most impactful and YouTube-abusing Latin American banking trojan

BRATISLAVA, PRAGUE – In the latest installment about Latin American banking trojans, ESET researchers take a deep look at the most impactful and advanced banking trojan we have seen in this series and in the region: Guildma. This malware is specifically targeting banking institutions and attempts to steal credentials for email accounts, e-shops and streaming services in Brazil. It affects at least 10 times as many victims as other Latin American banking trojans that ESET Research has analyzed. During its peak – a massive campaign in 2019 – ESET recorded up to 50,000 attacks per day. Guildma spreads exclusively via spam emails with malicious attachments.

In one of its latest versions, Guildma employs a new way of distributing command and control servers, abusing YouTube and Facebook profiles. However, the authors stopped using Facebook almost immediately and, at least at this time, are relying fully on YouTube.

“Guildma uses very innovative methods of execution and sophisticated attack techniques. The actual attack is orchestrated by its C&C server. This gives the authors greater flexibility to react to countermeasures implemented by the targeted banks,” explains Robert Šuman, the ESET researcher leading the team analyzing Guildma.

Guildma boasts a backdoor with multiple functionalities, including taking screenshots, capturing keystrokes, emulating keyboard and mouse, blocking shortcuts (such as disabling Alt + F4 to make it harder to get rid of fake windows it may display), downloading and executing files, and/or rebooting the machine. In addition, Guildma is very modular and currently consists of at least 10 modules. The malware uses tools already present on the machine and reuses its own techniques. “New techniques are added every once in a while, but for the most part, the developers seem to simply reuse techniques from older versions,” says Šuman.

In one of the earlier 2019 versions, Guildma added the capability to target institutions (mainly banks) outside of Brazil. Despite that, over the past 14 months, ESET has not observed any international campaigns outside Brazil. The attackers went as far as to block any downloads from non-Brazilian IP addresses.

Guildma campaigns were ramping up slowly until a massive campaign in August 2019, when ESET Research recorded up to 50,000 samples per day. This campaign went on for almost two months and accounted for more than double the amount of detections seen in the 10 months prior.

First-stage Guildma detections since July 2019

First-stage Guildma detections since July 2019

The trojan has seemingly gone through many versions during its development, but there was usually very little development between versions due to its clunky architecture.

Distribution chain of Guildma in the latest version analyzed by ESET (150)

Guildma shares several prevailing characteristics of Latin American banking trojans. For more technical details, read the blog post Guildma: The devil drives electric on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research. 

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET identifies Latin American banking trojan, Mispadu, targeting victims with malicious Facebook ads

BRATISLAVA – ESET, a global leader in cybersecurity, continues its research into Latin American banking trojans with the identification of another previously unknown malware family, Mispadu.

Similar to the Amavaldo and Casbaneiro malware families recently described by ESET, Mispadu is written in Delphi and targets victims through the use of fake pop-up windows trying to persuade potential victims to share their personal details and credentials. The Mispadu banking trojan, which primarily targets Brazil and Mexico, contains backdoor functionality, can take screenshots, simulates mouse and keyboard actions, and captures keystrokes.

The ESET research team has seen the Mispadu family using two different distribution methods – spam and malvertising. While the former is common among Latin American banking trojans, the latter is quite rare. The threat actor behind Mispadu places sponsored advertisements on Facebook that offer fake discount coupons for McDonald’s. Clicking on the advertisement leads the potential victim to a malicious webpage where a ZIP file containing an MSI installer, masquerading as a discount coupon, can be downloaded. If downloaded and executed, a chain of three scripts follows, resulting in the download and execution of the Mispadu banking trojan. The trojan uses four potentially unwanted applications, all modified copies of legitimate software, to extract the victim’s stored credentials from web browsers and email clients.

In Brazil, Mispadu has been seen also distributing an interesting, malicious Google Chrome extension. The extension claims to “Protect your Chrome,” but instead it attempts to steal credit card and online banking data, and can even compromise Boleto, a popular payment system in Brazil that uses a barcode-based ticketing system to transfer payments. The Boleto component of the Mispadu malware attack is its most advanced feature, as it replaces the legitimate barcode on a Boleto ticket with one connected to the attacker’s bank account, generated via the abuse of a legitimate website.

For more details, read the blog post, Mispadu: advertisement for a discounted Unhappy Meal, on WeLiveSecurity.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.


About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.