Originally focused on Brazilian users, Grandoreiro has expanded its reach globally. It uses advanced evasion techniques<\/strong> to avoid detection, such as encrypting strings with a custom algorithm and employing anti-sandbox<\/strong> measures to hinder automated analysis. Additionally, Grandoreiro can dynamically change its command-and-control (C2)<\/strong> infrastructure based on the victim’s location, making it harder to track.<\/p>\n\n\n\n Grandoreiro continues to pose a significant threat, especially to online banking<\/strong> users, and remains one of the main tools for credential theft<\/strong> in the region.<\/p>\n\n\n\n Just as in other related campaigns, Grandoreiro is distributed using phishing emails with attachments containing VBS files.<\/p>\n\n\n When the user executes the sample, this will decrypt and install both .exe and .txt files with random name.<\/p>\n\n\n Next, the binary will be launched, which will display a window requesting the user to click the “Open” button in order to view the PDF document. Attackers use this technique to require user interaction with the malware and make automatic analysis through sandboxes more difficult.<\/p>\n\n\n Once the button is clicked, several checks will be performed to verify that the program is running on a real machine. If it is running in a sandbox, the following message will be displayed on the screen.<\/p>\n\n\n The malware will create a mutex with the date of the day it is executed to prevent two instances of the same from running simultaneously.<\/p>\n\n\n Then, it checks the geolocation of the device by making a request to the legitimate site ip-api.com<\/strong>. Later, this information will be exfiltrated to the C2 server.<\/p>\n\n\n Finally, the service dns.google<\/strong> will be used to obtain the IP address of the domain, and this IP will be used to connect to the C2 instead of the domain.<\/p>\n\n\n To hinder analysis, all strings used in the malware are encrypted with a custom algorithm<\/strong>. In particular, Grandoreiro protects various types of strings through encryption, which it will decrypt as part of its operation once it determines that it is not running in a monitored environment. These include: highlighted messages it can use, domains, processes it will check to verify if it is in a sandbox, and other indicators that could be revealing or used in potential detection rules.<\/p>\n\n\n\n The encrypted strings consist of two elements: a key (composed of the first two and last two characters) and the message encoded in base64.<\/p>\n\n\n Based on this key, a series of mathematical operations are performed to transform it into an integer that will be used as a seed for a Linear Congruential Generator (LCG), a pseudo-random number generation algorithm. The generated values will be used to permute the string “!@#$%^&*()_+-=[]{}|;:,.<>?”<\/strong>, which will then be concatenated with the string “50600tvc0415”<\/strong> to be used as a password for decrypting the strings using XOR operations.<\/p>\n\n\n As a summary, a diagram explaining the string decryption routine is shown below, considering the final decrypted string “Google Chrome” as example.<\/p>\n\n\n It is expected that in future campaigns, the decryption routine may vary, as it has in previous campaigns. By following this code, it is possible to decrypt the strings protected by Grandoreiro samples and, in doing so, obtain the IOCs, even if the sample evades the sandbox.<\/p>\n\n\n\nDescription of the campaign<\/h1>\n\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/03\/image.png\")
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/03\/image-1.png\")
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/03\/image-2.png\")
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/03\/image-3.png\")
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/03\/imagen.png\")
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/03\/image-5.png\")
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/03\/image-6-1024x367.png\")
String Decryption Routine<\/h1>\n\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/03\/image-7.png\")
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/03\/image-8.png\")
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/03\/CIPHER-1-1024x536.png\")
Indicators of Compromise (IoC)<\/h1>\n\n\n\n
Domains<\/h2>\n\n\n\n
\n
Grandoreiro samples<\/h2>\n\n\n\n
\n