Introduction
Imagine you're just sipping your morning coffee, ready to dive into your emails, and bam! There's a phishing email campaign waiting to wreak havoc. Sounds like a scene from a cyber-thriller? It's more common than you'd think. One of the culprits behind such campaigns, the Grandoreiro banking Trojan, has been giving security folks sleepless nights. But fear not: Mimecast, our trusty sidekick, has been helping keep the cybercriminals at bay. Let's dive into the story of how Mimecast helped us fend off the notorious Grandoreiro and saved the day.
A brief history of trouble
Grandoreiro might sound like an exotic vacation spot in the Caribbean, but it's actually a banking Trojan from Latin America. Active since its debut in 2017, it has expanded its target list from local banks to numerous fintech companies like MercadoLibre and even crypto exchanges. It's like the digital version of a pickpocket who keeps honing his craft.
How it works
When a user visits a targeted bank or fintech website, Grandoreiro displays fake pop-ups, known as 'overlays', that blend seamlessly with the legitimate site. The overlay freezes the real page underneath and asks for account details or other information that could lead to the account being compromised.
How it sneaks in
Grandoreiro uses some classic tricks to get into your system:
Phishing Emails: Disguised as important messages, these emails lure you into clicking malicious links or downloading harmful attachments.
Drive-by Downloads: Visiting a compromised website is all it takes for the malware to silently slip into your system.
Fake Software Updates: Ever been prompted to update your software out of the blue? That prompt may be the Trojan's installer in disguise.
Or all of the above at once.
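The attachment name listed in Appendix I of this post, ❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_⑧②②⑧③②.msi, spells "Factura" (invoice) with Unicode mathematical double-struck letters and circled digits, so a naive keyword filter looking for "factura" never matches it even though a human reads it as an invoice. The following script is an added example, not code from this post or from Mimecast: it folds compatibility characters with NFKC normalization before matching, and flags names where that folding changed anything. The lure keywords and risky-extension list are assumptions for the example, not a vendor list.

```python
import unicodedata

# Attachment name published in Appendix I of this post: "Factura" (invoice)
# spelled with mathematical double-struck letters and circled digits.
SAMPLE_ATTACHMENT = "❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_⑧②②⑧③②.msi"

# Lure words and extensions are assumptions for this example, not a vendor list.
LURE_KEYWORDS = ("factura", "invoice", "nota fiscal", "boleto", "comprobante")
RISKY_EXTENSIONS = (".msi", ".exe", ".lnk", ".vbs", ".js", ".iso", ".zip")


def fold_unicode(name):
    """Return (nfkc, ascii_only) for a file name.

    NFKC maps compatibility characters (math alphabets, circled digits,
    full-width forms) to their plain equivalents; dropping whatever is still
    non-ASCII afterwards removes decorative symbols such as the asterisks.
    The ASCII-only view is meant for keyword matching, not for display.
    """
    nfkc = unicodedata.normalize("NFKC", name)
    ascii_only = "".join(ch for ch in nfkc if ch.isascii())
    return nfkc, ascii_only


def assess_attachment(name):
    """Return (visible_name, findings) for one attachment file name."""
    nfkc, visible = fold_unicode(name)
    findings = []
    # If NFKC changed the string, the sender used look-alike compatibility
    # characters: the name a human reads is not the name a filter saw.
    if nfkc != name:
        findings.append("homoglyph_disguise")
    lower = visible.lower()
    for keyword in LURE_KEYWORDS:
        if keyword in lower:
            findings.append("lure_keyword:" + keyword)
            break
    dot = lower.rfind(".")
    extension = lower[dot:] if dot != -1 else ""
    if extension in RISKY_EXTENSIONS:
        findings.append("risky_extension:" + extension)
    return visible, findings


if __name__ == "__main__":
    for name in (SAMPLE_ATTACHMENT, "Factura_822832.msi", "minutes.pdf"):
        print(repr(name), "->", assess_attachment(name))
```

NFKC only catches characters that have a compatibility decomposition; a Cyrillic "а" substituted for a Latin "a" is a different code point with no such mapping and needs a confusables table on top of this check.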
Dodging detection
This malware is as slippery as they come. Here’s how it avoids getting caught:
Code Obfuscation: It scrambles its code so that signature-based security software has a harder time recognizing it.
Anti-VM Techniques: If it senses it is being analyzed inside a virtual machine, it behaves differently to throw off the researchers.
Dynamic C2 Servers: Constantly changing command-and-control servers make it tough to block its communications with a static deny list.
Bloated File Size: Only a fraction of the file is usable code. The rest is filler that inflates the binary, which confuses analysts and pushes the sample past the file-size limits of automated scanners and sandboxes, so it is never analyzed at all.
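A padded sample is easy to spot once you look for it: most of the file is low-entropy filler, while the part that actually runs is a small, high-entropy region. The following heuristic is an added example (not code from this post, from Mimecast or from the malware's analysts): it walks a file in fixed chunks, measures Shannon entropy per chunk, and reports how much of the file is filler. The chunk size, entropy threshold and the 100 MB size gate are assumptions chosen for illustration, and the sample it scans is constructed in code, not a real Grandoreiro binary.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096          # assumption: window size for the entropy scan
LOW_ENTROPY_BITS = 1.5     # assumption: compiled or compressed code sits well above 5 bits/byte


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def padding_profile(sample, chunk_size=CHUNK_SIZE, threshold=LOW_ENTROPY_BITS):
    """Walk the file in fixed chunks and count bytes living in low-entropy chunks.

    Returns (total_size, padded_bytes, padded_fraction).
    """
    padded = 0
    for offset in range(0, len(sample), chunk_size):
        chunk = sample[offset:offset + chunk_size]
        if shannon_entropy(chunk) < threshold:
            padded += len(chunk)
    total = len(sample)
    return total, padded, (padded / total if total else 0.0)


def effective_size(sample, **kw):
    """Bytes left once the filler is discounted: the size a scanner should reason about."""
    total, padded, _ = padding_profile(sample, **kw)
    return total - padded


def looks_bloated(sample, min_size=100 * 1024 * 1024, min_padding_fraction=0.5, **kw):
    """A file only counts as bloated if it is large enough that a scanner or
    sandbox might skip it AND most of that size is filler."""
    total, _, fraction = padding_profile(sample, **kw)
    return total >= min_size and fraction >= min_padding_fraction


def build_constructed_sample(code_size=16 * 1024, padding_size=480 * 1024, seed=7):
    """Constructed stand-in for a padded dropper (not a real sample):
    pseudo-random 'code' followed by a block of identical bytes, which is what
    a mostly blank image stuffed into the binary looks like to an entropy scan."""
    rng = random.Random(seed)
    code = bytes(rng.getrandbits(8) for _ in range(code_size))
    padding = b"\xff" * padding_size
    return code + padding


if __name__ == "__main__":
    sample = build_constructed_sample()
    total, padded, fraction = padding_profile(sample)
    print(f"total={total} padded={padded} fraction={fraction:.3f} "
          f"effective={effective_size(sample)} bloated={looks_bloated(sample, min_size=256 * 1024)}")
```

The size gate matters: a 500 KB file that is 97% filler is odd but not a bypass, while the same ratio in a file hundreds of megabytes large is exactly the shape the page describes. Where the padding sits (an oversized resource or an overlay after the last PE section) is worth checking with a PE parser before debloating, which is out of scope for this snippet.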
What happens when it strikes
Once Grandoreiro is in, it's like having a nosy thief rummaging through your desk drawers. And a noisy thief at that: many of its samples are flagged by multiple AV solutions, albeit under different detection names, since the malware keeps being redressed with new file names and email subjects.
But if it manages to sneak past, here’s what it can do:
Steal Credentials: Captures your keystrokes, takes screenshots and harvests form data to snatch your banking details.
Exfiltrate Data: Sends your sensitive information to its remote servers.
Control Your System: Allows attackers to execute commands remotely, giving them full control over your device.
Transaction Hijacking: Potentially manipulates transactions or initiates unauthorized transactions on the user's behalf.
Spotting the signs
Keep an eye out for these red flags:
Before the infection, Grandoreiro's phishing campaigns impersonate well-known brands and subjects to trick users, including:
Banks: Popular national and international banks.
Fintech Companies: Firms like MercadoLibre.
Crypto Exchanges: Platforms for cryptocurrency trading.
Payment Systems: Online payment services.
Government Agencies: Tax authorities or social services.
Shipping Companies: Well-known delivery services.
After a successful infection, look out for its noisy activity:
Strange network traffic to suspicious domains or IPs.
One of your accounts suddenly signing in from China… or Brazil.
Unknown files or programs appearing on your system.
Odd system behavior, like unexpected pop-ups (especially when browsing banking or fintech websites) or slow performance.
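"Strange network traffic to suspicious domains or IPs" only becomes a detection once the indicators from Appendix I are matched against your own telemetry. The script below is an added example (not code from this post or from Mimecast) that refangs the published indicators, pulls candidate IPs, host names and hashes out of log lines with regular expressions, and reports which lines hit, including subdomains of a listed domain. It uses the IP, the clean domain and the two file hashes from Appendix I; the log lines are constructed for the example and are not real telemetry, and their format is an assumption.

```python
import re

# Indicators published in Appendix I of this post, kept defanged as published.
# The IP-plus-domain host in the first URL is left out; the clean domain,
# the IP and the two file hashes are used.
DEFANGED_IOCS = {
    "ipv4": ["244.18.205.92"],
    "domain": ["stpfactsolutionselectri[.]com"],
    "hash": ["6ba06a1f2bdb811877e3d95aca9d7f6c",
             "b92f478ef5aaf0fbe8cb8783186f3d92a4a4242a"],
}

# Constructed log lines for this example (not real telemetry); the format is an assumption.
SAMPLE_LOGS = [
    "2024-05-14T09:12:03Z proxy user=ana dst=mail.example.com status=200",
    "2024-05-14T09:13:41Z dns query=stpfactsolutionselectri.com answer=244.18.205.92",
    "2024-05-14T09:13:42Z proxy user=ana dst=www.stpfactsolutionselectri.com"
    " uri=/docs/pdf/15540f02-d006-4e3b-b2de-6873baff3b2a status=200",
    "2024-05-14T09:14:05Z edr host=WS-17 event=file_write"
    " sha1=b92f478ef5aaf0fbe8cb8783186f3d92a4a4242a",
    "2024-05-14T09:20:11Z proxy user=luis dst=updates.example.org status=304",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")


def refang(indicator):
    """Undo the usual defanging ("[.]", "hxxp") so the value matches real logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(defanged):
    """Refang and normalize the indicator lists into lookup sets."""
    return {
        "ipv4": {refang(x) for x in defanged.get("ipv4", [])},
        "domain": {refang(x).lower().rstrip(".") for x in defanged.get("domain", [])},
        "hash": {x.lower() for x in defanged.get("hash", [])},
    }


def domain_matches(host, domains):
    """Exact match or any subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_line(line, iocs):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in iocs["ipv4"]:
            hits.append(("ipv4", ip))
    for host in HOST_RE.findall(line):
        if domain_matches(host, iocs["domain"]):
            hits.append(("domain", host.lower()))
    for digest in HASH_RE.findall(line):
        if digest.lower() in iocs["hash"]:
            hits.append(("hash", digest.lower()))
    return hits


def scan_logs(lines, iocs):
    """Return [(line_number, line, hits)] for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line, iocs)
        if hits:
            results.append((number, line, hits))
    return results


if __name__ == "__main__":
    for number, line, hits in scan_logs(SAMPLE_LOGS, load_iocs(DEFANGED_IOCS)):
        print(f"line {number}: {hits}")
```

A DNS answer that resolves the listed domain to the listed IP, followed by a proxy hit on a subdomain and a file write of the listed SHA-1, is the sequence a responder would want to chain together; matching each line in isolation is the first step, correlating by user and host comes next.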
Here are some real-life screenshots of what to look for:
Meet your sidekick
Mimecast isn’t just another security tool; it’s like having a digital bodyguard that’s always alert.
Here’s how it stands up to Grandoreiro:
Advanced Threat Protection + URL Protect: Scans and rewrites suspicious URLs in emails, preventing you from accidentally visiting malicious sites.
Attachment Protect: Uses sandboxing to safely open and analyze email attachments.
Impersonation Protection: Blocks phishing emails that try to impersonate trusted contacts, making sure you’re not fooled by clever tricks.
Intelligent Filtering: Employs smart algorithms to weed out spam and malicious emails before they hit your inbox.
Threat Intelligence: Stays ahead of the curve by using global threat intelligence to recognize and neutralize new threats.
User Training: Offers training programs to help you recognize phishing attempts and stay vigilant.
Real life heroes
Let’s take a closer look at how Mimecast thwarted a Grandoreiro attack:
Detection: Mimecast’s URL Protect flagged a phishing email whose link pointed to a fake banking site.
Prevention: The malicious link was rewritten and blocked, so the recipient never reached the page.
Conclusion
Grandoreiro may be a cunning adversary, but with Mimecast by your side, you can sip your morning coffee without worry. Mimecast’s layered security approach ensures that you’re protected from the latest threats, giving you peace of mind in a world full of cybercriminals.
Appendix I: IOCs
IPv4: 244.18.205.92
URL: https://244.18.205.92[.]host.secureserver[.]net/rmcadvogados?facdigital-web/ConsultaClaro[.]aspx?nroFactura=9203-22988292&tokenValue=3233d6e527ebc123acf78373d3f0edb4135e3992
URL: stpfactsolutionselectri[.]com?docs/pdf/15540f02-d006-4e3b-b2de-6873baff3b2a
Domain: stpfactsolutionselectri[.]com
File: ❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_⑧②②⑧③②.msi
MD5: 6ba06a1f2bdb811877e3d95aca9d7f6c
SHA-1: b92f478ef5aaf0fbe8cb8783186f3d92a4a4242a
Appendix II: Intelligence Pulse + New IOCs
A new campaign was launched in mid-May, which produced new intelligence and indicators of compromise.