Wednesday, May 7, 2025
Homecyber securityGrandoreiro Malware Hijacks Outlook Client to Send Phishing Emails

Grandoreiro Malware Hijacks Outlook Client to Send Phishing Emails

Published on

SIEM as a Service

Follow Us on Google News

X-Force identified a phishing campaign targeting Latin American users since March 2024, where emails impersonate legitimate entities like tax and utility services, urging recipients to click links for invoices or account statements. 

Clicking the link redirects users in specific countries to a fake PDF icon while downloading a malicious ZIP archive containing an executable disguised as a PDF, which leverages urgency and exploits trust in official institutions to trick users into compromising their systems. 

Sample emails impersonating SAT, and CFE

For the first time, the phishing campaign targets users outside Latin America. The emails impersonate tax authorities like the South African Revenue Service (SARS) and leverage familiar tactics used in past Grandoreiro campaigns in Latin America.

- Advertisement - Google News

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

These emails, written in English or Spanish, reference a tax number and a downloadable invoice.

Clicking the provided PDF or XML link triggers a ZIP archive download containing a Grandoreiro loader disguised as a tax document (e.g., “SARS 35183372 eFiling 32900947.exe”).  

Sample emails impersonating SAT and SARS

The Grandoreiro loader, the first stage of a multi-component banking trojan, utilizes a custom three-step decryption process to protect its functionality. First, it extracts a key string from its hardcoded, triple-Base64 encoded form. 

Grandoreiro fake Adobe PDF reader CAPTCHA

Then, it converts the encrypted strings using a custom hex encoding scheme before feeding them into the original Grandoreiro decryption algorithm along with the key string. 

Finally, the loader performs AES-CBC decryption and unpadding using yet another set of decrypted keys to retrieve the final plaintext strings. 

Grandoreiro loader string decryption

Grandoreiro malware verifies a victim’s environment by collecting data like computer name, OS version, and running processes, then checks it against a blacklist; it also avoids specific countries and Windows 7 machines in the US without antivirus

Next, it builds a victim profile for the C2 server, including location data, installed software (e.g., anti-virus, crypto wallets), and hardware details (e.g., monitors), which is sent encrypted to the C2 server. 

The Grandoreiro loader decrypts the C2 server address using a specific algorithm, uses DNS over HTTPS to retrieve the IP address, and then sends an HTTP GET request with an encrypted message to the C2 server for the final payload. 

After receiving the payload download URL and other information, the loader downloads the payload, decrypts it with a key and decompresses it. 

Example

It checks for specific privileges and executes the Grandoreiro banking trojan with or without privilege escalation.

Throughout the process, the loader communicates with the C2 server, reporting success or error messages. 

It establishes persistence by creating a registry run key and storing its configuration in an encrypted .CFG file, and targets over 1500 banks worldwide by determining the victim’s country and launching region-specific attacks. 

Grandoreiro launching a new thread based on the detected country region

The malware searches for targeted banking applications and cryptocurrency wallets based on predefined strings, and if the configuration file is missing, Grandoreiro creates a new one with default values.

Grandoreiro is a banking trojan that uses a Domain Generation Algorithm (DGA) with multiple seeds to calculate C2 server addresses.

The DGA generates different subdomains for the main C2 server and function-specific C2 servers by combining the current date, a seed string, and a custom character mapping. 

According to Security Intelligence, the malware can perform various actions, including remote control, file transfer, and web browsing. It can also steal banking information by simulating clicks on web pages.

Grandoreiro banking trojan string decryption

Grandoreiro employs a layered decryption process for its numerous strings, as it first extracts the key using a custom method with key “A”, then decodes the encrypted string and decrypts it with AES-ECB using a scrambled version of the key.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by...

SysAid ITSM Vulnerabilities Enables Pre-Auth Remote Command Execution

Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution,...

CISA Warns of Cyber Threats to Oil and Gas SCADA and ICS Networks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new alert warning critical...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by...

SysAid ITSM Vulnerabilities Enables Pre-Auth Remote Command Execution

Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution,...