[x] Block Grandoreiro, a Windows banking trojan targeting more than 1500 banks and 266 cryptocurrency products.
Description
Grandoreiro operators significantly upgraded the list of targeted banking applications, now targeting more than 1500 banks worldwide. The latest variants start by checking whether the victim's country is on the list of targeted countries. Each country is also mapped to a larger region, which Grandoreiro uses to decide which string searches to run against the currently active windows. If the victim's country is identified as Belgium, for instance, it searches for all targeted banking applications associated with the Europe region. Grandoreiro internally maps countries to the region categories Europe, North America, Central America, South America, Africa, Indo-Pacific and global islands, and each region has an associated Delphi class that searches for that region's bank applications. In addition, Grandoreiro has a class that searches for 266 unique strings identifying cryptocurrency wallets; this class runs on every infection regardless of region.
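The flow described above (country gate, region lookup, region-specific window search, plus a wallet search that always runs) modelled as an added example for analysts. This is not Grandoreiro's code: the region names come from the write-up, but the country table, the per-region strings and the wallet strings are constructed placeholders, since the real lists are not reproduced on this page. The practical point it shows is that a sample detonated with an untargeted country produces no bank-related activity at all, while the wallet search still fires.

```python
"""Model of the targeting flow described above: country -> region ->
per-region search strings run against active window titles, plus a
wallet search that runs on every infection.

Constructed example, not Grandoreiro's code. Region names are from the
write-up; the country table and every search string are placeholders."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Region categories named in the write-up. Membership is a constructed
# subset (the write-up only confirms Belgium -> Europe).
COUNTRY_TO_REGION: Dict[str, str] = {
    "BE": "Europe", "ES": "Europe", "PT": "Europe",
    "US": "North America", "CA": "North America",
    "MX": "Central America", "GT": "Central America",
    "BR": "South America", "AR": "South America",
    "ZA": "Africa",
    "AU": "Indo-Pacific",
    "MU": "global islands",
}

# One search list per region, standing in for the per-region Delphi classes.
# Placeholder strings; the real lists name real banks and are not on the page.
REGION_BANK_STRINGS: Dict[str, List[str]] = {
    "Europe": ["bank-eu-a", "bank-eu-b"],
    "North America": ["bank-na-a"],
    "Central America": ["bank-ca-a"],
    "South America": ["bank-sa-a", "bank-sa-b"],
    "Africa": ["bank-af-a"],
    "Indo-Pacific": ["bank-ip-a"],
    "global islands": ["bank-gi-a"],
}

# Placeholder wallet strings; the real class carries 266 and is region-independent.
CRYPTO_STRINGS: List[str] = ["wallet-x", "exchange-y"]


@dataclass
class ScanResult:
    targeted: bool                 # victim country is on the target list
    region: Optional[str]          # region whose bank class would run, if any
    bank_hits: List[str] = field(default_factory=list)
    crypto_hits: List[str] = field(default_factory=list)


def _search(titles: List[str], needles: List[str]) -> List[str]:
    """Case-insensitive substring search of each needle over all window titles."""
    lowered = [t.lower() for t in titles]
    return sorted({n for n in needles if any(n.lower() in t for t in lowered)})


def scan_victim(country_code: str, window_titles: List[str]) -> ScanResult:
    """Return which placeholder bank and wallet strings a victim in
    `country_code` with `window_titles` open would trigger."""
    region = COUNTRY_TO_REGION.get(country_code.upper())
    result = ScanResult(targeted=region is not None, region=region)
    # Wallet search runs on every infection, targeted country or not.
    result.crypto_hits = _search(window_titles, CRYPTO_STRINGS)
    if region is None:
        # Not a targeted country: no bank class is selected, nothing else runs.
        return result
    result.bank_hits = _search(window_titles, REGION_BANK_STRINGS.get(region, []))
    return result


if __name__ == "__main__":
    titles = ["Bank-EU-A Online Banking - Browser", "Wallet-X Desktop"]
    print(scan_victim("BE", titles))
    print(scan_victim("XX", titles))  # untargeted country: wallet hits only
```

Because the bank search is gated on the victim's country, sandbox runs should set the locale and geolocation to a country on the target list; otherwise the only observable string-search behaviour is the wallet class.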
Enhancement idea
Links
https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/
IOC
I2P websites
n/a
IPFS websites
n/a
Tor2web websites
n/a
TOR websites
n/a
URLs
n/a
Folders
n/a
Sub-Domains
Above:
*.cloudapp.azure.com
Domains
Free DNS:
IPs
ASNs
n/a
Emails
Wallet addresses
n/a
Mining pool addresses
n/a
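The Sub-Domains entry above is a wildcard pattern, and wildcard IOCs are easy to match wrongly: a plain substring test on "cloudapp.azure.com" also fires on evilcloudapp.azure.com and on cloudapp.azure.com.attacker.example, while a test anchored at the string end misses FQDNs with a trailing dot or upper-case queries. The following added example (not code from this repository) matches on whole DNS labels and runs the pattern over a few constructed resolver log lines. One caveat before using it as a block rule: cloudapp.azure.com is the shared suffix for Azure public VM hostnames, so a wildcard block also affects legitimate Azure-hosted services; treat hits as review candidates and block the specific hosts you confirm.

```python
"""Wildcard IOC matching for entries like the Sub-Domains pattern
*.cloudapp.azure.com. Constructed example; the log lines are made up.

Matching is done per DNS label, so look-alikes such as
evilcloudapp.azure.com or cloudapp.azure.com.attacker.example do not match,
and neither does the bare apex cloudapp.azure.com."""
from typing import List, Tuple

IOC_PATTERNS = ["*.cloudapp.azure.com"]   # the Sub-Domains entry on this page

# Constructed resolver log lines in a simple key=value format.
SAMPLE_DNS_LOG = """\
2024-05-21T10:01:02Z client=10.0.0.5 query=a1b2c3-vm.westeurope.cloudapp.azure.com type=A
2024-05-21T10:01:05Z client=10.0.0.7 query=login.microsoftonline.com type=A
2024-05-21T10:01:09Z client=10.0.0.5 query=evilcloudapp.azure.com type=A
2024-05-21T10:01:11Z client=10.0.0.9 query=cloudapp.azure.com.attacker.example type=A
2024-05-21T10:01:15Z client=10.0.0.5 query=CLOUDAPP.AZURE.COM. type=A
"""


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so FQDN and relative forms compare equal."""
    return host.strip().lower().rstrip(".")


def matches_wildcard(host: str, pattern: str) -> bool:
    """`*.suffix` matches hosts with at least one label under suffix; a plain
    pattern matches only itself. Comparison is on whole labels, not substrings."""
    host_labels = normalize_host(host).split(".")
    pattern = normalize_host(pattern)
    if pattern.startswith("*."):
        suffix_labels = pattern[2:].split(".")
        return (len(host_labels) > len(suffix_labels)
                and host_labels[-len(suffix_labels):] == suffix_labels)
    return host_labels == pattern.split(".")


def _field(line: str, key: str) -> str:
    """Pull `key=value` out of a whitespace-separated log line ('' if absent)."""
    for token in line.split():
        if token.startswith(key + "="):
            return token[len(key) + 1:]
    return ""


def find_ioc_hits(log_text: str, patterns: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, query, pattern) for every log line whose query matches a pattern."""
    hits = []
    for line in log_text.splitlines():
        query = _field(line, "query")
        if not query:
            continue
        for pattern in patterns:
            if matches_wildcard(query, pattern):
                hits.append((_field(line, "client"), normalize_host(query), pattern))
                break
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_DNS_LOG, IOC_PATTERNS):
        print(hit)
```

Only the first constructed line is a hit; the apex, the look-alike prefix and the subdomain-of-attacker forms are all rejected.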