chartingshow / crypto-firewall

🎁 Blocks browser-based crypto mining, cryptojacking, banking and crypto malware, phishing websites and apps, and hackers' command-and-control (C2) servers.
GNU General Public License v3.0

Block `Grandoreiro`, an Android banking trojan targeting 1500 banks and 266 cryptocurrency products #501

Closed summercms closed 4 months ago

summercms commented 4 months ago

Enhancement idea

Description

Grandoreiro operators significantly upgraded the list of targeted banking applications, now targeting more than 1500 banks worldwide. The latest variants start by first determining if the victim is on the list of targeted countries. Each country is also mapped to a larger region, which Grandoreiro uses to determine which string searches it should run on currently active windows. This means that, if the victim country for instance is identified as Belgium, it will search for all targeted banking applications associated with the Europe region. Grandoreiro internally maps countries to the region categories Europe, North America, Central America, South America, Africa, Indo-Pacific and global islands, with each region having an associated Delphi class to search for bank applications. In addition, Grandoreiro has a class searching for 266 unique strings identifying cryptocurrency wallets, which is run on every infection.


Links

https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/

IOC

I2P websites

n/a

IPFS websites

n/a

Tor2web websites

n/a

TOR websites

n/a

URLs

n/a

Folders

n/a

Sub-Domains

hilcfacdigitaelpichipt.norwayeast.cloudapp.azure.com
officebusinessaccount.eastus.cloudapp.azure.com
onwfacttasunslahf.norwayeast.cloudapp.azure.com
servicerevenueza.southeastasia.cloudapp.azure.com

Above: *.cloudapp.azure.com

Domains

crazydocuments.com
pjohconstruccionescpaz.com
rufnag.com

Free DNS:

dnsfor.me
neat-url.com

IPs

15.228.245.103
15.229.211.175
18.231.158.159
18.231.181.227

ASNs

n/a

Emails

assistance@gov.za
gruposat@gob.mx
marcasat@gob.mx
root@zpmbnoxf.crazydocuments.com

Wallet addresses

n/a

Mining pool addresses

n/a
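The indicators above are only useful once something checks traffic against them. The script below is an added example, not code from crypto-firewall or from the issue author: it loads the hostnames, domains and IPs listed in this issue into a matcher and runs it over a few constructed dnsmasq-style query lines (the log format and client addresses are assumptions, not captured data). The four `cloudapp.azure.com` names are matched exactly, because the parent zone is shared Azure hosting; the attacker-registered domains and free-DNS zones are matched together with every label beneath them, so `zpmbnoxf.crazydocuments.com` (from the e-mail indicator) is caught without letting `notrufnag.com` match by accident.

```python
"""Match hostnames and IPs against the Grandoreiro IOCs posted in this issue.

Added example (not part of the crypto-firewall lists): the indicator values
are copied from the issue; the log lines below are constructed.
"""
import ipaddress
import re

# Exact hostnames from the "Sub-Domains" section. They sit under the shared
# Azure zone cloudapp.azure.com, so only the exact names are blocked; blocking
# the parent zone would cut off unrelated Azure tenants.
BLOCKED_HOSTS = {
    "hilcfacdigitaelpichipt.norwayeast.cloudapp.azure.com",
    "officebusinessaccount.eastus.cloudapp.azure.com",
    "onwfacttasunslahf.norwayeast.cloudapp.azure.com",
    "servicerevenueza.southeastasia.cloudapp.azure.com",
}

# Attacker-controlled zones from "Domains" and "Free DNS": the apex and every
# name beneath it are treated as blocked.
BLOCKED_ZONES = {
    "crazydocuments.com",
    "pjohconstruccionescpaz.com",
    "rufnag.com",
    "dnsfor.me",
    "neat-url.com",
}

BLOCKED_IPS = {ipaddress.ip_address(a) for a in (
    "15.228.245.103", "15.229.211.175", "18.231.158.159", "18.231.181.227",
)}


def normalize_host(host):
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return host.strip().rstrip(".").lower()


def host_is_blocked(host):
    """True if the name is an exact IOC or lies under a blocked zone."""
    h = normalize_host(host)
    if h in BLOCKED_HOSTS:
        return True
    # Walk up the label chain so a.b.rufnag.com hits rufnag.com while
    # notrufnag.com does not (a plain endswith("rufnag.com") would match it).
    labels = h.split(".")
    return any(".".join(labels[i:]) in BLOCKED_ZONES for i in range(len(labels)))


def ip_is_blocked(addr):
    """True if the address is one of the listed C2 IPs; garbage is not blocked."""
    try:
        return ipaddress.ip_address(addr.strip()) in BLOCKED_IPS
    except ValueError:
        return False


# Assumed dnsmasq query format: "... query[A] example.com from 10.0.0.5"
_QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def scan_dns_log(lines):
    """Return (client, name) for every query whose name is blocked."""
    hits = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if m and host_is_blocked(m.group("name")):
            hits.append((m.group("client"), normalize_host(m.group("name"))))
    return hits


# Constructed sample log; clients and timestamps are made up.
SAMPLE_LOG = [
    "May  1 10:02:11 dnsmasq[812]: query[A] rufnag.com from 10.0.0.5",
    "May  1 10:02:12 dnsmasq[812]: query[A] zpmbnoxf.crazydocuments.com from 10.0.0.5",
    "May  1 10:02:13 dnsmasq[812]: query[A] www.example.com from 10.0.0.7",
    "May  1 10:02:14 dnsmasq[812]: query[A] notrufnag.com from 10.0.0.7",
    "May  1 10:02:15 dnsmasq[812]: query[A] myapp.eastus.cloudapp.azure.com from 10.0.0.9",
    "May  1 10:02:16 dnsmasq[812]: query[A] officebusinessaccount.eastus.cloudapp.azure.com from 10.0.0.9",
]

if __name__ == "__main__":
    for client, name in scan_dns_log(SAMPLE_LOG):
        print(f"BLOCKED {client} -> {name}")
```

Feeding a real resolver log into `scan_dns_log` gives a quick triage of which internal clients resolved any of these names; for a hosts-file or DNS-sinkhole deployment the same two sets (`BLOCKED_HOSTS` as exact entries, `BLOCKED_ZONES` as zone-level entries) are what would be written out.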