{"description": "Enterprise techniques used by Grandoreiro, ATT&CK software S0531 (v1.2)", "name": "Grandoreiro (S0531)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can bypass UAC by registering as the default handler for .MSC files.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.003", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can parse Outlook .pst files to extract e-mail addresses.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) has the ability to use HTTP in C2 communications.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1010", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can identify installed security tools based on window names.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can use run keys and create link files in the startup folder for persistence.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.009", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can write or modify browser shortcuts to enable launching of malicious browser extensions.(Citation: IBM Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1185", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1115", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can capture clipboard data from a compromised host.(Citation: IBM Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can use VBScript to execute malicious code.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can steal cookie data and credentials from Google Chrome.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can decrypt its encrypted internal strings.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1686", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can block the Diebold Warsaw GAS Tecnologia security tool at the firewall level.(Citation: ESET Grandoreiro April 2020)", "score": 1,
"showSubtechniques": true}, {"techniqueID": "T1686.002", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can block the Diebold Warsaw GAS Tecnologia security tool at the firewall level.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1685", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1189", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) has used compromised websites and Google Ads to bait victims into downloading its installer.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: IBM Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "showSubtechniques": true}, {"techniqueID": "T1568.002", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can use a DGA for hiding C2 addresses, including use of an algorithm with a user-specific key that changes daily.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can use SSL in C2 communication.(Citation: IBM Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can send data it retrieves to the C2 server.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1222", "showSubtechniques": true}, {"techniqueID": "T1222.001", "comment":
"[Grandoreiro](https://attack.mitre.org/software/S0531) can modify the binary ACL to prevent security tools from running.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can delete .LNK files created in the Startup folder.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can download its second stage from a hardcoded URL within the loader's code.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can log keystrokes on the victim's machine.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) has named malicious browser extensions and update files to appear legitimate.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can modify the Registry to store its configuration at `HKCU\\Software\\` under frequently changing names including %USERNAME% and ToolTech-RM.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can execute through the WinExec API.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.001", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) has added BMP images to the resources section of its Portable Executable (PE) file increasing each binary to at least 300MB in size.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can store its configuration in the Registry at `HKCU\\Software\\` under frequently changing names including %USERNAME% and ToolTech-RM.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "The [Grandoreiro](https://attack.mitre.org/software/S0531) payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) has been spread via malicious links embedded in e-mails.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can identify installed security tools based on process names.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can list installed security products including the Trusteer and Diebold Warsaw GAS Tecnologia online banking protections.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1176", "showSubtechniques": true}, {"techniqueID": "T1176.001", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can use malicious browser extensions to steal cookies and other user information.(Citation: IBM Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1539", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can steal the victim's cookies to use for duplicating the active session from another device.(Citation: IBM Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.007", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can use MSI files to execute DLLs.(Citation: Securelist Brazilian Banking Malware July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can collect the computer name and OS version from a compromised host.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can determine the IP and physical location of the compromised host via IPinfo.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can collect the username from the victim's machine.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment":
"[Grandoreiro](https://attack.mitre.org/software/S0531) can determine the time on the victim machine via IPinfo.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) has used malicious links to gain execution on victim machines.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) has infected victims via malicious attachments.(Citation: IBM Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can detect VMware via its I/O port and Virtual PC via the vpcext instruction.(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.001", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can obtain C2 information from Google Docs.(Citation: Securelist Brazilian Banking Malware July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[Grandoreiro](https://attack.mitre.org/software/S0531) can utilize web services including Google sites to send and receive C2 data.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Grandoreiro", "color": "#66b1ff"}]}