What Is Grandoreiro?
Grandoreiro is financially motivated malware designed to steal banking credentials and help attackers gain access to sensitive financial accounts. It has been active since at least 2016 and has evolved into one of the more widely distributed banking trojans seen in Spanish- and Portuguese-speaking regions.
While banking trojans are often described simply as credential stealers, Grandoreiro is more than that. It can monitor user activity, capture keystrokes, interact with banking sessions, display fake overlay windows, execute attacker commands, and attempt to avoid analysis in sandbox or research environments.
How the Campaign Begins
The infection chain starts with phishing. Victims receive messages containing malicious links that appear to lead to legitimate content or downloads. In the observed campaigns, attackers abused trusted or common hosting services to make the activity look less suspicious.
Instead of relying on obviously malicious files, the campaign uses a more subtle approach: it delivers ZIP files containing legitimate applications bundled with malicious DLL files. Users and security tools may initially see a known software name and treat the download as less suspicious, which is exactly the point.
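As an added illustration (not code from WatchGuard's report or from this article), the following Python script applies that "known application plus unexpected DLL" check to a downloaded archive before anything is extracted. The ZIP it inspects is constructed in memory, and the COMMONLY_SIDELOADED name set is an assumption to be replaced with your own list; nothing in it is an indicator taken from the report.

```python
"""Archive triage for the delivery pattern described above: a legitimate
application bundled with a DLL that will be side-loaded when the EXE runs.

Added example, not code from the article or from WatchGuard. The archive is
constructed in memory; file names and the COMMONLY_SIDELOADED set are
illustrative assumptions, not indicators taken from the report.
"""
from __future__ import annotations

import io
import posixpath
import zipfile

# Assumption: DLL names that many Windows programs import by name and that
# attackers therefore like to drop beside an executable. Maintain your own list.
COMMONLY_SIDELOADED = {"version.dll", "userenv.dll", "dbghelp.dll",
                       "wtsapi32.dll", "cryptbase.dll"}


def triage_archive(data: bytes) -> list[dict]:
    """Return one finding per archive directory holding at least one EXE and one DLL."""
    by_dir: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            directory, name = posixpath.split(info.filename)
            by_dir.setdefault(directory, []).append(name.lower())

    findings = []
    for directory, names in by_dir.items():
        exes = sorted(n for n in names if n.endswith(".exe"))
        dlls = sorted(n for n in names if n.endswith(".dll"))
        if not exes or not dlls:
            continue
        abused = sorted(n for n in dlls if n in COMMONLY_SIDELOADED)
        # An EXE shipped with a DLL that shares the name of a library Windows
        # normally supplies is the classic side-loading layout and rates high;
        # an EXE+DLL pairing alone is only medium and needs a second look.
        findings.append({
            "dir": directory or ".",
            "exes": exes,
            "dlls": dlls,
            "sideload_names": abused,
            "severity": "high" if abused else "medium",
        })
    return findings


def build_sample_archive(with_dll: bool) -> bytes:
    """Constructed sample: a 'Reader' folder with a stub EXE, optionally with a
    DLL beside it. The byte contents are placeholders, not real PE files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Reader/readme.txt", "Thank you for downloading.")
        zf.writestr("Reader/reader.exe", b"MZ placeholder, not a real PE")
        if with_dll:
            zf.writestr("Reader/version.dll", b"MZ placeholder, not a real PE")
    return buf.getvalue()


if __name__ == "__main__":
    print("exe only:", triage_archive(build_sample_archive(False)))
    print("exe + dll:", triage_archive(build_sample_archive(True)))
```

The check runs at the mail gateway or proxy without executing anything; a medium finding is a prompt to compare the DLL set against what that application normally ships with, while a high finding (a DLL named like a Windows system library sitting next to the EXE) is worth blocking outright.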
DLL Side-Loading: Hiding Inside Legitimate Software
One of the key techniques in this campaign is DLL side-loading.
DLL side-loading happens when attackers place a malicious DLL next to a legitimate executable. Because the Windows loader searches the application's own directory before the system directories for many DLL names, the legitimate program loads the attacker's DLL instead of the expected clean library, allowing malware to execute under the cover of trusted software.
This technique is popular because it blends malicious activity with normal-looking application behavior. For defenders, that means detection should not only focus on whether an executable is trusted. It should also consider what libraries the executable loads, where those libraries came from, and whether the file combination makes sense for that application.
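The three questions above (what was loaded, from where, and whether the pairing makes sense) can be applied directly to load telemetry. The Python below is added here as an illustration and is not WatchGuard's or this article's code. It scores records that use the Sysmon Event ID 7 field names (Image, ImageLoaded, Signed, Signature, SignatureStatus); the extra ImageSigner field is an assumed enrichment joined from the process-creation event for the same process, and every record value is constructed.

```python
"""Image-load triage for DLL side-loading: what did the executable load, from
where, and does the DLL's provenance match the executable's.

Added example, not code from the article or from WatchGuard. Records use the
field names of Sysmon Event ID 7; ImageSigner is an assumed enrichment (the
signer of the process image, taken from its process-creation event). All
values below are constructed for illustration.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# DLLs loaded from the Windows directories are the expected case and are skipped.
WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Path fragments a standard user can write to; an EXE/DLL pair living here is
# the layout a phishing download produces after extraction.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def classify_load(rec: dict) -> dict | None:
    """Return an alert for a side-loading candidate, or None for a normal load."""
    dll_dir = _parent(rec["ImageLoaded"])
    if dll_dir.startswith(WINDOWS_DIRS):
        return None
    reasons = []
    if dll_dir == _parent(rec["Image"]):
        reasons.append("dll_beside_exe")
    if any(marker in dll_dir for marker in USER_WRITABLE):
        reasons.append("user_writable_dir")
    validly_signed = (rec.get("Signed", "false").lower() == "true"
                      and rec.get("SignatureStatus") == "Valid")
    if not validly_signed:
        reasons.append("unsigned_dll")
    elif rec.get("Signature") != rec.get("ImageSigner"):
        reasons.append("signer_mismatch")
    # A DLL beside the EXE is only interesting when its provenance does not
    # match the EXE's: an unsigned or foreign-signed library is the side-load case.
    if "dll_beside_exe" not in reasons or not ({"unsigned_dll", "signer_mismatch"} & set(reasons)):
        return None
    return {
        "image": rec["Image"],
        "dll": rec["ImageLoaded"],
        "reasons": reasons,
        "severity": "high" if "user_writable_dir" in reasons else "medium",
    }


def alerts_for(records: list[dict]) -> list[dict]:
    return [a for a in (classify_load(r) for r in records) if a]


# Constructed Sysmon-style records (not real telemetry, not report indicators).
SAMPLE_LOADS = [
    {   # Normal: a vendor application loading a Windows DLL from System32.
        "Image": r"C:\Program Files\Vendor\app.exe", "ImageSigner": "Vendor Ltd",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # Normal: the same application loading its own plugin, signed by the same vendor.
        "Image": r"C:\Program Files\Vendor\app.exe", "ImageSigner": "Vendor Ltd",
        "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
        "Signed": "true", "Signature": "Vendor Ltd", "SignatureStatus": "Valid",
    },
    {   # Side-load layout: an extracted download whose signed EXE picks up an
        # unsigned version.dll from its own folder instead of System32.
        "Image": r"C:\Users\ana\Downloads\Reader\reader.exe", "ImageSigner": "Vendor Ltd",
        "ImageLoaded": r"C:\Users\ana\Downloads\Reader\version.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOADS):
        print(alert)
```

Medium findings (an unsigned DLL beside a signed EXE under Program Files) are common with legitimate vendors and need baselining per application; the high-severity combination, an unsigned or foreign-signed DLL loaded by an EXE from a user-writable folder, is the one worth alerting on directly.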
Why WebRTC, STUN, ICE, and Cloud References Matter
A notable part of this campaign is the use of components associated with real-time communications and cloud services. WatchGuard observed references to WebRTC-related technologies such as STUN and ICE, as well as integrations or references tied to cloud and messaging services.
This matters because traffic linked to conferencing, peer-to-peer communication, cloud messaging, or IoT-style protocols can be noisy in real environments. Attackers benefit from that noise. When malicious traffic resembles common business traffic, defenders have a harder time separating normal activity from suspicious behavior.
The lesson is not that WebRTC or cloud services are dangerous by themselves. The lesson is that attackers increasingly borrow patterns from legitimate software ecosystems to make malware harder to identify.
A Second Delivery Path: Malicious Scripts and Fake Updates
WatchGuard also described another Grandoreiro-related campaign that uses a heavily obfuscated VBS script. In that chain, victims are sent to a fake, geofenced page that ultimately leads to a malicious file. Once executed, the malware displays a fake Adobe Reader update prompt.
Fake update prompts remain effective because they exploit a familiar habit: users are used to software asking for updates. In a business environment, this is why users should be trained to update software only through approved tools, company portals, or built-in update mechanisms, not through prompts that appear unexpectedly in the browser or from downloaded files.
Anti-Analysis Behavior
Grandoreiro also includes checks designed to detect whether it is running in a research environment. These checks may look for virtual machines, debugging tools, analysis utilities, suspicious computer names, installed software, or security products.
This type of behavior helps the malware avoid detection by researchers and automated sandboxes. If the malware believes it is being analyzed, it may change behavior, exit, or delay execution.
For defenders, this is a reminder that relying only on sandbox detonation can miss threats. Endpoint telemetry, network visibility, user behavior analysis, and file execution context all matter; no single detection layer is sufficient.
What Organizations Should Focus On
The most useful defensive takeaway is not memorizing every indicator. It is understanding the pattern.
Organizations should pay attention to phishing emails that lead to compressed downloads, especially when the downloaded archive contains a legitimate application paired with unusual DLL files. Security teams should also monitor for unexpected script execution, fake update behavior, suspicious child processes, and unusual network connections from desktop applications that normally should not communicate externally in that way.
Good controls include email filtering, endpoint detection, application control, script execution restrictions, least privilege, user awareness training, and monitoring for abnormal DLL loading behavior.
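To make the monitoring points above concrete, the Python below (an added example, not WatchGuard's or this article's code) runs three of them over a stream of endpoint events: script hosts launched against files in user-writable paths, unexpected child processes, and outbound connections from desktop applications that have no business reaching the internet. The events use the Sysmon Event ID 1 (process create) and Event ID 3 (network connect) field names, but every record, the NET_EXPECTED allowlist, and the launcher list are constructed assumptions for this environment.

```python
"""Telemetry checks for script execution, suspicious child processes, and
unexpected external connections from desktop applications.

Added example, not code from the article or from WatchGuard. Events follow the
field names of Sysmon Event ID 1 and Event ID 3; every record and the
allowlists are constructed assumptions, not indicators from the report.
"""
from __future__ import annotations

import ipaddress
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Parents that legitimately start shells and script hosts all day; anything
# else spawning one (a PDF reader, an office app, a downloaded EXE) is unusual.
EXPECTED_LAUNCHERS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe", "svchost.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")
# Assumption: desktop applications expected to reach the internet in this environment.
NET_EXPECTED = {"chrome.exe", "msedge.exe", "outlook.exe", "teams.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_process(ev: dict) -> list[str]:
    """Rules for an Event ID 1 (process create) record."""
    image, parent = _name(ev["Image"]), _name(ev["ParentImage"])
    cmd = ev.get("CommandLine", "").lower()
    hits = []
    if image in SCRIPT_HOSTS and any(m in cmd for m in USER_WRITABLE):
        hits.append("script_from_user_path")   # e.g. wscript.exe ...\Downloads\x.vbs
    if parent in SCRIPT_HOSTS:
        hits.append("script_host_child")       # a script that went on to run something
    if image in (SCRIPT_HOSTS | {"cmd.exe"}) and parent not in (EXPECTED_LAUNCHERS | SCRIPT_HOSTS):
        hits.append("unexpected_child")        # e.g. reader.exe -> cmd.exe
    return hits


def check_network(ev: dict) -> list[str]:
    """Rules for an Event ID 3 (network connect) record."""
    dst = ipaddress.ip_address(ev["DestinationIp"])
    external = not any(dst in net for net in INTERNAL_NETS)
    if external and _name(ev["Image"]) not in NET_EXPECTED:
        return ["unexpected_external_connection"]
    return []


def run_detections(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, image name) pairs for every rule hit across a mixed event stream."""
    out = []
    for ev in events:
        rules = check_process(ev) if ev["EventID"] == 1 else check_network(ev)
        out.extend((rule, _name(ev["Image"])) for rule in rules)
    return out


# Constructed event stream; 203.0.113.10 is a documentation (TEST-NET-3)
# address standing in for an external host.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\Factura.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "Start-Sleep 60"'},
    {"EventID": 1, "Image": r"C:\Users\ana\Downloads\Reader\reader.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\ana\Downloads\Reader\reader.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\ana\Downloads\Reader\reader.exe",
     "CommandLine": 'cmd.exe /c schtasks /query'},
    {"EventID": 3, "Image": r"C:\Users\ana\Downloads\Reader\reader.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\ana\Downloads\Reader\reader.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]

if __name__ == "__main__":
    for rule, image in run_detections(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Each rule is deliberately narrow so it can be tuned independently: the external-connection rule needs a per-environment allowlist, the child-process rule needs the launcher set extended for your own deployment tooling, and the script-path rule is the one that fires earliest in the VBS chain described above.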
Why This Campaign Matters
Grandoreiro shows how modern financial malware continues to evolve. It does not rely on one trick. It combines phishing, legitimate software abuse, DLL side-loading, obfuscated scripts, fake update prompts, cloud-like traffic patterns, and anti-analysis checks.
That combination makes the campaign harder to detect with simple blocklists alone. Defenders should treat this as a behavior-driven threat: look for the infection chain, the execution patterns, and the abuse of trusted software rather than only looking for known malicious file hashes.
A malware family that has survived multiple law-enforcement actions and kept adapting since 2016 deserves to be taken seriously. The technical sophistication may not be cutting-edge, but the operational persistence is.
Sources:
- WatchGuard, "Grandoreiro Malware Campaign Targets Europe and Latin America"
