Grandoreiro Banking Trojan with New TTPs Targeting Various Industry Verticals

September 5, 2022

Key Features of the Grandoreiro Attack

  • Targeted Regions and Industries: Grandoreiro primarily targets organizations in Mexico and Spain across various industry verticals.
  • Impersonation of Government Officials: The threat actors in this campaign disguise themselves as Mexican government officials.
  • Advanced Evasion Techniques: The Grandoreiro Loader employs multiple anti-analysis techniques, including Captcha implementation, to evade sandbox detection.
  • Check-In Request for Data Collection: The loader sends a check-in request with all necessary user, system, and campaign information.
  • Binary Padding Technique: To evade sandboxes, the Grandoreiro binary uses padding by embedding multiple BMP images, inflating the file size to over 400 MB.
  • Communication Pattern Similar to LatentBot: The 2022 Grandoreiro CnC communication pattern mirrors that of LatentBot, using an "ACTION=HELLO" beacon and ID-based communication.
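The BMP padding described above is cheap to triage statically: a file that is mostly bitmap filler looks very different from a file that is mostly code. The following Python is an added example written for this page, not code from ThreatLabz or from the malware; it constructs a small padded sample inline (a stub "program" followed by three filler bitmaps, built by a hypothetical make_bmp helper) and then walks the buffer for embedded BMP headers to compute what fraction of the file they occupy.

```python
import struct

def make_bmp(pixel_bytes):
    """Build a minimal valid BMP (14-byte file header + 40-byte BITMAPINFOHEADER + pixels).
    Used only to construct the sample below; the images are filler, as in the padding trick."""
    header_size = 14 + 40
    total = header_size + pixel_bytes
    file_header = b"BM" + struct.pack("<IHHI", total, 0, 0, header_size)
    info_header = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, pixel_bytes, 0, 0, 0, 0)
    return file_header + info_header + b"\x00" * pixel_bytes

def find_bmp_blobs(data):
    """Return (offset, declared_size) for each plausible embedded BMP.
    A hit needs the 'BM' magic, a 40-byte DIB header right after the file header,
    and a declared size that fits inside the remaining buffer."""
    hits = []
    pos = data.find(b"BM")
    while pos != -1:
        if pos + 18 <= len(data):
            size = struct.unpack_from("<I", data, pos + 2)[0]
            dib_size = struct.unpack_from("<I", data, pos + 14)[0]
            if dib_size == 40 and 54 <= size <= len(data) - pos:
                hits.append((pos, size))
                pos = data.find(b"BM", pos + size)   # skip over the image body
                continue
        pos = data.find(b"BM", pos + 1)
    return hits

def padding_ratio(data):
    """Fraction of the file occupied by embedded BMP images."""
    if not data:
        return 0.0
    return sum(size for _, size in find_bmp_blobs(data)) / len(data)

def looks_padded(data, threshold=0.5):
    """Triage flag: most of the file is image filler rather than code or data."""
    return padding_ratio(data) >= threshold

# Constructed sample (not a real Grandoreiro binary): a stub "program" plus three filler bitmaps.
STUB_CODE = b"MZ" + b"\x90" * 200
PADDED_SAMPLE = STUB_CODE + make_bmp(1000) + make_bmp(2000) + make_bmp(3000)

if __name__ == "__main__":
    print("BMP blobs:", find_bmp_blobs(PADDED_SAMPLE))
    print("padding ratio: %.3f" % padding_ratio(PADDED_SAMPLE))
    print("looks padded:", looks_padded(PADDED_SAMPLE))
```

On a real 400 MB sample the same scan runs over the file bytes read from disk; the threshold is a triage heuristic, so a hit should be confirmed by checking where the images live (resource section versus overlay) rather than treated as a verdict on its own.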

Campaign Details

ThreatLabz analyzed multiple infection chains for this Grandoreiro campaign, which started in June 2022 and remains active. Based on their findings, analysts infer that the campaign is specifically targeting organizations in Spanish-speaking countries, particularly Mexico and Spain. The affected industries include:

  • Chemicals Manufacturing
  • Automotive
  • Civil and Industrial Construction
  • Machinery
  • Logistics (Fleet Management Services)

Infection Chain Analysis

The infection chain used in this campaign follows a similar pattern to previous Grandoreiro attacks:

  1. Spear-Phishing Email: A targeted spear-phishing email written in Spanish, aimed at victims in Mexico and Spain.
  2. Malicious Embedded Link: Clicking the link redirects the victim to a website that downloads a malicious ZIP archive.
  3. ZIP Archive: Contains the Grandoreiro Loader module disguised with a PDF icon to lure victims into execution.
  4. Execution of Payload: The loader downloads, extracts, and executes the final 400MB Grandoreiro payload from a remote HFS server.
  5. C2 Communication: The malware communicates with the command-and-control (C2) server using a pattern identical to LatentBot.

Phishing Techniques Used

Impersonating Government Officials – Provisional Archiving Resolution

The initial phishing emails observed in this campaign impersonated government officials, instructing victims to download and share the Provisional Archiving Resolution.

Cancellation of Mortgage Loan and Deposit Voucher Slip

Two types of phishing email lures were identified:

  1. Mortgage Loan Cancellation Scam: Victims were asked to download a cancellation form via an embedded link.
  2. Deposit Voucher Scam: Clicking the link downloads a ZIP file named "informacion16280LIFSD.zip" from a remote server.

ZIP Archive Contents:

  • A31136.xml
  • infonpeuz52271VVCYX.exe (Grandoreiro Loader module written in Delphi, disguised with a PDF icon)

Grandoreiro's Anti-Analysis and Evasion Techniques

The malware employs several anti-analysis and anti-debugging methods to evade detection:

Analysis Tool Detection

  • XOR-Based Decryption Routine: Used to decrypt tool names.
  • Process List Examination: Uses CreateToolhelp32Snapshot() to detect analysis tools and terminates execution if found.

Execution Directory Check

  • Terminates if executed from directories like:
    • C:\insidetm
    • C:\analysis

Anti-Debugging Mechanisms

  • Executes IsDebuggerPresent() to check if it's running inside a debugger. If true, execution is terminated.

VMware Detection

  • Reads from the I/O port 0x5658 (ASCII "VX", the VMware backdoor port) to determine whether it is running inside a VMware virtual machine.

Grandoreiro Loader's Communication and Payload Execution

  1. Initial GET Request: Sent to a previously decrypted URL (http[:]//15[.]188[.]63[.]127/$TIME).
  2. Payload Download: Uses URLDownloadToFile() to retrieve the final payload from http://15[.]188[.]63[.]127:36992/zxeTYhO.xml.
  3. Extraction and Execution: The downloaded 9MB ZIP archive is extracted. The bundled executable, disguised as zxeTYhO.png, is dropped into the C:\ProgramData directory and renamed at runtime to ASUSTek[random_string].exe to evade detection.
  4. Final Payload Characteristics: A 414MB Portable Executable written in Delphi. It masquerades as a .png file before being renamed to .exe, and is digitally signed with an "ASUSTEK DRIVER ASSISTANTE" certificate to appear legitimate.
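The loader chain above leaves a recognisable trail on both the network and the host: a GET to the loader host, a download from the HFS port, a renamed PE in C:\ProgramData and, later, the LatentBot-style beacon. The following Python is an added example written for this page, not ThreatLabz tooling; it applies those indicators (the IP, port, path and beacon marker are the ones quoted in this report) to constructed proxy and file-event log lines. The numeric check-in path is an assumption about the $TIME placeholder, and the 203.0.113.5 C2 address is a documentation IP used only to stage the beacon line.

```python
import re

# Indicators quoted in the report; the log lines below are constructed for this example.
LOADER_HOST = "15.188.63.127"
PAYLOAD_PORT = "36992"
PAYLOAD_PATH = "/zxeTYhO.xml"
BEACON_MARKER = "ACTION=HELLO"
DROPPED_PAYLOAD = "c:\\programdata\\zxetyho.png"                      # compared lower-cased
RENAMED_PAYLOAD = re.compile(r"^c:\\programdata\\asustek[^\\]*\.exe$")  # ASUSTek<random>.exe

# Constructed proxy log (key=value format). 203.0.113.5 is a documentation address, not an IoC.
PROXY_LOG = """\
2022-06-14T10:02:11Z src=10.0.0.23 method=GET host=15.188.63.127 port=80 uri=/1655200931 status=200
2022-06-14T10:02:13Z src=10.0.0.23 method=GET host=15.188.63.127 port=36992 uri=/zxeTYhO.xml status=200 bytes=9437184
2022-06-14T10:03:40Z src=10.0.0.23 method=POST host=203.0.113.5 port=80 uri=/ body=ACTION=HELLO&ID=7741 status=200
2022-06-14T10:04:01Z src=10.0.0.44 method=GET host=www.example.com port=443 uri=/index.html status=200
"""

# Constructed file events (Sysmon-like, key=value format).
FILE_EVENTS = """\
2022-06-14T10:02:15Z event=FileCreate image=C:\\Users\\ana\\AppData\\Local\\Temp\\infonpeuz52271VVCYX.exe target=C:\\ProgramData\\zxeTYhO.png
2022-06-14T10:02:16Z event=FileRename image=C:\\Users\\ana\\AppData\\Local\\Temp\\infonpeuz52271VVCYX.exe target=C:\\ProgramData\\ASUSTek8f2a1c.exe
2022-06-14T10:05:00Z event=FileCreate image=C:\\Windows\\explorer.exe target=C:\\Users\\ana\\Documents\\report.docx
"""

def parse_kv(line):
    """Split a 'key=value key=value' log line into a dict (values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def check_proxy_line(line):
    """Return the list of reasons a proxy line matches the loader or beacon indicators."""
    f = parse_kv(line)
    reasons = []
    host, port, uri = f.get("host", ""), f.get("port", ""), f.get("uri", "")
    if host == LOADER_HOST:
        if port == PAYLOAD_PORT and uri == PAYLOAD_PATH:
            reasons.append("payload download from Grandoreiro HFS server")
        elif f.get("method") == "GET" and re.fullmatch(r"/\d+", uri):
            # assumption: the $TIME placeholder in the report is a numeric timestamp
            reasons.append("loader check-in (/$TIME) to known Grandoreiro host")
        else:
            reasons.append("other traffic to known Grandoreiro loader host")
    if BEACON_MARKER in f.get("body", "") or BEACON_MARKER in uri:
        reasons.append("LatentBot-style ACTION=HELLO beacon")
    return reasons

def check_file_line(line):
    """Return the list of reasons a file event matches the dropped/renamed payload indicators."""
    f = parse_kv(line)
    target = f.get("target", "").lower()
    reasons = []
    if target == DROPPED_PAYLOAD:
        reasons.append("Grandoreiro payload (.png-disguised PE) written to C:\\ProgramData")
    elif RENAMED_PAYLOAD.match(target):
        reasons.append("PE renamed to ASUSTek<random>.exe in C:\\ProgramData")
    return reasons

def scan(proxy_log, file_events):
    """Return (timestamp, reason) tuples for every log line that matches an indicator."""
    alerts = []
    for line in proxy_log.splitlines():
        alerts += [(line.split()[0], r) for r in check_proxy_line(line)]
    for line in file_events.splitlines():
        alerts += [(line.split()[0], r) for r in check_file_line(line)]
    return alerts

if __name__ == "__main__":
    for ts, reason in scan(PROXY_LOG, FILE_EVENTS):
        print(ts, reason)
```

The host-side checks are the more durable ones: the loader IP and port will rotate between campaigns, whereas an executable appearing under C:\ProgramData with an ASUSTek-style name after a .png drop is tied to the loader's behaviour, so the two rules are worth keeping even when the network indicators are retired.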

Conclusion

Grandoreiro continues to evolve with advanced evasion techniques and targeted spear-phishing campaigns. By impersonating government officials and using sophisticated anti-analysis methods, this banking trojan remains a significant threat to organizations in Mexico and Spain. Security teams must implement robust email security measures, monitor for unusual C2 traffic, and utilize behavioral analysis tools to detect and prevent infection.