Grandoreiro Banking Trojan with New TTPs Targeting Various Industry Verticals

Key Features of this Attack:

Grandoreiro targets organizations in the Spanish-speaking nations of Mexico and Spain across various industry verticals
The threat actors in this campaign impersonate Mexican Government Officials
Multiple anti-analysis techniques are used by Grandoreiro Loader along with implementation of Captcha for evading Sandboxes
The Grandoreiro Loader sends across a Check-In Request with all the required User, System and Campaign information
The Grandoreiro uses a binary padding technique to evade sandboxes, adding multiple BMP images to the resource section of the binary and inflating the size to 400+ MB
The CnC Communication pattern of 2022 Grandoreiro is now completely identical to the LatentBot with “ACTION=HELLO” beacon and ID based communication
In-depth analysis of the Grandoreiro campaign and corresponding Infection chain has been explained below.

Campaign Details:

ThreatLabz has analyzed multiple infection chains for this Grandoreiro campaign, which began in June 2022 and is still ongoing. Based on analicits, Analysts can infer that the threat actors in this case are attempting to target organizations in the Spanish-speaking countries of Mexico and Spain. Industries targeted in this campaign include:

Chemicals Manufacturing
Automotive
Civil and Industrial Construction
Machinery
Logistics – Fleet management services

Infection Chain:

The infection chain employed by the threat actors in this campaign is quite similar to previous Grandoreiro campaigns.
It begins with a spear-phishing email written in Spanish, targeting victims in Mexico and Spain.
The email consists of an embedded link which when clicked redirects the victim to a website that further downloads a malicious ZIP archive on the victim’s machine.
The ZIP archive is bundled with the Grandoreiro Loader module with a PDF Icon in order to lure the victim into execution; this is responsible for downloading, extracting and executing the final 400MB “Grandoreiro” payload from a Remote HFS server which further communicates with the CnC Server using traffic identical to LatentBot.

Impersonating Government Officials – Provisional Archiving Resolution:
The first set of phishing emails observed during the campaign were those in which the threat actors impersonated Government officials, instructing the victims to download and share the Provisional Archiving Resolution.

Cancellation of Mortgage Loan and Deposit Voucher Slip
In this set, there are two types of phishing email lures. The first is regarding the cancellation of a mortgage loan, in which the threat actors ask the victim to download a mortgage cancellation form by opening the embedded link.

Next, the ZIP File named “informacion16280LIFSD.zip” which is downloaded from the following remote server 35[.]180[.]117[.]32/$FISCALIGENERAL3489213839012 once the victim clicks on the embedded link in the Spear phishing email.

The ZIP archive bundles two files:

A31136.xml
infonpeuz52271VVCYX.exe

The second file bundled inside the ZIP archive “infonpeuz52271VVCYX.exe” is the Grandoreiro Loader module written in Delphi and masking itself with a PDF Icon compiled on 14th June 2022 in order to lure the victims into execution.
The malware detects the analysis tools by decrypting the tool names using a XOR-based Decryption routine.
It then takes a snapshot of currently executing processes in the system using CreateToolhelp32Snapshot() and walks through the process list using Process32First() and Process32Next(). If any of the analysis tools exist, the malware execution is terminated.
Detect Execution Directory: In this case, the malware checks the directory in which it is being executed.
If the below mentioned directory names are used, it terminates itself with a comparison logic in place.

C:insidetm
C:analysis

Anti-Debug Technique: In this case, the Grandoreiro executes the IsDebuggerPresent() to determine whether the current process is being executed in the context of a debugger. If the result is non-zero, the malware terminates itself.

Vmware I/O Port Anti-VM Technique: In this case, the malware checks whether the execution is occurring in a virtual environment (Vmware) by reading data from the I/O Port “0x5658h” (VX) used by Vmware.

The Grandoreiro Loader then sends across a GET Request to the previously decrypted URL: “http[:]//15[.]188[.]63[.]127/$TIME” which provides in response the URL to download the next stage

Next, the malware executes the URLDownloadToFile() API function with the szURL argument as the remote HFS server URL “http://15[.]188[.]63[.]127:36992/zxeTYhO.xml” in order to download the Final Payload of the Grandoreiro.
The downloaded Grandoreiro Final Payload is a 9MB ZIP archive that is extracted dynamically, and the bundled executable (disguised as zxeTYhO.png) inside the archive is written in a folder whose name is generated at runtime in the “C:ProgramData” directory. Also the PE file masquerading as “zxeTYhO.png” is renamed to ASUSTek[random_string].exe, generated with a random string generation logic, and changes every time it is executed.

The Grandoreiro Final Payload written in Delphi was downloaded previously from the remote HFS server “http://15[.]188[.]63[.]127:36992/zxeTYhO.xml” as a 9.2 MB ZIP file which is then extracted and executed by the Grandoreiro Loader. The extracted file is a 414MB Portable Executable file disguised with a “.png” extension which is later renamed to “.exe” dynamically by the loader and also the final payload is signed with an “ASUSTEK DRIVER ASSISTANTE” digital certificate to appear legitimate and evade detection.

As seen in the older Grandoreiro samples, a similar “Binary Padding” technique is used here in order to inflate the file size of the binary to around 400MB by adding two ~200MB Bitmap images in the resource section.

Sign Up For Threat Alerts

Loading...
Threats Icon

Feb 06, 2023

Vector Stealer Targets RDP Files For Exfiltration

Vector Stealer is an information stealer sold on underground forums since 2022. The malicious software...

Threats Icon

Feb 05, 2023

Operation Ice Breaker

This is a new threat actor,Analysts are tracking it as Ice Breaker APT. Although research...

Threats Icon

Feb 05, 2023

Operation Ice Breaker

ttt

Threats Icon

Feb 05, 2023

Trigona Ransomware Analysis

Trigona ransomware appeared on the threat landscape in late 2022 and threatens to release stolen...

Threats Icon

Feb 02, 2023

Ukraine CERT-UA: Compromised Email Address Used To...

An adversary was discovered using a compromised e-mail address to send phishing emails with a...

Threats Icon

Feb 01, 2023

Ukraine Government Sector Targeted With The DolphinCape...

The government sector of Ukraine was targeted with spear-phishing emails with a malicious attachment which...

Threats Icon

Feb 01, 2023

Ukraine Government Sector Targeted With The DolphinCape...

The government sector of Ukraine was targeted with spear-phishing emails with a malicious attachment which...

Threats Icon

Jan 31, 2023

Multiple Malware Variants Distributed Through Microsoft OneNote

Spear-phishing emails with malicious Microsoft OneNote attachments were discovered delivering variants from the AsyncRAT, Formbook¸...

Threats Icon

Jan 30, 2023

Playing Whack-a-Mole With New Dharma Ransomware Variants

The Dharma ransomware family was initially identified in 2016 and operates as a Ransomware-as-a-Service (RaaS)...

Threats Icon

Jan 29, 2023

APT15 Targets Multiple Sectors With Turian Backdoor

APT15, also known as Playful Taurus, is an advanced persistent threat (APT) that conducts a...

Threats Icon

Jan 26, 2023

Vice Society Ransomware Group Targets Manufacturing Companies

The Vice Society threat group was discovered targeting multiple sectors including manufacturing companies in Brazil....

Threats Icon

Jan 26, 2023

US Cert Alert – Alert (AA23-025A) Protecting...

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional...

Threats Icon

Jan 25, 2023

Emotet Malware Makes a Comeback with New...

The Emotet malware operation has continued to refine its tactics in an effort to fly...

Threats Icon

Jan 25, 2023

DragonSpark

The DragonSpark attacks represent the first concrete malicious activity where Analysts observe the consistent use...

Threats Icon

Jan 25, 2023

PLAY Ransomware

PLAY is simple but heavily obfuscated with a lot of unique tricks that have not...