Key Features of this Attack:
Grandoreiro targets organizations in the Spanish-speaking nations of Mexico and Spain across various industry verticals
The threat actors in this campaign impersonate Mexican Government Officials
Multiple anti-analysis techniques are used by Grandoreiro Loader along with implementation of Captcha for evading Sandboxes
The Grandoreiro Loader sends across a Check-In Request with all the required User, System and Campaign information
The Grandoreiro uses a binary padding technique to evade sandboxes, adding multiple BMP images to the resource section of the binary and inflating the size to 400+ MB
The CnC Communication pattern of 2022 Grandoreiro is now completely identical to the LatentBot with “ACTION=HELLO” beacon and ID based communication
In-depth analysis of the Grandoreiro campaign and corresponding Infection chain has been explained below.
Campaign Details:
ThreatLabz has analyzed multiple infection chains for this Grandoreiro campaign, which began in June 2022 and is still ongoing. Based on analicits, Analysts can infer that the threat actors in this case are attempting to target organizations in the Spanish-speaking countries of Mexico and Spain. Industries targeted in this campaign include:
Chemicals Manufacturing
Automotive
Civil and Industrial Construction
Machinery
Logistics – Fleet management services
Infection Chain:
The infection chain employed by the threat actors in this campaign is quite similar to previous Grandoreiro campaigns.
It begins with a spear-phishing email written in Spanish, targeting victims in Mexico and Spain.
The email consists of an embedded link which when clicked redirects the victim to a website that further downloads a malicious ZIP archive on the victim’s machine.
The ZIP archive is bundled with the Grandoreiro Loader module with a PDF Icon in order to lure the victim into execution; this is responsible for downloading, extracting and executing the final 400MB “Grandoreiro” payload from a Remote HFS server which further communicates with the CnC Server using traffic identical to LatentBot.
Impersonating Government Officials – Provisional Archiving Resolution:
The first set of phishing emails observed during the campaign were those in which the threat actors impersonated Government officials, instructing the victims to download and share the Provisional Archiving Resolution.
Cancellation of Mortgage Loan and Deposit Voucher Slip
In this set, there are two types of phishing email lures. The first is regarding the cancellation of a mortgage loan, in which the threat actors ask the victim to download a mortgage cancellation form by opening the embedded link.
Next, the ZIP File named “informacion16280LIFSD.zip” which is downloaded from the following remote server 35[.]180[.]117[.]32/$FISCALIGENERAL3489213839012 once the victim clicks on the embedded link in the Spear phishing email.
The ZIP archive bundles two files:
A31136.xml
infonpeuz52271VVCYX.exe
The second file bundled inside the ZIP archive “infonpeuz52271VVCYX.exe” is the Grandoreiro Loader module written in Delphi and masking itself with a PDF Icon compiled on 14th June 2022 in order to lure the victims into execution.
The malware detects the analysis tools by decrypting the tool names using a XOR-based Decryption routine.
It then takes a snapshot of currently executing processes in the system using CreateToolhelp32Snapshot() and walks through the process list using Process32First() and Process32Next(). If any of the analysis tools exist, the malware execution is terminated.
Detect Execution Directory: In this case, the malware checks the directory in which it is being executed.
If the below mentioned directory names are used, it terminates itself with a comparison logic in place.
C:insidetm
C:analysis
Anti-Debug Technique: In this case, the Grandoreiro executes the IsDebuggerPresent() to determine whether the current process is being executed in the context of a debugger. If the result is non-zero, the malware terminates itself.
Vmware I/O Port Anti-VM Technique: In this case, the malware checks whether the execution is occurring in a virtual environment (Vmware) by reading data from the I/O Port “0x5658h” (VX) used by Vmware.
The Grandoreiro Loader then sends across a GET Request to the previously decrypted URL: “http[:]//15[.]188[.]63[.]127/$TIME” which provides in response the URL to download the next stage
Next, the malware executes the URLDownloadToFile() API function with the szURL argument as the remote HFS server URL “http://15[.]188[.]63[.]127:36992/zxeTYhO.xml” in order to download the Final Payload of the Grandoreiro.
The downloaded Grandoreiro Final Payload is a 9MB ZIP archive that is extracted dynamically, and the bundled executable (disguised as zxeTYhO.png) inside the archive is written in a folder whose name is generated at runtime in the “C:ProgramData” directory. Also the PE file masquerading as “zxeTYhO.png” is renamed to ASUSTek[random_string].exe, generated with a random string generation logic, and changes every time it is executed.
The Grandoreiro Final Payload written in Delphi was downloaded previously from the remote HFS server “http://15[.]188[.]63[.]127:36992/zxeTYhO.xml” as a 9.2 MB ZIP file which is then extracted and executed by the Grandoreiro Loader. The extracted file is a 414MB Portable Executable file disguised with a “.png” extension which is later renamed to “.exe” dynamically by the loader and also the final payload is signed with an “ASUSTEK DRIVER ASSISTANTE” digital certificate to appear legitimate and evade detection.
As seen in the older Grandoreiro samples, a similar “Binary Padding” technique is used here in order to inflate the file size of the binary to around 400MB by adding two ~200MB Bitmap images in the resource section.