Grandoreiro Banking Trojan with New TTPs Targeting Various Industry Verticals

Key Features of this Attack:

Grandoreiro targets organizations in the Spanish-speaking nations of Mexico and Spain across various industry verticals
The threat actors in this campaign impersonate Mexican Government Officials
The Grandoreiro Loader uses multiple anti-analysis techniques and a CAPTCHA to evade sandboxes
The Grandoreiro Loader sends a check-in request carrying the required user, system and campaign information
Grandoreiro uses binary padding to evade sandboxes, adding multiple BMP images to the resource section of the binary and inflating its size to 400+ MB
The CnC communication pattern of the 2022 Grandoreiro is now identical to LatentBot's, with an "ACTION=HELLO" beacon and ID-based communication
An in-depth analysis of the Grandoreiro campaign and the corresponding infection chain is given below.

Campaign Details:

ThreatLabz has analyzed multiple infection chains for this Grandoreiro campaign, which began in June 2022 and is still ongoing. Based on this analysis, analysts can infer that the threat actors are targeting organizations in the Spanish-speaking countries of Mexico and Spain. Industries targeted in this campaign include:

Chemicals Manufacturing
Automotive
Civil and Industrial Construction
Machinery
Logistics – Fleet management services

Infection Chain:

The infection chain employed by the threat actors in this campaign is quite similar to previous Grandoreiro campaigns.
It begins with a spear-phishing email written in Spanish, targeting victims in Mexico and Spain.
The email contains an embedded link which, when clicked, redirects the victim to a website that downloads a malicious ZIP archive onto the victim's machine.
The ZIP archive bundles the Grandoreiro Loader module, which carries a PDF icon to lure the victim into executing it. The loader downloads, extracts and executes the final ~400 MB "Grandoreiro" payload from a remote HFS server; the payload then communicates with the CnC server using traffic identical to LatentBot's.

Impersonating Government Officials – Provisional Archiving Resolution:
The first set of phishing emails observed during the campaign were those in which the threat actors impersonated Government officials, instructing the victims to download and share the Provisional Archiving Resolution.

Cancellation of Mortgage Loan and Deposit Voucher Slip
In this set, there are two types of phishing email lures. The first concerns the cancellation of a mortgage loan: the threat actors ask the victim to download a mortgage cancellation form by opening the embedded link.

Once the victim clicks the embedded link in the spear-phishing email, a ZIP file named "informacion16280LIFSD.zip" is downloaded from the remote server 35[.]180[.]117[.]32/$FISCALIGENERAL3489213839012.

The ZIP archive bundles two files:

A31136.xml
infonpeuz52271VVCYX.exe

The second file bundled inside the ZIP archive, "infonpeuz52271VVCYX.exe", is the Grandoreiro Loader module, written in Delphi, compiled on 14 June 2022 and masquerading with a PDF icon in order to lure victims into executing it.
Detect Analysis Tools: The malware detects analysis tools by decrypting the tool names with a XOR-based decryption routine.
It then takes a snapshot of the currently running processes using CreateToolhelp32Snapshot() and walks the process list with Process32First() and Process32Next(). If any of the analysis tools is running, the malware terminates.
Detect Execution Directory: In this case, the malware checks the directory from which it is being executed.
If the execution path matches one of the directory names below (both are paths used by analysis sandboxes), the comparison logic terminates the malware.

C:\insidetm
C:\analysis

Anti-Debug Technique: In this case, the loader calls IsDebuggerPresent() to determine whether the current process is running under a debugger. If the result is non-zero, the malware terminates itself.

VMware I/O Port Anti-VM Technique: In this case, the malware checks whether it is running in a VMware virtual machine by reading from I/O port 0x5658 ("VX"), the VMware backdoor port. This is the well-known VMware backdoor probe: the magic value 0x564D5868 ("VMXh") is loaded into EAX and an IN instruction is issued on port 0x5658. Inside VMware the hypervisor services the request; on bare metal a user-mode IN raises a privileged-instruction fault instead, which is what distinguishes the two environments.
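The analysis-tool check above depends on a XOR-decrypted string table. Recovering that table from the loader is routine when the key is unknown, and the following Python block shows how: brute-force every single-byte key against a carved blob and keep only outputs that contain a known crib such as ".exe". This is an added example, not ThreatLabz's or the loader's code; the page does not give the key, the table layout or the tool names, so the 0x5A key, the NUL-separated layout and the three names are assumptions used only to build a constructed test blob.

```python
"""Recover XOR-obfuscated analysis-tool names from a loader's string table.

Added example, not ThreatLabz code. The key (0x5A), the NUL-separated
layout and the tool names below are assumptions used to build a
constructed blob; none of them is taken from the Grandoreiro sample.
"""

# Bytes a decrypted ASCII string table may legitimately contain.
ALLOWED = set(range(0x20, 0x7F)) | {0x00, 0x09, 0x0A, 0x0D}

KEY = 0x5A                                                       # assumed key
TOOL_NAMES = [b"procmon.exe", b"x64dbg.exe", b"wireshark.exe"]   # assumed list


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; with a one-byte key this is the loader's routine."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_blob() -> bytes:
    """Constructed stand-in for the encrypted table carved out of the loader."""
    return xor_bytes(b"\0".join(TOOL_NAMES) + b"\0", bytes([KEY]))


def score_plaintext(data: bytes) -> float:
    """Fraction of bytes that look like text; the correct key scores ~1.0."""
    if not data:
        return 0.0
    return sum(b in ALLOWED for b in data) / len(data)


def brute_force_single_byte(blob: bytes, crib: bytes = b".exe", min_score: float = 0.9):
    """Try all 256 keys; keep those whose output contains the crib and looks
    like text. The crib matters: XOR with 0x20 only flips letter case, so a
    wrong key can still produce mostly printable output."""
    hits = []
    for k in range(256):
        pt = xor_bytes(blob, bytes([k]))
        if crib in pt:
            s = score_plaintext(pt)
            if s >= min_score:
                hits.append((s, k, pt))
    hits.sort(key=lambda h: h[0], reverse=True)
    return [(k, pt) for _, k, pt in hits]


def extract_strings(pt: bytes, min_len: int = 4):
    """Split a NUL-separated table into process names of at least min_len bytes."""
    return [s.decode("ascii", "replace") for s in pt.split(b"\0") if len(s) >= min_len]


def recover_tool_names(blob: bytes, crib: bytes = b".exe"):
    """Return (key, names) for the best candidate, or (None, []) if nothing fits."""
    candidates = brute_force_single_byte(blob, crib)
    if not candidates:
        return None, []
    key, pt = candidates[0]
    return key, extract_strings(pt)


if __name__ == "__main__":
    key, names = recover_tool_names(build_sample_blob())
    print(f"key=0x{key:02x} names={names}")
```

The recovered names are the list to compare against a sandbox's own process names: any of them running in the analysis VM is enough to make this loader exit before it ever reaches the network.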

The Grandoreiro Loader then sends a GET request to the previously decrypted URL "http[:]//15[.]188[.]63[.]127/$TIME", whose response contains the URL from which the next stage is downloaded.

Next, the malware calls the URLDownloadToFile() API with the szURL argument set to the remote HFS server URL "http://15[.]188[.]63[.]127:36992/zxeTYhO.xml" in order to download the final Grandoreiro payload.
The downloaded payload is a 9 MB ZIP archive that is extracted at runtime. The bundled executable (disguised as zxeTYhO.png) is written into a folder under "C:\ProgramData" whose name is generated at runtime. The PE file masquerading as "zxeTYhO.png" is then renamed to ASUSTek[random_string].exe; the random string is produced by a string-generation routine and changes on every execution.

The Grandoreiro final payload, also written in Delphi, is the 9.2 MB ZIP file fetched from the remote HFS server "http://15[.]188[.]63[.]127:36992/zxeTYhO.xml", which the Grandoreiro Loader extracts and executes. The extracted file is a 414 MB Portable Executable disguised with a ".png" extension, which the loader later renames to ".exe". The final payload is signed with an "ASUSTEK DRIVER ASSISTANTE" digital certificate to appear legitimate and evade detection. Note that neither file is what its extension claims: the ".xml" is a ZIP archive and the ".png" is a PE, so content sniffing rather than extension matching is what catches them.

As in older Grandoreiro samples, the same "Binary Padding" technique is used here to inflate the binary to around 400 MB by adding two ~200 MB bitmap images to the resource section. The intent is to exceed the file-size limits of sandboxes and scanning engines, which skip or truncate very large files. The padding is cheap to spot from the outside: a 9.2 MB archive expanding to a 414 MB executable is a compression ratio of roughly 45:1, and in the PE itself the .rsrc section accounts for almost the entire file size.
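The delivery tricks described above (a ZIP served as ".xml", a PE inside it named ".png", and a .rsrc section that makes up nearly the whole executable) can be caught with a small triage script. The Python below is an added example, not ThreatLabz's or Grandoreiro's code: it sniffs content by magic bytes instead of trusting extensions, walks into the archive, parses the PE section table without any third-party library, and flags a binary whose .rsrc dominates the file. The archive and PE it scans are constructed in the block (the synthetic PE is 64 KiB, not 414 MB, so the usage call lowers the size threshold), and the 90 % / 100 MiB padding thresholds are assumptions, not values from the report.

```python
"""Triage a Grandoreiro-style download: extension/magic mismatch and padding.

Added example, not ThreatLabz code. The sample archive and PE are
constructed below; the 90 % / 100 MiB padding thresholds are assumptions.
"""
import io
import struct
import zipfile

MAGICS = [(b"PK\x03\x04", "zip"), (b"MZ", "pe"), (b"%PDF", "pdf"), (b"\x89PNG", "png")]
EXECUTABLE_EXTS = {"zip", "exe", "dll"}


def sniff(data: bytes) -> str:
    """Identify content by magic bytes, ignoring the file name entirely."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(name: str, data: bytes):
    """Return (claimed_ext, actual_kind) when a ZIP or PE hides behind a benign
    extension such as .xml or .png; otherwise None."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = sniff(data)
    if actual in ("zip", "pe") and claimed not in EXECUTABLE_EXTS:
        return claimed, actual
    return None


def pe_sections(data: bytes):
    """Parse the PE section table: name, SizeOfRawData and PointerToRawData."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections


def padding_report(pe: bytes, ratio: float = 0.9, min_bytes: int = 100 * 1024 * 1024):
    """Flag binaries whose .rsrc is both huge and nearly the whole file.
    Section sizes are enough; listing the individual BMPs would need the
    resource directory, which is left out here."""
    rsrc = sum(s["raw_size"] for s in pe_sections(pe) if s["name"] == ".rsrc")
    share = rsrc / len(pe) if pe else 0.0
    return {"file_size": len(pe), "rsrc_size": rsrc, "rsrc_ratio": share,
            "padded": rsrc >= min_bytes and share >= ratio}


def triage_download(name: str, data: bytes, **pad_kw):
    """Walk the chain: outer file -> ZIP members -> PE padding check."""
    findings = []
    outer = extension_mismatch(name, data)
    if outer:
        findings.append(f"{name}: claims .{outer[0]} but is {outer[1]}")
    if sniff(data) == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                blob = zf.read(member)
                inner = extension_mismatch(member, blob)
                if inner:
                    findings.append(f"{member}: claims .{inner[0]} but is {inner[1]}")
                if sniff(blob) == "pe":
                    rep = padding_report(blob, **pad_kw)
                    if rep["padded"]:
                        findings.append(f"{member}: .rsrc is {rep['rsrc_ratio']:.0%} "
                                        f"of {rep['file_size']} bytes (binary padding)")
    return findings


def build_synthetic_pe(rsrc_bytes: int) -> bytes:
    """Constructed minimal PE32: DOS header, PE header, .text and an inflated .rsrc."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                     # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    coff = 0x84                                                 # COFF file header
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", hdr, coff + 20, 0x10B)               # PE32 optional header magic
    table = coff + 20 + 0xE0
    for i, (name, size, ptr) in enumerate([(b".text", 0x200, 0x200), (b".rsrc", rsrc_bytes, 0x400)]):
        off = table + 40 * i
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8, size, 0x1000 * (i + 1), size, ptr)
    return bytes(hdr) + b"\xC3" * 0x200 + b"\0" * rsrc_bytes


def build_sample_archive() -> bytes:
    """Constructed stand-in for zxeTYhO.xml: a ZIP whose member is a PE named .png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zxeTYhO.png", build_synthetic_pe(0x10000))
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_download("zxeTYhO.xml", build_sample_archive(), min_bytes=0x10000):
        print(line)
```

Run against a real download, leave min_bytes at its default: a 64 KiB resource section is normal, a 400 MB one that is 98 % of the file is not. The extension check fires twice on this sample (outer ".xml" is a ZIP, inner ".png" is a PE), which matches the loader's behaviour described above.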
