Grandoreiro Banking Trojan with New TTPs Targeting Various Industry Verticals

ThreatLabz observed a Grandoreiro banking Trojan campaign targeting Mexico and Spain across multiple industry verticals. The campaign uses spear-phishing emails that impersonate government officials to lure victims into downloading and executing the Grandoreiro Loader. The loader employs anti-analysis tricks, binary padding, a Captcha for sandbox evasion, and LatentBot-like C2 patterns before delivering the final payload.

Keypoints

  • Campaign targets Spanish-speaking countries (Mexico and Spain) across various industries, including Automotive, Chemicals Manufacturing, and more.
  • Threat actors impersonate government officials (Attorney General’s Office of Mexico City and Public Ministry) in spear-phishing emails to push Grandoreiro.
  • The infection chain begins with a spear-phishing email in Spanish that redirects to a malicious domain to download a ZIP containing the Grandoreiro Loader.
  • Grandoreiro Loader employs anti-analysis techniques (including Captcha for sandbox evasion and binary padding) and checks for analysis tools before execution.
  • The C2 pattern in the 2022 variant is identical to LatentBot, using an ACTION=HELLO beacon and ID-based communication.
  • Persistence and data collection steps include Run Registry startup and gathering system/user information (username, computer name, OS/version) before contacting C2.
  • Final payload is a large, signed, obfuscated DLL/EXE delivered via a 9–400 MB binary padding approach, with Domain Generation Algorithm-based C2 and multiple check-in URLs.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The infection chain begins with spear-phishing emails in Spanish that lure victims to download the loader. “The infection chain employed by the threat actors in this campaign is quite similar to previous Grandoreiro campaigns. It begins with a spear-phishing email written in Spanish, targeting victims in Mexico and Spain.”
  • [T1204] User Execution – Users click embedded links that download and execute the Grandoreiro Loader and final payload. “The infection chain employed by the threat actors in this campaign is quite similar to previous Grandoreiro campaigns. It begins with a spear-phishing email … which would download the Grandoreiro Loader.”
  • [T1140] Deobfuscate/Decode Files or Information – The loader performs XOR-based string decryption to reveal URLs and parameters. “This string decryption routine has been used previously in the older variants of Grandoreiro for decrypting strings and API calls…”
  • [T1082] System Information Discovery – The loader collects system and user information (username, computer name, OS/version) prior to C2 communication. “The following System and User information … retrieves Username, ComputerName, Operating System and Version.”
  • [T1057] Process Discovery – Anti-analysis checks include enumerating running processes to detect analysis tools (e.g., Regmon.exe, Procmon.exe). “The malware detects the below mentioned analysis tools by decrypting the tool names using an XOR-based Decryption routine. It then takes a snapshot of currently executing processes…”
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 traffic and beacon pattern (ACTION=HELLO) resemble LatentBot with ID-based communication. “The Grandoreiro Loader then sends across a GET/POST to the decrypted URL … and uses the ‘ACTION=HELLO’ beacon and ID-based communication.”
  • [T1547.001] Boot or Logon Autostart Execution – The final payload persists via Run Registry startup entries. “The final payload maintains persistence on the Machine by leveraging the Run Registry key…”
  • [T1116] Signed Binary Proxy Execution – The final payload is signed with a digital ASUSTek certificate to appear legitimate. “the final payload is signed with an ‘ASUSTek DRIVER ASSISTANTE’ digital certificate to appear legitimate…”
  • [T1497] Virtualization/Sandbox Evasion – VM detection techniques (Vmware I/O port checks) are used to evade analysis. “Vmware I/O Port Anti-VM Technique: the malware checks whether execution occurs in a virtual environment by reading data from the I/O Port ‘0x5658h’ (VX)…”

Indicators of Compromise

  • [Domain] Embedded domains used for check-in/downloads – barusgorlerat.me, damacenapirescontab.com
  • [IP Address] Loader/file download hosts – 35[.]181[.]59[.]254, 35[.]180[.]117[.]32, 52[.]67[.]27[.]173, 54[.]232[.]38[.]61
  • [URL] Loader ZIP download links – 35[.]181[.]59[.]254/info99908hhzzb.zip, 35[.]180[.]117[.]32/$FISCALIGENERAL3489213839012
  • [URL] Final payload/check-in URLs – http[:]//15[.]188[.]63[.]127/$TIME, http[:]//167[.]114[.]137[.]244/$TIME
  • [URL] C2 domains and check-in domains – barusgorlerat[.]me, assesorattlas[.]me, perfomacepnneu[.]me
  • [MD5] Grandoreiro Loader hashes – 970f00d7383e44538cac7f6d38c23530, 724f26179624dbb9918609476ec0fce4
  • [MD5] Grandoreiro Final Payload hashes – e02c77ecaf1ec058d23d2a9805931bf8, 6ab9b317178e4b2b20710de96e8b36a0
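A defender-side example, added here and not part of the ThreatLabz post, that scans web proxy log lines for the LatentBot-style ACTION=HELLO check-in described under T1071.001 and for contact with the infrastructure listed above. The log format, source IPs, timestamps and the numeric path standing in for the $TIME placeholder are constructed for the example.

```python
import re

def refang(value: str) -> str:
    """Turn defanged indicators (as written in the report) back into matchable form."""
    return value.replace("[.]", ".").replace("[:]", ":")

# Indicators taken from the page, kept defanged here and refanged at load time.
C2_DOMAINS = {refang(d) for d in (
    "barusgorlerat[.]me", "assesorattlas[.]me", "perfomacepnneu[.]me",
    "damacenapirescontab[.]com",
)}
C2_IPS = {refang(ip) for ip in (
    "15[.]188[.]63[.]127", "167[.]114[.]137[.]244", "35[.]181[.]59[.]254",
    "35[.]180[.]117[.]32", "52[.]67[.]27[.]173", "54[.]232[.]38[.]61",
)}

# Constructed proxy-log format: "<timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3})$")
HOST_RE = re.compile(r"^https?://(?P<host>[^/:?#]+)")
BEACON_RE = re.compile(r"ACTION=HELLO", re.IGNORECASE)  # LatentBot-style beacon

def classify(line: str) -> list[str]:
    """Return the reasons a single log line is suspicious (empty list if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # malformed line: ignore rather than raise inside a log sweep
    url = refang(m["url"])
    host_m = HOST_RE.match(url)
    if not host_m:
        return []
    host = host_m["host"].lower()
    reasons = []
    if host in C2_DOMAINS or host in C2_IPS:
        reasons.append(f"known Grandoreiro infrastructure: {host}")
    if BEACON_RE.search(url):
        reasons.append("LatentBot-style ACTION=HELLO beacon in request")
    return reasons

def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, reasons) for every line that triggers a rule."""
    return [(i, r) for i, line in enumerate(lines, 1) if (r := classify(line))]

if __name__ == "__main__":
    for n, why in scan(open("proxy.log").read().splitlines()):
        print(n, "; ".join(why))
```

The beacon rule fires on the query string alone, so it still catches a check-in to a host not yet on the indicator list.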

Read more: https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals