Trustwave SpiderLabs observed a Grandoreiro campaign targeting bank users in Brazil, Spain, and Mexico during tax season, delivered via Portuguese-language phishing emails that link to a malicious PDF. The campaign uses a multifaceted payload chain—including an MSI installer, DLL side-loading, a JScript downloader, binary padding, and a DGA-based C2 approach—to evade detection and persist on infected hosts. #Grandoreiro #TrustwaveSpiderLabs #DocuSign #Freedynamicdns #AdvancedInstaller #Bradesco #Santander
Keypoints
- Grandoreiro targets Brazil, Spain, and Mexico with tax-themed phishing emails that lead to a malicious PDF and MSI installer.
- The MSI package carries its download-and-execute logic in the CustomAction table (visible when the MSI is opened in a tool such as Orca MSI Editor); the custom action fetches the final payload only after host and IP location checks pass, and the trojan's DLL is loaded through DLL side-loading under a legitimate signed executable.
- Binary padding and XOR-encrypted strings are used to evade detection and conceal target strings such as bank names and executable names.
- C2 resolution uses a date-based Domain Generation Algorithm (DGA) combined with dynamic DNS: the generated subdomain is prefixed to a free dynamic DNS provider (freedynamicdns.org), and the resolved name points the trojan at an external C2 IP address.
- Persistence is achieved via the registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
- Grandoreiro enumerates host information, security software, and web browsers, and implements keylogging, clipboard capture, and browser cookie theft as part of its backdoor capabilities.
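The report states that the trojan hides bank names and executable names behind XOR-encrypted strings but does not disclose the key scheme, so the following is an added analyst helper (not Trustwave's code and not derived from a real sample): it assumes a single-byte XOR key, tries all 255 non-identity keys against a blob, keeps candidates that decode to mostly printable text, and ranks them by how many expected target strings (the bank names and executable name the page mentions, chosen here as an assumption) appear in the result. The encrypted blob below is constructed inline for the demonstration.

```python
"""Single-byte XOR string recovery, ranked by expected target strings.

Added example for illustration; the real Grandoreiro key scheme is not on the page.
"""
import string

# Assumed target strings an analyst expects to surface after decryption.
KNOWN_TARGETS = (b"bradesco", b"santander", b".exe")

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def recover_xor_strings(blob: bytes, targets=KNOWN_TARGETS, min_ratio=0.95):
    """Try every single-byte key against blob.

    Returns a list of (key, plaintext, matched_targets) tuples for keys whose
    output is at least min_ratio printable and contains at least one target,
    sorted by number of target hits (descending) then by key value.
    """
    candidates = []
    for key in range(1, 256):  # key 0 is the identity transform, skip it
        plain = xor_bytes(blob, key)
        if printable_ratio(plain) < min_ratio:
            continue
        # Case-insensitive match: a key that differs only in bit 0x20 flips
        # letter case, so it may also score hits and must be ranked, not assumed.
        hits = [t for t in targets if t in plain.lower()]
        if hits:
            candidates.append((key, plain, hits))
    candidates.sort(key=lambda c: (-len(c[2]), c[0]))
    return candidates


# Constructed sample: a '|'-separated string table XOR-encrypted with key 0x5A.
# This is test data made up for the example, not a sample from the campaign.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"Bradesco|Santander|kitbootnetsuuui.exe"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    for key, plain, hits in recover_xor_strings(SAMPLE_BLOB):
        print(f"key=0x{key:02x} hits={[h.decode() for h in hits]} -> {plain!r}")
```

On the constructed blob the true key 0x5A ranks first with all three targets; key 0x7A (0x5A ^ 0x20) also survives the printable filter because it only flips letter case, which is why candidates are ranked rather than returning the first match. A real sample may use a multi-byte or rolling key, in which case this brute force will simply return nothing and a longer key search is needed.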
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – The email pretends to be a memo from “Serviço de Administração Fiscal” and includes a link that downloads a malicious PDF. ‘The email pretends to come from a government tax office and has a link that downloads a malicious PDF document hosted on a compromised website.’
- [T1059.005] Command and Scripting Interpreter: JScript – The JScript block serves as a downloader and performs host/IP checks before downloading/executing payload. ‘The block of the custom code written in JScript serves as a downloader of the final payload. The code will perform host and IP address location checks before it downloads, extracts, and executes the final payload.’
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – The trojan's DLL is loaded by a legitimate executable so that malicious activity runs under a trusted process. ‘The trojan sets up persistence using the registry run key… and uses the DLL side-loading technique to conceal malicious actions under a legitimate software process.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via the Run key to execute at logon. ‘Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Value: …kitbootnetsuuui.exe’
- [T1518.001] Software Discovery: Security Software Discovery – Enumeration of installed security products (and, under the parent T1518, of web browsers). ‘It can enumerate installed security programs and web browsers.’
- [T1056.001] Input Capture: Keylogging – Backdoor capabilities include keylogging and monitoring browser activity. ‘Keylogging, monitoring users’ browsing activity, …’
- [T1115] Clipboard Data – Clipboard data capture as part of data theft. ‘…capture clipboards…’
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Theft of cookies and other browser data via malicious browser extensions (session cookie theft on its own is more precisely [T1539] Steal Web Session Cookie). ‘steal cookies and other user information using malicious browser extensions.’
- [T1568.002] Dynamic Resolution: Domain Generation Algorithms – Date-based DGA subdomains resolved through free dynamic DNS providers (the provider accounts themselves fall under [T1583.001] Acquire Infrastructure: Domains). ‘Domain Generation Algorithm (DGA) relies on the current date… The subdomain is prefixed to free Dynamic DNS providers… to serve as command-and-control infrastructure.’
Indicators of Compromise
- [URL] context – hxxp[://]belfaro[.]com[.]br/admin/PROCESSO-02028[.]82655[.]2019[.]550[.]pdf, hxxps[://]belfaro[.]com[.]br/admin/nota[.]php?file=docprocesso27032022[.]zip
- [IP] context – 167[.]114[.]43[.]27:4433 (C2) and 167[.]114[.]88[.]99 (C2 IP Address)
- [Domain] context – iuc1[da-z]{11}.freedynamicdns.org (C2 DGA)
- [SHA1] context – 1e81d73ff946560692a01c38649227897339dd5a, ff908727cc1b5335e541fbcd80a327565f308bc7
- [File] context – docprocesso27032022i512l3j0i271l2.3130j0j15&sourceid=chrome&ie=UTF-8.msi (downloader), dbghelp.dll (Grandoreiro banking trojan)
- [File] context – kitbootnetsuuui.exe (Advanced Installer Intune Tool) with SHA1 5dd0b062dda3991c09e439f0688ba94004573d6e
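The DGA indicator above is a pattern rather than a fixed name, so matching it means running a regular expression over DNS telemetry. The following is an added detection example (not Trustwave's code) that scans DNS query log lines for names matching the reported pattern and groups the hits per client, which also surfaces the DGA hallmark of one host resolving several distinct generated names over time. It reads the page's `[da-z]` class as plain `[a-z]`; the log format (timestamp, client IP, queried name, space-separated) and the log lines themselves are constructed for the example, not real telemetry.

```python
"""Flag DNS queries matching the reported Grandoreiro DGA pattern.

Added detection example; the log format and sample lines are constructed.
"""
import re
from collections import defaultdict

# IOC from the report: "iuc1" + 11 lowercase letters + ".freedynamicdns.org".
# The trailing optional dot tolerates fully qualified names in some resolver logs.
DGA_RE = re.compile(r"^iuc1[a-z]{11}\.freedynamicdns\.org\.?$")

# Constructed sample log in "timestamp client qname" form (assumed format).
SAMPLE_LOG = """\
2022-03-27T10:01:02Z 10.0.0.12 iuc1abcdefghijk.freedynamicdns.org
2022-03-27T10:01:03Z 10.0.0.12 www.bradesco.com.br
2022-03-27T10:02:15Z 10.0.0.12 iuc1zyxwvutsrqp.freedynamicdns.org.
2022-03-27T10:03:44Z 10.0.0.77 myhost.freedynamicdns.org
2022-03-27T10:04:10Z 10.0.0.77 iuc1short.freedynamicdns.org
malformed line without three fields
2022-03-28T09:00:00Z 10.0.0.12 IUC1MNOPQRSTUVW.FREEDYNAMICDNS.ORG
"""


def parse_line(line: str):
    """Split one log line into (timestamp, client, normalised qname) or None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, client, qname = parts
    # DNS names are case-insensitive; normalise before matching.
    return ts, client, qname.lower().rstrip(".")


def is_dga_name(qname: str) -> bool:
    """True if the (normalised) query name matches the reported DGA pattern."""
    return DGA_RE.match(qname.lower().rstrip(".")) is not None


def find_dga_queries(log_text: str) -> dict:
    """Return {client: sorted list of distinct matching qnames}.

    Several distinct generated names from one client across days is the
    behaviour a date-based DGA produces, so the per-client grouping is what
    an analyst would pivot on.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, qname = rec
        if DGA_RE.match(qname):
            hits[client].add(qname)
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in find_dga_queries(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} DGA name(s)")
        for name in names:
            print(f"  {name}")
```

Note that ordinary dynamic DNS use of freedynamicdns.org (the `myhost` line) and a name that starts with `iuc1` but has the wrong label length are not flagged; only the full pattern is. If the campaign rotates to another free dynamic DNS provider, the suffix in `DGA_RE` is the only part that needs changing.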