IOC Rule: Banking Trojan Grandoreiro

A recently published article, “SIGMA vs Indicators of Compromise” by Adam Swan, our Senior Threat Hunting Engineer, demonstrates the benefits of threat-hunting Sigma rules over IOC-based content. Still, IOC Sigma rules should not be brushed off: they can confirm that a compromise has actually occurred, and since not all adversaries change their malware quickly, such rules can keep detecting a threat for a long time. Today we look at one of these rules, Banking Trojan Grandoreiro by Emir Erdogan: https://tdm.socprime.com/tdm/info/oNvknYovxCIF/CglI33EBAq_xcQY4Rvvc/?p=1

Grandoreiro is one of many banking trojans used against targets in Latin America. The first mention of this malware appeared in 2017, when attackers distributed it only in Peru and Brazil, but the cybercriminals soon expanded the geography of their attacks, adding Spain and Mexico to the list of targets. The Grandoreiro trojan is distributed via spam emails containing a link to a website offering fake Java or Flash updates. Since the beginning of the pandemic, attackers have been actively exploiting the fear around COVID-19 in their campaigns.


Threat Detection is supported for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Execution, Privilege Escalation, Defense Evasion, Persistence

Techniques: Execution through Module Load (T1129), Process Injection (T1055), Registry Run Keys / Startup Folder (T1060)


The trojan misuses MsiExec.exe, and we offer several rules for detecting such behavior:

Suspicious MsiExec Directory by Florian Roth – https://tdm.socprime.com/tdm/info/sPtJr5zlR7VX/4MWfiW4BUORkfSQhFWEb/

MsiExec Web Install by Florian Roth – https://tdm.socprime.com/tdm/info/T5M5JJ1YfyiQ/H8JNRW4BEiSx7l0HQ_Nn/

LOLBAS msiexec (via cmdline) by Steven Carter – https://tdm.socprime.com/tdm/info/dmhwrenaVeXE/xcWI1W4BUORkfSQhaZkh/

Msiexec.exe and Mavinject.exe Bypass (LolBins) by Ariel Millahuel – https://tdm.socprime.com/tdm/info/ZcbZs2X4rVua/oUJjp24ByU4WBiCt_kFv/

Msiexec manipulation to establish communication with a c2 server by Ariel Millahuel – https://tdm.socprime.com/tdm/info/89tMxuOXpDmC/_cp_C3ABTfY1LRoXM8hW/