Grinju Downloader

The Grinju Downloader, as its name suggests, is a downloader malware type. This means that its role in the attack chain is to act as a first-stage dropper responsible for delivering the actual payload after the targeted computer has already been compromised. This particular dropper displays some unique characteristics when it comes to anti-analysis and anti-detection measures.

At its core, the Grinju Downloader is macro-based malware delivered through poisoned Excel files. Unlike similar threats, however, there is no VBA code to analyze: all of the code is contained in the spreadsheet itself, spread across thousands of rows and numerous cells. To make this work, the hackers exploited an old Excel feature - the ability to create a 'macro' sheet in which macro functions are added directly to the cells. When the user opens the corrupted file, two sheets are present in it. The first, which is presented to the user, is called 'Sheet1' and contains various data that the macro functions use to carry out the threat's agenda. The second is the 'macro' sheet, named 'ij3Lv,' and it contains all of the macro functions that are run in order.

Unique Stealth and Anti-Analysis Techniques are Present in the Grinju Downloader

Opening the second sheet initially presents a blank grid of cells, even when it is zoomed out completely. To find where the functions begin, users have to scroll down to R3887C240 - row 3887, column 40. A considerable number of the functions are dedicated to hampering analysis by infosec researchers. The Grinju Downloader checks whether a mouse is present, whether the width and height of the work window exceed specific sizes, whether the system is capable of playing sounds, and whether the macro is being run in single-step mode. Any of these indicators could be a sign that Grinju is executing in a sandbox environment.

At a specific point during its operation, Grinju enters a loop built around an 'If' statement. On each cycle the values are incremented by one, and when the condition evaluates to 'True,' Grinju proceeds to form the next group of instructions.

A particularly sinister technique used by the Grinju Downloader is disabling the 'Enable Content' warning. The first stage is the creation of a text file containing a single character - '1' - which is dropped in the Temp folder. The meaning of this value becomes evident in the next function: it opens the Registry, navigates to the Excel security-warnings key, and writes into it the value one taken from the text file. From then on, all macros are executed automatically, without any warning displayed to the user.

The Grinju Downloader checks the environment it is running in, and if it detects anything other than Windows, it simply terminates. It also determines whether the Windows system has a 32-bit or a 64-bit architecture, and fetches different code from the macro sheet accordingly. The final step is to drop a script at the 'Local\Temp\Nvf.vbs' path, which is responsible for downloading and executing the second-stage payload, delivered as a file named 'ZsQrgSU.html.'
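As an added defender-side example (not code from the original write-up or from the malware), the following Python triage function scans the cell formulas of a suspected Excel 4.0 macro sheet for the traits described above: content buried thousands of rows down, GET.WORKSPACE-based sandbox probes, and file-write or execution functions. The GET.WORKSPACE argument mapping and the sample cells are assumptions constructed for the demonstration, not Grinju's actual cells.

```python
import re

# GET.WORKSPACE argument numbers commonly used as sandbox checks in Excel 4.0
# (XLM) macros. This mapping is an assumption taken from Excel 4.0 macro
# documentation, not from the original write-up.
SANDBOX_CHECKS = {
    "1": "environment/OS name",
    "13": "usable window width",
    "14": "usable window height",
    "19": "mouse present",
    "31": "single-step mode",
    "42": "sound capable",
}
# XLM functions that write files, run programs or load native code.
ACTION_FUNCS = {"FOPEN", "FWRITE", "FWRITELN", "EXEC", "CALL", "REGISTER"}
EXEC_FUNCS = {"EXEC", "CALL", "REGISTER"}

def triage_sheet(cells, blank_rows=1000):
    """cells: {(row, col): formula} for one macro sheet.
    Returns where content starts, which sandbox probes and action functions
    appear, and a simple verdict combining them."""
    first_row = min((r for r, _ in cells), default=None)
    checks, actions = set(), set()
    for formula in cells.values():
        for arg in re.findall(r"GET\.WORKSPACE\(\s*(\d+)\s*\)", formula):
            if arg in SANDBOX_CHECKS:
                checks.add(SANDBOX_CHECKS[arg])
        for fn in re.findall(r"\b([A-Z][A-Z.]*)\(", formula):
            if fn in ACTION_FUNCS:
                actions.add(fn)
    buried = first_row is not None and first_row > blank_rows
    suspicious = len(checks) >= 2 or bool(actions & EXEC_FUNCS) or (buried and bool(actions))
    return {"first_row": first_row, "buried": buried,
            "sandbox_checks": checks, "actions": actions, "suspicious": suspicious}

# Constructed sample modelled on the behaviour described above (not the real
# malware's cells): a sparse macro sheet, sandbox probes, a file drop and EXEC.
SAMPLE = {
    (3887, 240): "=IF(GET.WORKSPACE(19),,CLOSE(TRUE))",
    (3888, 240): "=IF(GET.WORKSPACE(13)<770,CLOSE(TRUE),)",
    (3889, 240): "=IF(GET.WORKSPACE(42),,CLOSE(TRUE))",
    (3890, 240): "=IF(GET.WORKSPACE(31),CLOSE(TRUE),)",
    (3891, 240): '=FOPEN("C:\\PLACEHOLDER\\Local\\Temp\\flag.txt",3)',
    (3892, 240): '=FWRITE(R3891C240,"1")',
    (3893, 240): '=EXEC("wscript.exe C:\\PLACEHOLDER\\Local\\Temp\\Nvf.vbs")',
    (3894, 240): "=HALT()",
}

if __name__ == "__main__":
    print(triage_sheet(SAMPLE))
```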

The hackers behind the Grinju Downloader demonstrate that even somewhat old techniques could yield surprisingly efficient results.
