Dissecting the Grandoreiro/BTMOB Resurgence: IoCs & Detection Logic
Saw the report from WatchGuard and ESET regarding the resurgence of Grandoreiro and BTMOB. It looks like threat actors are heavily pivoting back to region-specific campaigns, hitting Spain, Portugal, Mexico, and Brazil.
Grandoreiro (Windows) has always been notorious for its modular architecture and sandbox evasion. The recent campaigns seem to be utilizing sophisticated phishing lures with VBA macros to drop the payload. If you're in SOCs in those regions, you'll want to hunt for suspicious parent-child processes, specifically Office apps spawning PowerShell.
Here is a basic KQL query to start hunting for the macro-dropper behavior commonly associated with this family:
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ~("winword.exe", "excel.exe", "powerpnt.exe")
| where FileName in ~("powershell.exe", "cmd.exe", "mshta.exe")
| where ProcessCommandLine contains "EncodedCommand" or ProcessCommandLine contains "FromBase64String"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
On the mobile side, **BTMOB** (RAT) is targeting Android users in Brazil, likely via smishing or trojanized apps. It typically requests accessibility services to perform overlay attacks.
Has anyone started blocking the specific delivery domains associated with this wave? I'm curious if standard EDR heuristics are catching the obfuscated macro stages effectively, or if we're seeing a lot of initial bypasses.
We've intercepted a few of these in our spam filters. The macros are using a slightly modified base64 string obfuscation that slipped past our default AMSI rules initially. I updated our YARA rules to look for the specific XOR key they're using in this campaign.
For those hunting, check for the persistence mechanism in the Registry. Grandoreiro often adds a run key pointing to a binary in AppData.
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' | Where-Object { $_.PSObject.Properties.Value -match 'AppData' }
Good catch on the Android side. BTMOB is aggressive with the BIND_ACCESSIBILITY_SERVICE permission. As a pentester, I've seen this used to bypass 2FA by reading SMS codes or overlaying the banking app interface.
For mobile defense, ensure you have Google Play Protect enabled and strictly enforce 'Unknown Sources' policies. We recommend blocking APK downloads via corporate proxies unless absolutely necessary.
Great insights on the macros and mobile vectors. I've noticed the recent samples heavily rely on process hollowing using rundll32.exe to evade static analysis. For persistence, they often create hidden scheduled tasks.
If you're doing live response, check for suspicious child processes of rundll32.exe or explorer.exe with non-standard DLL loads. You can hunt for this using this KQL query in Sentinel:
Process
| where ProcessName in ("rundll32.exe", "explorer.exe")
| where isnotnull(ProcessCommandLine) and ProcessCommandLine contains ".dll"
| project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessFileName
Has anyone else observed the C2 communication shifting towards encrypted DNS to blend in?
Excellent analysis on the TTPs. To bridge the gap between the macro delivery and the hollowing execution, we started hunting for Office apps spawning rundll32.exe with specific arguments. Here is a quick KQL query we use in Sentinel to spot this behavior during the initial access phase:
DeviceProcessEvents
| where InitiatingProcessFileName in ("winword.exe", "excel.exe")
| where FileName == "rundll32.exe"
| project Timestamp, DeviceName, FileName, ProcessCommandLine
Are you observing the C2 traffic sticking to standard ports or shifting to something more obscure in recent samples?
It's interesting timing. I've spotted listings for a "silent" Grandoreiro builder update on a major forum recently, which likely explains the evasion success. To complement the host-based hunting, you should monitor the network layer. The latest samples often reach out to C2 infrastructure on non-standard ports to bypass proxies. Here is a basic Sigma rule to catch those anomalies:
title: Grandoreiro Suspicious Outbound Connection
status: experimental
logsource:
product: windows
category: network_connection
detection:
selection:
Initiated: 'true'
DestinationPort|between: 1000-9000
condition: selection
Don't overlook the network layer. With the updated builder, changes in the DGA are likely. We’ve had success hunting for high entropy in DNS queries, specifically NXDOMAIN responses, which often flags the C2 infrastructure setup before connection.
For those on Sentinel/MDE, try this KQL query to spot anomalies:
kusto DeviceNetworkEvents
| where RemotePort == 53
| parse QueryName with Domain "." *
| extend entropy = entropy(Domain)
| where entropy > 3.5 and ResponseResultCode == 3 // NXDOMAIN
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access