![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/12\/Op-Saci-e1733328616580.png\")
<\/figure><\/div>\n\n\n\nOverview<\/strong><\/h1>\n\n\n\nThe following report aims to provide indicators of compromise, along with the technical tactics and procedures associated with a malware campaign named by SCILabs as Operation Saci<\/em>, which was identified during the second week of November 2024 through ongoing threat monitoring and hunting activities in Latin America.<\/p>\n\n\n\nAfter conducting an investigation, SCILabs observed that the Grandoreiro<\/em> and URSA\/Mispadu<\/em> malware families are being distributed through Operation Saci<\/em>. Given the impersonated institution (Citibanamex) and the impacted banks, it is highly likely that the installed banking Trojan is targeting Mexico.<\/p>\n\n\n\nOperation Saci<\/em>‘s distribution method is phishing emails, which may contain a hyperlink or an attached PDF file, using pretexts related to invoices, pending payment receipts, or payment vouchers. Its main objective is to distribute the Grandoreiro<\/em> and URSA\/Mispadu<\/em> malware families, which aim to steal banking information from users of different financial institutions through the overlapping of windows. In the case of some URSA\/Mispadu<\/em> installations, they may also steal browser history, Outlook credentials, and SMTP access.<\/p>\n\n\n\nIt is important to mention that, during this investigation, SCILabs found different overlaps between various aspects of the Grandoreiro<\/em> and URSA\/Mispadu<\/em> infection chain. First, the Grandoreiro<\/em> infection will be addressed broadly (as it represents the final stage in this specific campaign) before highlighting the similarities between both attack flows and describing them in detail.<\/p>\n\n\n\n<\/p>\n\n\n\n
How could it affect an organization?<\/strong><\/h1>\n\n\n\nThe malware families distributed by Operation Saci<\/em> can steal banking and confidential information (such as browsing history and Outlook credentials) from all types of users, including employees of public and private entities. If an attack is successful within the organization, cybercriminals may leak or sell the stolen information in clandestine Dark Web forums or black markets, compromising the confidentiality, integrity and availability of the data, and leading to potential financial and reputational losses for clients.<\/p>\n\n\n\n<\/p>\n\n\n\n
Analysis<\/strong><\/h1>\n\n\n\nGeneral context of the threat<\/h2>\n\n\n\n
During the second week of November 2024, through ongoing threat monitoring and hunting activities in Latin America, SCILabs identified an email containing an attached PDF file \u2014protected by a password included in the same email\u2014 named after the victim’s email address. The email uses the pretext an alleged payment receipt to impersonate Citibanamex. It was determined, with a high level of confidence that this specific campaign is targeted at Mexico.<\/p>\n\n\n\n
![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_1.png\")
<\/figure><\/div>\n\n\n\nFigure 1. Visual appearance of the attached PDF file<\/strong><\/p>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_2.png\")
<\/figure><\/div>\n\n\n\nFigure 2. Phishing email visual appearance<\/strong><\/p>\n\n\n\nTechnical summary of Grandoreiro\u2019s<\/em> installation process<\/strong><\/h2>\n\n\n\nThe PDF file contains an embedded hyperlink. When the victims click on it, they are redirected to a site where a file named \u201c\u2749\ud835\udd38\ud835\udd63\ud835\udd54\ud835\udd59\ud835\udd5a\ud835\udd67\ud835\udd60\ud835\udd64\u2749_\u2460\u2460\u2468\u2463\u2460\u2460<\/strong>,\u201d in ZIP format is automatically downloaded. However, those numbers vary with each download.<\/p>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_3-1024x527.png\")
<\/figure><\/div>\n\n\n\nFigure 3. Visual appearance of the automatic download site<\/strong><\/p>\n\n\n\nThe ZIP contains a file in HTA format (with the same name as the compressed file) which includes the instructions to download and execute a JavaScript script.<\/p>\n\n\n\n
![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_4-1024x152.png\")
<\/figure><\/div>\n\n\n\nFigure 4. Content of the compressed file<\/strong><\/p>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_5-1024x171.png\")
<\/figure><\/div>\n\n\n\nFigure 5. Code fragment contained in the HTA file<\/strong><\/p>\n\n\n\nFurthermore, as an additional defense evasion mechanism, the malware displays an alleged password validator, typical of other malware families like URSA\/Mispadu<\/em>.<\/p>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_6.png\")
<\/figure><\/div>\n\n\n\nFigure 6. Password validator used by Grandoreiro<\/em> in this campaign<\/strong><\/p>\n\n\n\nAfter the validation, the second stage of the infection begins. The script named 6725c86d7fa55.js<\/strong> is responsible for downloading an additional dropper in VBS format installed within the %PUBLIC%<\/em> directory.<\/p>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_7-1024x90.png\")
<\/figure><\/div>\n\n\n\nFigure 7. Code fragment contained in the JavaScript file<\/strong><\/p>\n\n\n\nThis dropper performs the following tasks:<\/p>\n\n\n\n
- Code Formatting: formats a text string corresponding to PowerShell code.<\/li><\/ul>\n\n\n\n
- Download: this function downloads a second file in VBS format that works as a Grandoreiro<\/em> dropper and saves it within the %PUBLIC%<\/em> directory.<\/li><\/ul>\n\n\n\n
- Execution: executes the following Grandoreiro<\/em> dropper, which is also in VBS format.<\/li><\/ul>\n\n\n\n
![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_8-1024x109.png\")
<\/figure><\/div>\n\n\n\nFigure 8. Code fragment contained in the first VBS file<\/strong><\/p>\n\n\n\nThis second dropper performs the following tasks:<\/p>\n\n\n\n
- Download: opens the site hxxp[:]\/\/62[.]113[.]116[.]63\/mx01\/cancun01[.]zip<\/strong> and downloads a compressed file in ZIP format named \u201ccancun01\u201d.<\/li><\/ul>\n\n\n\n
- Execution: searches for executable files (with EXE extension) within the compressed file; if it finds any, it automatically runs it.<\/li><\/ul>\n\n\n\n
Information registration: obtains the name of the infected computer and through a GET request with the form hxxp[:]\/\/62[.]113[.]116[.]63\/conta[.]mx\/index[.]php?nomepc=[equipo_name]<\/strong> shares it with its command server and control.<\/p>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_9-1024x103.png\")
<\/figure><\/div>\n\n\n\nFigure 9. Code fragment contained in the second VBS file<\/strong><\/p>\n\n\n\nSCILabs identified that the compressed name cancun01.zip contains four files, which were observed in a campaign documented by SCILabs in July of this year and are described below:<\/p>\n\n\n\n
- CSRPS.exe<\/strong>: this is a legitimate file that belongs to an application called Beyond Compare11.<\/li><\/ul>\n\n\n\n
- CSRPS.dll<\/strong> and unrar.dll<\/strong>: these are two legitimate libraries necessary to execute “CSRPS.exe.”<\/li><\/ul>\n\n\n\n
- 7zxa.dll<\/strong>: corresponds to the malicious library, which uses the Grandoreiro<\/em>‘s technique of increasing its size to make it challenging for security tools to analyze static and dynamic data. In this case, it weighs almost 2GB.<\/li><\/ul>\n\n\n\n
It is worth mentioning that these artifacts are unzipped to a randomly named folder in the root of C:\\ composed of <one number><one capital letter><three lowercase letters><three numbers><\/p>\n\n\n\n
The DLL 7zxa.dll is loaded into memory by the CSRPS.exe executable using the DLL Hijacking<\/a> technique. In this case, the technique exploits the CVE-2024-7886<\/a><\/strong> vulnerability by replacing the original library with a malicious one crafted by the attacker.<\/p>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_10.png\")
<\/figure><\/div>\n\n\n\nFigure 10. Evidence of the existence of the DLL Hijacking vulnerability<\/strong><\/p>\n\n\n\nDuring the dynamic analysis of the artifacts, the SCILabs team identified that the malware records the computer’s infection in a log that contains the victim’s IP address and the names of the files that were downloaded.<\/p>\n\n\n\n
![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_11-1024x235.png\")
<\/figure><\/div>\n\n\n\nFigure 11. Fragment of victim registration log<\/strong><\/p>\n\n\n\nFurthermore, within the text strings of the process deployed by the malware, some of the target banks (all of them from Mexico) could be observed.<\/p>\n\n\n\n
After conducting an investigation, SCILabs observed that the Grandoreiro<\/em> and URSA\/Mispadu<\/em> malware families are being distributed through Operation Saci<\/em>. Given the impersonated institution (Citibanamex) and the impacted banks, it is highly likely that the installed banking Trojan is targeting Mexico.<\/p>\n\n\n\n Operation Saci<\/em>‘s distribution method is phishing emails, which may contain a hyperlink or an attached PDF file, using pretexts related to invoices, pending payment receipts, or payment vouchers. Its main objective is to distribute the Grandoreiro<\/em> and URSA\/Mispadu<\/em> malware families, which aim to steal banking information from users of different financial institutions through the overlapping of windows. In the case of some URSA\/Mispadu<\/em> installations, they may also steal browser history, Outlook credentials, and SMTP access.<\/p>\n\n\n\n It is important to mention that, during this investigation, SCILabs found different overlaps between various aspects of the Grandoreiro<\/em> and URSA\/Mispadu<\/em> infection chain. First, the Grandoreiro<\/em> infection will be addressed broadly (as it represents the final stage in this specific campaign) before highlighting the similarities between both attack flows and describing them in detail.<\/p>\n\n\n\n <\/p>\n\n\n\n The malware families distributed by Operation Saci<\/em> can steal banking and confidential information (such as browsing history and Outlook credentials) from all types of users, including employees of public and private entities. If an attack is successful within the organization, cybercriminals may leak or sell the stolen information in clandestine Dark Web forums or black markets, compromising the confidentiality, integrity and availability of the data, and leading to potential financial and reputational losses for clients.<\/p>\n\n\n\n <\/p>\n\n\n\n During the second week of November 2024, through ongoing threat monitoring and hunting activities in Latin America, SCILabs identified an email containing an attached PDF file \u2014protected by a password included in the same email\u2014 named after the victim’s email address. The email uses the pretext an alleged payment receipt to impersonate Citibanamex. It was determined, with a high level of confidence that this specific campaign is targeted at Mexico.<\/p>\n\n\n\n Figure 1. Visual appearance of the attached PDF file<\/strong><\/p>\n\n\n\n Figure 2. Phishing email visual appearance<\/strong><\/p>\n\n\n\n The PDF file contains an embedded hyperlink. When the victims click on it, they are redirected to a site where a file named \u201c\u2749\ud835\udd38\ud835\udd63\ud835\udd54\ud835\udd59\ud835\udd5a\ud835\udd67\ud835\udd60\ud835\udd64\u2749_\u2460\u2460\u2468\u2463\u2460\u2460<\/strong>,\u201d in ZIP format is automatically downloaded. However, those numbers vary with each download.<\/p>\n\n\n\n Figure 3. Visual appearance of the automatic download site<\/strong><\/p>\n\n\n\n The ZIP contains a file in HTA format (with the same name as the compressed file) which includes the instructions to download and execute a JavaScript script.<\/p>\n\n\n\n Figure 4. Content of the compressed file<\/strong><\/p>\n\n\n\n Figure 5. Code fragment contained in the HTA file<\/strong><\/p>\n\n\n\n Furthermore, as an additional defense evasion mechanism, the malware displays an alleged password validator, typical of other malware families like URSA\/Mispadu<\/em>.<\/p>\n\n\n\n Figure 6. Password validator used by Grandoreiro<\/em> in this campaign<\/strong><\/p>\n\n\n\n After the validation, the second stage of the infection begins. The script named 6725c86d7fa55.js<\/strong> is responsible for downloading an additional dropper in VBS format installed within the %PUBLIC%<\/em> directory.<\/p>\n\n\n\n Figure 7. Code fragment contained in the JavaScript file<\/strong><\/p>\n\n\n\n This dropper performs the following tasks:<\/p>\n\n\n\n Figure 8. Code fragment contained in the first VBS file<\/strong><\/p>\n\n\n\n This second dropper performs the following tasks:<\/p>\n\n\n\n Information registration: obtains the name of the infected computer and through a GET request with the form hxxp[:]\/\/62[.]113[.]116[.]63\/conta[.]mx\/index[.]php?nomepc=[equipo_name]<\/strong> shares it with its command server and control.<\/p>\n\n\n\n Figure 9. Code fragment contained in the second VBS file<\/strong><\/p>\n\n\n\n SCILabs identified that the compressed name cancun01.zip contains four files, which were observed in a campaign documented by SCILabs in July of this year and are described below:<\/p>\n\n\n\n It is worth mentioning that these artifacts are unzipped to a randomly named folder in the root of C:\\ composed of <one number><one capital letter><three lowercase letters><three numbers><\/p>\n\n\n\n The DLL 7zxa.dll is loaded into memory by the CSRPS.exe executable using the DLL Hijacking<\/a> technique. In this case, the technique exploits the CVE-2024-7886<\/a><\/strong> vulnerability by replacing the original library with a malicious one crafted by the attacker.<\/p>\n\n\n\n Figure 10. Evidence of the existence of the DLL Hijacking vulnerability<\/strong><\/p>\n\n\n\n During the dynamic analysis of the artifacts, the SCILabs team identified that the malware records the computer’s infection in a log that contains the victim’s IP address and the names of the files that were downloaded.<\/p>\n\n\n\n Figure 11. Fragment of victim registration log<\/strong><\/p>\n\n\n\n Furthermore, within the text strings of the process deployed by the malware, some of the target banks (all of them from Mexico) could be observed.<\/p>\n\n\n\nHow could it affect an organization?<\/strong><\/h1>\n\n\n\n
Analysis<\/strong><\/h1>\n\n\n\n
General context of the threat<\/h2>\n\n\n\n
<\/figure><\/div>\n\n\n\n<\/figure><\/div>\n\n\n\nTechnical summary of Grandoreiro\u2019s<\/em> installation process<\/strong><\/h2>\n\n\n\n
<\/figure><\/div>\n\n\n\n<\/figure><\/div>\n\n\n\n<\/figure><\/div>\n\n\n\n<\/figure><\/div>\n\n\n\n<\/figure><\/div>\n\n\n\n<\/figure><\/div>\n\n\n\n<\/figure><\/div>\n\n\n\n<\/figure><\/div>\n\n\n\n<\/figure><\/div>\n\n\n\n
![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_12_en-1024x677.png\")
<\/figure>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_13_en-1024x923.png\")
<\/figure><\/div>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/2\/2024\/12\/figura_14_en-1024x772.jpg\")
<\/figure><\/div>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_15_en-1024x345.png\")
<\/figure><\/div>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_16_en-1024x271.png\")
<\/figure><\/div>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_17_en-1024x567.png\")
<\/figure><\/div>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_18_en-1024x288.png\")
<\/figure><\/div>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_19_en-1024x429.png\")
<\/figure>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_20_en-1024x487.png\")
<\/figure><\/div>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_21_en-1024x302.png\")
<\/figure><\/div>\n\n\n\n![\"Figure](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/11\/figura_22_en-1024x506.png\")
<\/figure><\/div>\n\n\n\n