Grinju Downloader
The Grinju Downloader is a peculiar Trojan that uses outdated Microsoft Excel features to hide its execution and leave the victim with the impression that they ran into some trouble while viewing a spreadsheet. Many malware families rely on 'Macro Scripts' embedded inside Microsoft Office files to aid their execution. Usually, the script in question is embedded inside the 'Macro' function of modern Microsoft Office variants, and many anti-malware products check this specific section for corrupted indicators. The Grinju Downloader, however, uses a different Microsoft Excel strategy. When a user opens the corrupted document, they will see the default sheet called 'sheet1,' which is accompanied by a second sheet called 'ij3Lv.' The latter appears to be empty, but this is not entirely true – its contents are found around Column 40 and Row 3887. Even if the user zooms out trying to look for any content, they are unlikely to spot anything.
The Grinju Downloader Uses a Peculiar Method to Execute a Corrupted Macro
But what does the mysterious 'ij3Lv' sheet contain? This is where the Grinju Downloader's macro resides in. Shortly explained, the macro is spread across several cells that will be executed in a specific order to achieve the final result, which is:
- Writes a VBS file to the hard drive.
- Writes a '.txt' file to the hard drive.
- Uses the text file's contents and then deletes it.
- Corrupts the compromised Microsoft Excel file, so it cannot be viewed again.
The last stage is a very interesting strategy since it ensures that the victim will not be able to submit the suspicious file for anti-malware analysis if they have already fallen victim to the attack.
So, what is the text file that the Grinju Downloader uses? It is a file whose contents are limited to just one character – '1.' The macro script found in the Excel sheet will write the text file's value to the Windows Registry and, in particular, in the section involving Microsoft Excel's security warnings. Setting up a specific registry key to '1' ensures that Microsoft Excel will run macros without any notification/confirmation, a major security concern.
Grinju Checks the Windows Architecture to Determine the Payload to Launch
Next, the Grinju Downloader executes a spreadsheet cell whose contents are meant to get the Windows environment and differentiate between 32-bit and 64-bit – depending on the architecture, it will choose the next cell to execute, ensuring that the correct payload will be delivered. This also allows the Grinju Downloader to easily avoid non-Windows systems.
Usually, Trojan Downloaders follow very similar strategies to do their job, but the Grinju Downloader author certainly brings some new and interesting strategies to the table. Although this malware has not been involved in large-scale campaigns yet, it is possible it may inspire other malware developers to come up with modified and more advanced versions of the Grinju Downloader. It is recommended to keep your system safe by using the protection services of an up-to-date anti-virus service.
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.