Kiron: Rust Adoption and Browser Extensions

Community Identifiers: Grandoreiro
Type: Banking Trojan and Information Stealer

July 2024: NestoLoader Integration

Kiron was distributed via NestoLoader, which is a loader written in JPHP — a PHP implementation that runs in the Java virtual machine (VM). JPHP is not commonly used to develop eCrime malware because of the language’s recent introduction and limited feature set, and it was likely used to hinder analysis efforts and evade detection.

NestoLoader samples used to deliver Kiron were configured to communicate with the command-and-control (C2) server massgrave[.]site. Public telemetry reveals that NestoLoader deployed Kiron’s widely used Delphi downloader, which retrieved its payload from http[:]//108.165.96[.]26:8080/19b[.]zip. This Delphi downloader has been a staple for Kiron operators since 2019, with variants employed across multiple campaigns.

August 2024: Rust-Based Downloader

In early August 2024, Kiron operators transitioned from using Delphi-based downloaders to a Rust-based alternative, which distributed via NestoLoader samples configured to communicate with the C2 domain massgrave[.]site. In this updated delivery chain, the NestoLoader C2 provided a JSON response containing a Base64-encoded legitimate executable and dynamic-link library (DLL).

To execute the Rust-based downloader DLL, NestoLoader uses search-order hijacking with the legitimate executable. This new Rust-based downloader was exclusively used to deliver Kiron.

The downloader retrieved the next-stage component from http[:]//192.101.68[.]150/bb08[.]zip, which hosted an AES-encrypted ZIP file. Decryption relied on a hardcoded key (00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f) and initialization vector (1a 2b 3c 4d 5e 6f 00 11 22 33 44 55 66 77 88 99) using AES in CBC mode, which was consistent across all analyzed samples.

This ZIP file contained a Kiron core component configured with the prefix pkc, highly likely identifying a specific malware operator targeting customers of Brazilian and Mexican FIs. Kiron’s developers leveraged a custom domain generation algorithm (DGA) that combined the prefix with the current date to calculate its C2 server domain.

Malware Operators

Analysis of Kiron samples from this activity reveals the use of two distinct string prefixes: z and pkc. The z prefix has been associated with Kiron operators since early 2024, while samples using the pkc prefix were observed between August and October 2024.

Kiron builds with the pkc prefix exclusively target customers of FIs in Brazil and Mexico, whereas builds with the z prefix have a broader geographic focus. These samples target FIs in Chile, Peru, Ecuador, Argentina, Brazil, Costa Rica, Mexico, the U.K., Germany, Portugal and Spain. The specific targets are explicitly defined in Kiron’s hardcoded strings.

Overlap with SAMBA SPIDER

In late September 2024, Kiron operators began distributing the malware using a fourth-stage infection chain that closely mirrored SAMBA SPIDER’s June 2024 TTPs. This overlap suggests either the same actor was responsible for both activities or Kiron operators leveraged SAMBA SPIDER’s tooling to replicate Mispadu’s infection chain. This assessment is made with moderate confidence, based on similarities in first-stage components and filename patterns.

Kiron operators used HTA file naming conventions such as ❉VER CUENTA❉_, ❉𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤❉_, and ❉processo❉_, which align closely with SAMBA SPIDER’s Mispadu naming scheme of ❉<STRING_IN_SPANISH>❉_<RANDOM_CHARACTERS>.hta. These shared patterns further underline the connection between the two sets of activities.

October 2024: Stealer Enhancement 

In mid-October 2024, a Kiron core component update introduced new stealer features aimed at gathering user data. This update included:

  • A browser-history grabber, derived from NirSoft’s web browser history tool, to collect users’ navigation data.
  • A Chromium-based browser-stealer extension designed to exfiltrate user cookies and email addresses.

Both components were embedded in the Portable Executable (PE) .rsrc section as encrypted ZIP files. To decrypt these archives, the malware utilized Kiron’s custom algorithm with the XOR key 0x8EF6 — a method consistent with the algorithm used by Kiron’s Delphi downloader for decrypting final-stage ZIP files.

Updated Obfuscation Techniques

Kiron core component samples from October 2024 introduced a new Base64-based obfuscation layer for string encryption while retaining the previously established XOR-based algorithm. This hybrid approach underscores the developers’ ongoing efforts to complicate detection and analysis.

Browser-Stealer Extension Features

The browser-stealer extension comprises two JS files with distinct functionalities:

  • content.js: Scans the current visited webpage’s body for email addresses and forwards any identified addresses to background.js.
  • background.js:
    • Sends content.js collected email addresses to Kiron’s core component.
    • Monitors updates to webmail site-browser tabs to capture cookies, which are then exfiltrated to the C2 server.

Caiman: Advanced String Obfuscation

Community Identifiers: Grandoreiro
Type: Banking Trojan and Information Stealer

In September 2023, Caiman developers implemented a custom string obfuscation process designed to enhance the malware’s defense evasion capabilities. This new method marked a departure from the widely recognized XOR-based algorithm commonly used by other LATAM malware families.

String Obfuscation

In June 2024, Caiman developers introduced a sophisticated string decryption process (Figure 3) that combines Base64 encoding, a pseudo-random number generator (PRNG) and a custom XOR-based algorithm for enhanced obfuscation.

Similar Posts