Home Malware Programs Downloaders Grinju Downloader

Grinju Downloader

Posted: October 15, 2020

The Grinju Downloader is a peculiar Trojan that uses outdated Microsoft Excel features to hide its execution and leave the victim with the impression that they ran into some trouble while viewing a spreadsheet. Many malware families rely on 'Macro Scripts' embedded inside Microsoft Office files to aid their execution. Usually, the script in question is embedded inside the 'Macro' function of modern Microsoft Office variants, and many anti-malware products check this specific section for corrupted indicators. The Grinju Downloader, however, uses a different Microsoft Excel strategy. When a user opens the corrupted document, they will see the default sheet called 'sheet1,' which is accompanied by a second sheet called 'ij3Lv.' The latter appears to be empty, but this is not entirely true – its contents are found around Column 40 and Row 3887. Even if the user zooms out trying to look for any content, they are unlikely to spot anything.

The Grinju Downloader Uses a Peculiar Method to Execute a Corrupted Macro

But what does the mysterious 'ij3Lv' sheet contain? This is where the Grinju Downloader's macro resides in. Shortly explained, the macro is spread across several cells that will be executed in a specific order to achieve the final result, which is:

  • Writes a VBS file to the hard drive.
  • Writes a '.txt' file to the hard drive.
  • Uses the text file's contents and then deletes it.
  • Corrupts the compromised Microsoft Excel file, so it cannot be viewed again.

The last stage is a very interesting strategy since it ensures that the victim will not be able to submit the suspicious file for anti-malware analysis if they have already fallen victim to the attack.

So, what is the text file that the Grinju Downloader uses? It is a file whose contents are limited to just one character – '1.' The macro script found in the Excel sheet will write the text file's value to the Windows Registry and, in particular, in the section involving Microsoft Excel's security warnings. Setting up a specific registry key to '1' ensures that Microsoft Excel will run macros without any notification/confirmation, a major security concern.

Grinju Checks the Windows Architecture to Determine the Payload to Launch

Next, the Grinju Downloader executes a spreadsheet cell whose contents are meant to get the Windows environment and differentiate between 32-bit and 64-bit – depending on the architecture, it will choose the next cell to execute, ensuring that the correct payload will be delivered. This also allows the Grinju Downloader to easily avoid non-Windows systems.

Usually, Trojan Downloaders follow very similar strategies to do their job, but the Grinju Downloader author certainly brings some new and interesting strategies to the table. Although this malware has not been involved in large-scale campaigns yet, it is possible it may inspire other malware developers to come up with modified and more advanced versions of the Grinju Downloader. It is recommended to keep your system safe by using the protection services of an up-to-date anti-virus service.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Grinju Downloader may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner*

* See Free Trial offer below. EULA and Privacy/Cookie Policy.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.