Blank Grabber Returns With High Evasiveness – CYFIRMA

The CYFIRMA report identifies Blank Grabber as an open-source infostealer builder (reintroduced with high evasiveness) that targets Windows and constantly evolves with new features. It emphasizes the malware's data-exfiltration capabilities, its evasion techniques, and its use of Discord webhooks and Telegram as command-and-control channels, with distribution focused on gaming communities.

Keypoints

  • The malware builder is written in Python 3, and the compiled malware is written in C++.
  • The malware stub is often found using open-source Python obfuscators to evade detection.
  • Blank Grabber has evolved with more features as more people use the technology, increasing its sophistication.
  • The developer contemplates adding the ability to harvest WhatsApp data.
  • Multiple developers maintain the project, including aliases “Blank” and “Astounding.”
  • Threat actors abuse Discord webhooks and Telegram as C2 channels to log HTTP requests and exfiltrate data; it operates without requiring a VPS.
  • WMIC is used to gather extensive system information (OS, CPU, GPU, BIOS, etc.), aiding environment fingerprinting.
  • Distribution targets gamers via GitHub repositories such as Celestial Injector and FPS booster projects.

MITRE Techniques

  • [T1047] Windows Management Instrumentation – The malware uses the WMIC utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. “the malware uses the WMIC utility to identify and display various system information, including OS, CPU, GPU, and disk drive names…”
  • [T1059] Command and Scripting Interpreter – The builder is a batch script that checks for Python and libraries and installs them if absent. “The builder code is a batch script that checks for the presence of Python and several Python libraries and installs them if they are not found.”
  • [T1562.001] Disable or Modify Tools – Uses Windows defense evasion techniques, including disabling Defender. “Disables Windows Defender.”
  • [T1574.001] DLL Side-Loading – The malware loads missing DLLs and relies on dynamic linking. “Tries to load missing DLLs.”
  • [T1027] Obfuscated Files or Information – Obfuscated stub and packers are used to evade detection. “Obfuscated Stub.” and “Sample is packed with UPX.”
  • [T1497] Virtualization/Sandbox Evasion – Performs checks to detect virtualized environments and evasion behaviors. “Anti-VM” and related VM-detection activity.
  • [T1562.001] Disable or Modify Tools – Listed again for the AV-termination capability alongside the VM checks. “AV process strings found (to terminate AV) and VM checks.”
  • [T1003] OS Credential Dumping – Harvests credentials such as browser data; broader credential access. “Grabs Passwords from Multiple Browsers.”
  • [T1016] System Network Configuration Discovery – Extracts the machine’s IP information. “Grabs IP Information.”
  • [T1018] Remote System Discovery – Reads the hosts file to map remote systems. “Reads the hosts file.”
  • [T1057] Process Discovery – Queries lists of running processes; uses tasklist to gather process data. “Queries a list of all running processes” and “Uses tasklist.exe…”
  • [T1082] System Information Discovery – Broad discovery including BIOS, environment variables, disk info, and more. “Queries BIOS Information… get disk information” and others.
  • [T1083] File and Directory Discovery – Enumerates files and directories and reads config files. “Enumerate files on Windows” and “Reads ini files.”
  • [T1518.001] Security Software Discovery – Detects installed security tools and VM indicators. “AV process strings found” and “Checks if Antivirus program is installed.”
  • [T1071.001] Application Layer Protocol – Uses web services for C2 (Discord webhooks/Telegram bot) and data transfer. “Sends All Data Through Discord Webhooks/Telegram Bot” and “Uses HTTPS” via web protocols.
  • [T1053/T1071.001] Ingress Tool Transfer / Encrypted Channel – Downloads files and communicates via encrypted channels (HTTPS). “Downloads files from webservers via HTTP” and “Uses HTTPS.”
  • [T1573] Encrypted Channel – Uses HTTPS for network communication. “Uses HTTPS for network communication.”
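A defender-side check for the behaviour pairing listed above, added here as an example and not taken from the CYFIRMA report: per parent process it counts the distinct WMIC classes queried by child processes (T1047), notes tasklist use (T1057), and flags requests to Discord-webhook or Telegram-bot URLs (T1071.001). The event records, PIDs and webhook URL are constructed, and the exact WMIC class list is an assumption.

```python
import re
from collections import defaultdict

# WMIC classes a host-fingerprinting run would touch (assumed list; the summary
# names OS, CPU, GPU, disk, memory, display, baseboard and BIOS as targets).
CLASS_RE = re.compile(r"\b(os|cpu|baseboard|bios|diskdrive|memorychip|"
                      r"desktopmonitor|win32_videocontroller)\b", re.I)
TASKLIST_RE = re.compile(r"\btasklist(\.exe)?\b", re.I)
# Web services the summary names as the exfiltration channel (T1071.001).
C2_RE = re.compile(r"https://(discord(app)?\.com/api/webhooks/|api\.telegram\.org/bot)", re.I)

# Constructed telemetry: process-creation events keyed by parent PID, plus
# proxy-style HTTP records keyed by the requesting PID. Nothing here is real.
EVENTS = [
    {"type": "process", "pid": 4120, "parent_pid": 3980, "cmd": "wmic os get Caption"},
    {"type": "process", "pid": 4121, "parent_pid": 3980, "cmd": "wmic cpu get Name"},
    {"type": "process", "pid": 4122, "parent_pid": 3980, "cmd": "wmic path win32_videocontroller get Name"},
    {"type": "process", "pid": 4123, "parent_pid": 3980, "cmd": "wmic bios get Manufacturer,SMBIOSBIOSVersion"},
    {"type": "process", "pid": 4124, "parent_pid": 3980, "cmd": "tasklist /FO CSV"},
    {"type": "http", "pid": 3980, "url": "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"},
    {"type": "process", "pid": 5100, "parent_pid": 700, "cmd": "wmic os get Caption"},  # lone admin query
    {"type": "http", "pid": 5100, "url": "https://www.example.com/index.html"},
]

def analyze(events, min_wmic_classes=3):
    """Return {pid: [reasons]} for processes showing the fingerprint/exfil pattern.
    A single WMIC query is normal admin activity; only a spread of classes from
    one parent, or a webhook/bot upload, produces a finding."""
    wmic_classes, tasklist, c2 = defaultdict(set), set(), defaultdict(list)
    for e in events:
        if e["type"] == "process":
            cmd = e["cmd"]
            if "wmic" in cmd.lower():
                wmic_classes[e["parent_pid"]].update(c.lower() for c in CLASS_RE.findall(cmd))
            if TASKLIST_RE.search(cmd):
                tasklist.add(e["parent_pid"])
        elif e["type"] == "http" and C2_RE.search(e["url"]):
            c2[e["pid"]].append(e["url"])
    findings = {}
    for pid in set(wmic_classes) | tasklist | set(c2):
        reasons = []
        if len(wmic_classes[pid]) >= min_wmic_classes:
            reasons.append(f"WMIC fingerprinting: {sorted(wmic_classes[pid])}")
        if pid in tasklist:
            reasons.append("tasklist process enumeration")
        if c2[pid]:
            reasons.append(f"exfil to {len(c2[pid])} webhook/bot URL(s)")
        if reasons:
            findings[pid] = reasons
    return findings
```

Feed it real Sysmon Event ID 1 command lines and proxy URLs with the same keys and the threshold keeps one-off `wmic os` queries from paging anyone.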

Indicators of Compromise

  • [MD5] Compiled Malware – 7b026e20696754040ff390afa8356b6b, 5ade6e0edac7caf4c1913d717009f954, and 2 more hashes (as listed in the IOCs table).
  • [SHA1] Compiled Malware – 4949588f7ee9ce7bc4a8408982865e1a5192284c, 6b871b4522ab28435635aeb316b47254c4e20ea7, and 2 more hashes.
  • [SHA256] Compiled Malware – 094e9745af4bf22f6ce77e3f23b722edd03e447f3810ee66de64cf5ce32f1a9e, 1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d, and 2 more hashes.
  • [SHA256] Builder – ca63867458c6dbd78c68612106068ee6dd786852fc6c7bb488840045d983c134, and 2 more hashes.
  • [MD5] Builder – 8efb75694b0150fd63d1e097b0340048, and 1 more hash.
  • [MD5] RAT used with Blank Grabber – e1c8233b71f5b4befa0605a036c2439f, and 1 more hash.
  • [Other] RATs/Associated Files – 3c1ed3b56c662706f8817e62cd2f9c4466596d9a, 7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8 (example hashes for RATs associated with Blank Grabber).

Read more: https://www.cyfirma.com/outofband/blank-grabber-returns-with-high-evasiveness/