Blank Grabber Returns With High Evasiveness – CYFIRMA

Published On : 2023-07-06

Blank Grabber Returns With High Evasiveness

EXECUTIVE SUMMARY

The CYFIRMA research team has identified an infostealer builder known as ‘Blank Grabber’ while monitoring threat actor discussions. It was released in 2022 and has been updated frequently since, with 85 contributions to the project in the last month alone. The infostealer targets Windows operating systems and possesses a wide range of capabilities aimed at stealing sensitive information from unsuspecting users (including Discord tokens, Steam and Epic sessions, browser data such as passwords, cookies, and history, as well as various other credentials and system information). The tool is also equipped with features to evade detection, disable security measures, and maintain persistence on compromised systems. Once deployed, Blank Grabber can result in unauthorized access and theft of valuable information, including user credentials, intellectual property, and sensitive data, with potential damage including financial losses, reputational harm, and compromised business operations.

INTRODUCTION

Blank Grabber was being vouched for by an experienced black hat malware developer/reverse engineer, who is a part of the “Stealer Developers” community. The developer of this infostealer has kept the project ‘open source’, which means that the priority of the operator is developing a reputation in the industry, rather than financial gains. The CYFIRMA research team has noted that threat actors have added this infostealer to their malware arsenal and are launching campaigns in the wild to compromise suitable targets. In this research report, we will talk about the capabilities of this malware and what organizations must do to proactively prevent these threats.

KEY FINDINGS

  • The malware builder is written in Python 3, and the compiled malware is written in C++.
  • The malware stub is often found using open-source python obfuscators to evade detection.
  • As more people have utilized the technology, Blank Grabber has evolved and become far more sophisticated, with feature additions improving its scope.
  • The developer is also considering enabling the infostealer to harvest WhatsApp data.
  • The infostealer is being maintained by multiple developers, including but not limited to the creator of the project that goes by the alias “Blank” and the admin of BlackForums that goes by the alias “Astounding”.
  • We noticed the abuse of services such as webhook[.]site, Discord and Telegram as C2s to log HTTP requests and subsequently exfiltrate data. The fact that no VPS is required by the malware makes it a highly lucrative alternative for many emerging threat actors.
  • The malware uses the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.
  • We have observed that Blank Grabber is being distributed to end users through GitHub repositories that specifically target gamers: https://github.com/axstlinn/CELESTIAL-INJECTOR, https://github.com/theDEVVV/fps-booster-for-all-games.

BUILDER PANEL

The builder code is a batch script that checks for the presence of Python and several Python libraries and installs them if they are not found. The script then starts the Python script gui.py (the builder GUI).

Upon execution, the infostealer harvests all the data, compresses it and sends it over to the C2 as a password protected .rar file that has a hardcoded password.

Below are some of the key features of the infostealer:

  • GUI Builder.
  • UAC Bypass.
  • Custom Icon.
  • Runs On Startup.
  • Disables Windows Defender.
  • Anti-VM.
  • Blocks AV-Related Sites.
  • Melt Stub.
  • Fake Error.
  • EXE Binder.
  • Obfuscated Stub.
  • Discord Injection.
  • Grabs Discord Tokens.
  • Grabs Steam Session.
  • Grabs Epic Sessions.
  • Grabs Passwords from Multiple Browsers.
  • Grabs Cookies from Multiple Browsers.
  • Grabs History from Multiple Browsers.
  • Grabs Minecraft Session Files.
  • Grabs Telegram Session Files.
  • Grabs Wallets.
  • Grabs Roblox Cookies.
  • Grabs IP Information.
  • Grabs System Info.
  • Grabs Saved Wi-Fi Passwords.
  • Steals Common Files.
  • Captures Screenshot of all the Displays.
  • Captures Webcam Image.
  • Sends All Data Through Discord Webhooks/Telegram Bot.

ETLM

Threat Actor Profile: The operators behind the Blank Grabber infostealer are advanced and skilled malware developers, possessing a deep understanding of evasion techniques and data exfiltration methods. Their motivation is likely to build a rapport within the cybercriminal community as an entry strategy to a larger threat actor group.

Threat Landscape: The threat landscape for information stealers like Blank Grabber is evolving and increasingly sophisticated. Cybercriminals continuously develop and distribute such tools to exploit vulnerabilities in systems and applications. The widespread use of social engineering, phishing, and malware distribution techniques amplifies the risk of users inadvertently downloading and executing such stealers. Threat actors may leverage underground markets and forums to sell stolen information or use it for further malicious activities. The infostealer is being maintained by multiple developers, including the creator using the alias “Blank” and a developer/admin of BlackForums, known as “Astounding”. It is worth noting that a black hat group known as “Threatsec” is affiliated with BlackForums, so it is likely that they have employed this stealer in their malware arsenal.

Victimology: As the malware has been gifted to the cybercriminal community by the developers, absolutely anyone is able to deploy it. Threat actors are already using the infostealer for exfiltrating data from unsuspecting users, as well as binding it with their own malware.

Note: The CYFIRMA team was able to obtain the RAT discussed above. At the time of analysis the malware was detected by only 1 out of 69 AV vendors. Refer to the IOCs section for the hash values of the RAT.

DIAMOND MODEL

Impact Assessment: The impact of the Blank Grabber infostealer can be severe for organizations. It has the potential to compromise sensitive information, including user credentials, intellectual property, and financial data. The theft of such information can lead to financial losses, reputational damage, regulatory non-compliance, and legal consequences. Additionally, the deployment of the stealer can disrupt business operations, compromise network security, and undermine customer trust. Timely detection, effective incident response, and preventive measures are crucial to minimizing the impact of such threats.

CONCLUSION

The Blank Grabber infostealer represents a significant and evolving threat in today’s external threat landscape. Its advanced capabilities (including data exfiltration, system compromise, and evasion techniques) pose a grave risk to organizations and individuals alike, and the implications of falling victim are severe, from financial losses and reputational damage, to legal consequences and compromised business operations. Mitigating this threat requires a multi-faceted approach, including robust endpoint protection, employee awareness training, secure configurations, and incident response planning. Continual vigilance, proactive security measures, and staying informed about emerging threats are essential in safeguarding against infostealers like the Blank Grabber.

IOCs

No. Indicator Type Comments
1 7b026e20696754040ff390afa8356b6b md5 Compiled Malware
2 4949588f7ee9ce7bc4a8408982865e1a5192284c sha1 Compiled Malware
3 094e9745af4bf22f6ce77e3f23b722edd03e447f3810ee66de64cf5ce32f1a9e sha256 Compiled Malware
4 5ade6e0edac7caf4c1913d717009f954 md5 Compiled Malware
5 6b871b4522ab28435635aeb316b47254c4e20ea7 sha1 Compiled Malware
6 1196c0ab10592a87191900cafe69b19e6c44f16252236d9290d5b63747876b4d sha256 Compiled Malware
7 8efb75694b0150fd63d1e097b0340048 md5 Builder
8 40c06827cb7aab0287ac60b2d884521ebdc87cf2 sha1 Builder
9 ca63867458c6dbd78c68612106068ee6dd786852fc6c7bb488840045d983c134 sha256 Builder
10 e1c8233b71f5b4befa0605a036c2439f md5 RAT used with Blank Grabber
11 3c1ed3b56c662706f8817e62cd2f9c4466596d9a sha1 RAT used with Blank Grabber
12 7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8 sha256 RAT used with Blank Grabber

SIGMA RULE(S)

1. Detects any attempts by malware to perform reconnaissance about security products using Wmic.EXE

title: Product Reconnaissance via Wmic.EXE
status: experimental
description: Detects the execution of WMIC in order to get a list of firewall and antivirus software
author: CYFIRMA_RESEARCH
date: 2023/07/06
tags:
  - attack.execution
  - attack.t1047
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\wmic.exe'
    - OriginalFileName: 'wmic.exe'
  selection_cli:
    CommandLine|contains: 'Product'
  condition: all of selection_*
falsepositives:
  - Unknown
level: medium

2. Detects any attempts by malware to disable Windows Defender Functionalities via Registry Keys

title: Disable Windows Defender Functionalities Via Registry Keys
status: experimental
description: Detects when attackers or tools disable Windows Defender functionalities via the windows registry
date: 2022/08/01
modified: 2023/05/10
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  product: windows
  category: registry_set
detection:
  selection_main:
    EventType: SetValue
    TargetObject|contains:
      - '\SOFTWARE\Microsoft\Windows Defender'
      - '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
      - '\SOFTWARE\Policies\Microsoft\Windows Defender'
  selection_dword_1:
    TargetObject|endswith:
      - '\DisableAntiSpyware'
      - '\DisableAntiVirus'
      - '\Real-Time Protection\DisableBehaviorMonitoring'
      - '\Real-Time Protection\DisableIntrusionPreventionSystem'
      - '\Real-Time Protection\DisableIOAVProtection'
      - '\Real-Time Protection\DisableOnAccessProtection'
      - '\Real-Time Protection\DisableRealtimeMonitoring'
      - '\Real-Time Protection\DisableScanOnRealtimeEnable'
      - '\Real-Time Protection\DisableScriptScanning'
      - '\Reporting\DisableEnhancedNotifications'
      - '\SpyNet\DisableBlockAtFirstSeen'
    Details: 'DWORD (0x00000001)'
  selection_dword_0:
    TargetObject|endswith:
      - '\App and Browser protection\DisallowExploitProtectionOverride'
      - '\Features\TamperProtection'
      - '\MpEngine\MpEnablePus'
      - '\PUAProtection'
      - '\Signature Update\ForceUpdateFromMU'
      - '\SpyNet\SpynetReporting'
      - '\SpyNet\SubmitSamplesConsent'
      - '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
    Details: 'DWORD (0x00000000)'
  condition: selection_main and 1 of selection_dword_*
falsepositives:
  - Administrator actions via the Windows Defender interface
level: high
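To show what the two rules above actually fire on, the following is an added Python evaluator (not part of the CYFIRMA report or of any Sigma tooling) that implements the endswith/contains modifiers and the two conditions, then runs them over constructed Sysmon-style events. Rule 2 is represented with only a subset of its TargetObject lists to keep the block short; the events are made up for the demonstration.

```python
def field_match(event, key, pattern):
    """One 'Field|modifier: value' pair; Sigma string matching is case-insensitive."""
    field, _, mod = key.partition("|")
    actual, pattern = str(event.get(field, "")).lower(), str(pattern).lower()
    if mod == "endswith":
        return actual.endswith(pattern)
    if mod == "contains":
        return pattern in actual
    return actual == pattern                     # no modifier: exact match

def selection_match(event, selection):
    """A mapping ANDs its fields (a list value is an OR); a list of mappings is an OR."""
    if isinstance(selection, list):
        return any(selection_match(event, item) for item in selection)
    for key, value in selection.items():
        values = value if isinstance(value, list) else [value]
        if not any(field_match(event, key, v) for v in values):
            return False
    return True

# Rule 1 as printed above; its condition is 'all of selection_*'.
WMIC_RULE = {"selection_img": [{"Image|endswith": "\\wmic.exe"}, {"OriginalFileName": "wmic.exe"}],
             "selection_cli": {"CommandLine|contains": "Product"}}

def wmic_product_recon(event):
    return all(selection_match(event, sel) for sel in WMIC_RULE.values())

# Rule 2 (subset of its key lists); condition is 'selection_main and 1 of selection_dword_*'.
DEFENDER_MAIN = {"EventType": "SetValue",
                 "TargetObject|contains": ["\\SOFTWARE\\Microsoft\\Windows Defender",
                                           "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"]}
DEFENDER_DWORD = [
    {"TargetObject|endswith": ["\\DisableAntiSpyware", "\\DisableAntiVirus",
                               "\\Real-Time Protection\\DisableRealtimeMonitoring"],
     "Details": "DWORD (0x00000001)"},
    {"TargetObject|endswith": ["\\Features\\TamperProtection", "\\PUAProtection"],
     "Details": "DWORD (0x00000000)"}]

def defender_tamper(event):
    return selection_match(event, DEFENDER_MAIN) and selection_match(event, DEFENDER_DWORD)

# Constructed Sysmon-style events (EID 1 process creation, EID 13 registry value set); not real telemetry.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get Caption"},                                   # benign: no 'Product'
    {"EventType": "SetValue", "Details": "DWORD (0x00000001)",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"},
    {"EventType": "SetValue", "Details": "DWORD (0x00000000)",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection"},
    {"EventType": "SetValue", "Details": "DWORD (0x00000000)",                # value re-enables: no hit
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"},
]

def alerts(events):
    """Name of the rule that fires for each event, or None."""
    return ["wmic_product_recon" if wmic_product_recon(e) else
            "defender_tamper" if defender_tamper(e) else None for e in events]
```

Running `alerts(EVENTS)` yields a hit for the first, third and fourth events only; the last event sets the same Defender key to 0, which is why the `Details` value is part of each `selection_dword_*` block.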

MITRE MAPPING

Sr. No / Tactics / Techniques / Procedures

1 TA0002 - Execution
    T1047: Windows Management Instrumentation
  • Queries BIOS information (via WMI, Win32_Bios)
  • Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  • Writes or reads registry keys via WMI
  • Queries sensitive operating system information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
  • Queries process information (via WMI, Win32_Process)
  • Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
  • Checks if an antivirus program is installed (via WMI)
    T1059: Command and Scripting Interpreter
  • Uses command line tools excessively to alter registry or file data
  • Accepts command line arguments
  • Very long command line option found, which is very uncommon (may be encrypted or packed)
    T1129: Shared Modules
  • Links functions at runtime on Windows
  • Links many functions at runtime
  • Parses the PE header
2 TA0003 - Persistence
    T1574.002: DLL Side-Loading
  • Tries to load missing DLLs
3 TA0004 - Privilege Escalation
    T1574.002: DLL Side-Loading
  • Tries to load missing DLLs
4 TA0005 - Defense Evasion
    T1027: Obfuscated Files or Information
  • Encodes data using XOR
  • Sample is packed with UPX
  • Binary may include packed or encrypted data
    T1027.002: Software Packing
  • PE file has a section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
  • Sample is packed with UPX
  • Binary may include packed or encrypted data
    T1070.006: Timestomp
  • Binary contains a suspicious timestamp
    T1112: Modify Registry
  • Uses reg.exe to modify the Windows registry
    T1497: Virtualization/Sandbox Evasion
  • Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  • Queries sensitive operating system information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
  • May sleep (evasive loops) to hinder dynamic analysis
  • Contains long sleeps (>= 3 min)
  • Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
  • Contains medium sleeps (>= 30 s)
    T1562.001: Disable or Modify Tools
  • Uses netsh to modify the Windows network and firewall settings
  • Adds a directory exclusion to Windows Defender
    T1574.002: DLL Side-Loading
  • Tries to load missing DLLs
5 TA0006 - Credential Access
    T1003: OS Credential Dumping
  • Tries to harvest and steal browser information (history, passwords, etc.)
    T1056: Input Capture
  • Creates a DirectInput object (often used for capturing keystrokes)
6 TA0007 - Discovery
    T1010: Application Window Discovery
  • Sample monitors window changes (e.g. starting applications)
    T1016: System Network Configuration Discovery
  • Checks the online IP address of the machine
    T1018: Remote System Discovery
  • Reads the hosts file
    T1057: Process Discovery
  • Queries a list of all running processes
  • Uses tasklist.exe to query information about running processes
    T1082: System Information Discovery
  • Queries BIOS information (via WMI, Win32_Bios)
  • Queries environment variables
  • Gets disk information
  • Queries sensitive operating system information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
  • Queries process information (via WMI, Win32_Process)
  • Queries the cryptographic machine GUID
  • Reads software policies
  • Queries the volume information (name, serial number, etc.) of a device
  • Uses systeminfo.exe to query system information
    T1083: File and Directory Discovery
  • Gets common file paths
  • Gets file sizes
  • Enumerates files on Windows
  • Reads .ini files
    T1497: Virtualization/Sandbox Evasion
  • Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  • Queries sensitive operating system information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
  • May sleep (evasive loops) to hinder dynamic analysis
  • Contains long sleeps (>= 3 min)
  • Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
  • Contains medium sleeps (>= 30 s)
    T1518.001: Security Software Discovery
  • Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  • Queries sensitive operating system information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
  • AV process strings found (often used to terminate AV products)
  • May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  • Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
  • Checks if an antivirus program is installed (via WMI)
7 TA0009 - Collection
    T1005: Data from Local System
  • Found many strings related to crypto-wallets (likely being stolen)
  • Tries to harvest and steal browser information (history, passwords, etc.)
    T1056: Input Capture
  • Creates a DirectInput object (often used for capturing keystrokes)
    T1115: Clipboard Data
  • Creates a window with clipboard capturing capabilities
8 TA0011 - Command and Control
    T1071: Application Layer Protocol
  • Downloads files from web servers via HTTP
  • Performs DNS lookups
  • Uses HTTPS
    T1095: Non-Application Layer Protocol
  • Downloads files from web servers via HTTP
  • Performs DNS lookups
    T1105: Ingress Tool Transfer
  • Downloads files from web servers via HTTP
    T1573: Encrypted Channel
  • Uses HTTPS for network communication

HOW TO RECOVER?

  • Change all of the passwords that you had stored on your PC.
  • Go to the common startup directory by pressing Win + R to open the Run dialog box and typing shell:common startup into it. Delete all files you see there with the .scr extension (you may want to enable showing file extensions for this).
  • Open the Local folder by typing %localappdata% into the Run dialog box. Delete any folder whose name contains the word “discord” and then reinstall Discord.
  • Check whether your AV sites have been blocked by going here. If you cannot access this site, your access is blocked. If so, follow this (you will need to install Python for this).
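The recovery steps above, turned into an added audit script (not from the CYFIRMA report) that reports what it finds and only deletes when asked. It takes the three locations as parameters so it can be exercised on a constructed sample tree; `windows_defaults()` resolves the real shell:common startup, %localappdata% and hosts-file paths. The hosts-file check assumes the “AV sites blocked” symptom is produced by hosts-file sinkhole entries, which the report does not state explicitly.

```python
import os
import shutil
import tempfile
from pathlib import Path

def _children(path):
    p = Path(path)
    return list(p.iterdir()) if p.is_dir() else []      # missing folder: nothing to audit

def find_startup_scr(startup_dir):
    """.scr files in the common startup folder (report step 2)."""
    return sorted(str(f) for f in _children(startup_dir) if f.is_file() and f.suffix.lower() == ".scr")

def find_discord_dirs(localappdata):
    """Folders under %localappdata% whose name contains 'discord' (report step 3)."""
    return sorted(str(d) for d in _children(localappdata) if d.is_dir() and "discord" in d.name.lower())

def suspicious_hosts_entries(hosts_text):
    """hosts lines sinkholing a non-localhost name to 0.0.0.0/127.0.0.1 (step 4; hosts-file assumption)."""
    hits = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()            # strip comments, tokenize
        if len(parts) < 2 or parts[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        if any(n.lower() not in ("localhost", "localhost.localdomain") for n in parts[1:]):
            hits.append(" ".join(parts))
    return hits

def audit(startup_dir, localappdata, hosts_path, remove=False):
    """Report findings; delete the .scr files and discord folders only when remove=True."""
    findings = {"startup_scr": find_startup_scr(startup_dir),
                "discord_dirs": find_discord_dirs(localappdata), "hosts": []}
    try:
        findings["hosts"] = suspicious_hosts_entries(Path(hosts_path).read_text(errors="replace"))
    except OSError:
        pass                                             # unreadable hosts file: nothing to report
    if remove:
        for f in findings["startup_scr"]:
            os.remove(f)
        for d in findings["discord_dirs"]:
            shutil.rmtree(d)                             # reinstall Discord afterwards, per the report
    return findings

def windows_defaults():                                  # real locations on a Windows host
    return (os.path.join(os.environ.get("ProgramData", r"C:\ProgramData"),
                         r"Microsoft\Windows\Start Menu\Programs\StartUp"),
            os.environ.get("LOCALAPPDATA", ""),
            os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), r"System32\drivers\etc\hosts"))

def build_demo_tree():
    """Constructed sample tree (not real data) so the audit can be tried on any OS."""
    root = tempfile.mkdtemp()
    startup, local = os.path.join(root, "StartUp"), os.path.join(root, "Local")
    for d in (startup, os.path.join(local, "Discord"), os.path.join(local, "Google")):
        os.makedirs(d)
    for name in ("update.scr", "readme.txt"):
        open(os.path.join(startup, name), "w").close()
    hosts = os.path.join(root, "hosts")
    with open(hosts, "w") as fh:
        fh.write("127.0.0.1 localhost\n# comment\n0.0.0.0 www.av-vendor.example\n")
    return startup, local, hosts
```

On a real machine run `audit(*windows_defaults())` first as a dry run, then with `remove=True` once the findings have been reviewed.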

RECOMMENDATIONS

Tactical:

  • Endpoint Protection: Deploy and regularly update robust endpoint protection solutions with real-time threat detection capabilities. This includes antivirus, anti-malware, and host intrusion prevention systems (HIPS). Ensure that these tools are configured to scan for known indicators of compromise (IOCs) associated with Blank Grabber.
  • Network Monitoring: Implement network monitoring solutions that can detect unusual or suspicious network traffic patterns. This helps in identifying potential data exfiltration attempts by the Blank Grabber. Intrusion detection and prevention systems (IDPS) can also be employed to detect and block malicious activities.
  • Web Filtering: Employ web filtering solutions that block access to known malicious websites and domains associated with the Blank Grabber and similar threats. Regularly update the web filtering rules to stay protected against emerging threats.

Strategic:

  • Threat Intelligence: Establish relationships with trusted threat intelligence providers to receive timely updates on emerging threats, including information related to the Blank Grabber. Leverage this intelligence to enhance security controls and proactively identify potential risks.
  • Vulnerability Management: Implement a comprehensive vulnerability management program to regularly scan and patch systems, applications, and software. Keep abreast of vendor security advisories to address known vulnerabilities that could be exploited by Blank Grabber.
  • Security Training and Awareness: Conduct regular security awareness programs to educate employees about the risks associated with social engineering, phishing attacks, and the use of malicious software. Foster a culture of security consciousness and ensure employees understand their role in safeguarding sensitive information.

Management:

  • Incident Response Planning: Develop and regularly update an incident response plan specific to dealing with data breaches and malware incidents. Define roles and responsibilities, establish communication channels, and conduct regular tabletop exercises to test the effectiveness of the plan.
  • Security Governance: Establish a robust security governance framework that includes policies, standards, and procedures to govern the organization’s security posture. This framework should cover areas such as access control, data classification, encryption, and third-party risk management.
  • Regular Auditing and Testing: Conduct regular security audits, vulnerability assessments, and penetration testing to identify potential vulnerabilities and weaknesses in the organization’s defenses. This enables proactive remediation of security gaps and ensures ongoing security resilience.

Source: https://www.cyfirma.com/outofband/blank-grabber-returns-with-high-evasiveness/