BlankGrabber Stealer Uses Fake Certificate to Evade Detection in Sophisticated Malware Attack

BlankGrabber Stealer Employs Fake Certificate Loader to Conceal Malware Delivery Chain

A Python-based information stealer known as BlankGrabber has been observed using a loader disguised as a certificate installation script to hide a multi-stage delivery chain. First documented in 2023, BlankGrabber has continued to evolve and is still being pushed at unsuspecting users through popular online platforms.

Comprehensive Data Theft Capabilities

BlankGrabber is built to pull a wide range of sensitive data off a compromised system: browser credentials and session tokens, saved passwords, clipboard contents, Wi-Fi passwords, cryptocurrency wallet data, screenshots, and webcam snapshots. Its modular design lets operators pick which of these modules a given build carries, and its rapid release cadence means signatures written for one build often miss the next, which is why many signature-based security products fail to catch it.

Sophisticated Infection Mechanism

Security analysts at Splunk uncovered a BlankGrabber loader hosted on the Gofile[.]io file-sharing platform. What looked like a standard certificate installation script turned out to be a multi-layer infection mechanism. The loader abused `certutil.exe`, a legitimate Windows utility that can base64-decode a file, to decode content formatted to look like certificate data. The decoded content was not a certificate at all but a compiled Rust-based stager whose job is to decrypt and execute the final malicious payload.

Distribution Tactics

BlankGrabber primarily spreads through social engineering and phishing campaigns. Attackers distribute the malware via counterfeit cracked software downloads, malicious archives shared on platforms like Discord, and fraudulent GitHub repositories that mimic legitimate utilities. Once a user executes the file, the infection chain initiates silently in the background, employing multiple obfuscation layers to evade detection by security tools.

Potential Impact on Victims

A successful BlankGrabber infection can have severe consequences. Victims risk losing access to browser accounts, financial platforms, and personal files. Additionally, the malware deploys XWorm alongside itself, granting attackers both data theft capabilities and persistent remote control over the compromised machine.

Deceptive Infection Mechanism and Detection Evasion

The infection process begins with a batch file loader that uses `certutil.exe` to decode content resembling certificate data. The decoded output is a compiled Rust stager. On execution, the stager runs a series of environment checks, comparing the system's installed drivers, username, and computer name against a hardcoded list of sandbox identifiers such as Triage, Zenbox, and Sandbox. If any of them match, the stager terminates rather than expose the payload to an analysis environment.
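The certutil step described here and in the Splunk findings above is easy to reproduce and, more usefully, easy to check for. The Python below is an added example, not code from the Splunk write-up or from the BlankGrabber loader: it wraps a constructed PE-shaped blob in certificate armor the way the loader's "certificate" file does, decodes it the way `certutil -decode` would, and then applies two checks a practitioner would want. The first looks at what actually came out of the decode (a DER certificate starts with an ASN.1 SEQUENCE byte, an executable starts with `MZ` and points at a `PE\0\0` signature); the second flags certutil command lines that use its file-decoding verbs rather than its certificate-store ones. The sample blob, the PEM text, and the command lines are all constructed for the example.

```python
import base64
import re

# --- Constructed sample inputs; none of this is the real loader's content ---
# A minimal PE-shaped blob: "MZ" DOS header, e_lfanew at offset 0x3C pointing
# to a "PE\0\0" signature at offset 0x40. Enough for header checks, not runnable.
FAKE_PE = (b"MZ" + b"\x90" * 58 + (0x40).to_bytes(4, "little")
           + b"PE\x00\x00" + b"\x00" * 20)


def pem_wrap(raw: bytes) -> str:
    """Armor arbitrary bytes so the file looks like a certificate on disk."""
    b64 = base64.b64encode(raw).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(re.findall(r".{1,64}", b64))
            + "\n-----END CERTIFICATE-----\n")


FAKE_CERT_TEXT = pem_wrap(FAKE_PE)
# For contrast, something shaped like a DER certificate (ASN.1 SEQUENCE with a
# two-byte length, i.e. 0x30 0x82 ...). A constructed prefix, not a valid cert.
DER_LIKE_TEXT = pem_wrap(b"\x30\x82\x01\x00" + b"\x00" * 256)


def certutil_decode(text: str) -> bytes:
    """Reproduce what `certutil -decode in.txt out.bin` does: drop the
    -----BEGIN/END----- armor lines and base64-decode whatever is left."""
    body = "".join(line.strip() for line in text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def classify_decoded(blob: bytes) -> str:
    """Tell a DER certificate apart from an executable hiding in cert armor."""
    if blob[:1] == b"\x30":          # ASN.1 SEQUENCE: what a real cert starts with
        return "der-certificate"
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
        if blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe-executable"
        return "mz-stub"
    return "unknown"


# certutil verbs that read or write arbitrary files. Certificate-store verbs
# such as -verify, -store or -dump are left alone to keep the check quiet.
SUSPICIOUS_VERBS = {"-decode", "-decodehex", "-encode", "-urlcache"}


def suspicious_certutil(cmdline: str) -> bool:
    """Flag a process command line that drives certutil as a file decoder."""
    argv = cmdline.split()
    if not argv:
        return False
    exe = argv[0].strip('"').lower()
    if not (exe == "certutil" or exe.endswith("certutil.exe")):
        return False
    return any(arg.lower() in SUSPICIOUS_VERBS for arg in argv[1:])


if __name__ == "__main__":
    print("fake cert decodes to:", classify_decoded(certutil_decode(FAKE_CERT_TEXT)))
    print("DER-like text decodes to:", classify_decoded(certutil_decode(DER_LIKE_TEXT)))
    print(suspicious_certutil(r"certutil -decode %TEMP%\cert.txt %TEMP%\svc.exe"))
```

The content check is the one that survives renaming: a loader can call its file `install.cer` and pass it through any BEGIN/END header it likes, but the bytes certutil writes out still start with `MZ`. The command-line check is cheap to run over process-creation telemetry and pairs naturally with a follow-on rule for whatever `certutil -decode` wrote being executed next.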

Once the stager is satisfied it is on a real victim machine, it drops a self-extracting RAR archive into the `%TEMP%` folder. The archive carries two malicious files: the XWorm remote access client (`host.exe`) and the BlankGrabber stealer (`Knock.exe`). To blend in, the dropped archive is given a lookalike name chosen to resemble a legitimate Windows or application component, such as `OneDriveUpdateHelper.exe` or `SteamService.exe`.

The BlankGrabber payload is packed with PyInstaller, which bundles the original Python code and a Python runtime into a standalone executable. Inside the bundle is an encrypted file named `blank.aes` that holds the actual payload. A customized AES-GCM routine with a hardcoded key and initialization vector decrypts this file at runtime, after which a second-stage script named `stub-o.pyc` is executed and the infection proceeds. Because the key and IV are hardcoded, an analyst who recovers them from the bundle can decrypt `blank.aes` statically rather than having to run the sample.
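The PyInstaller packaging described above is what an analyst has to get past before `blank.aes` can even be pulled out. The following Python is added here as an illustration and is not code from the Splunk write-up, from PyInstaller, or from BlankGrabber: it builds a minimal PyInstaller-style onefile binary (the appended CArchive overlay with its trailing 88-byte cookie, the layout used by PyInstaller 2.1 and later), then parses that trailer the way a triage tool such as pyinstxtractor does, listing every embedded entry and flagging the encrypted blob and the entry-point script an analyst would pull next. The fake bootloader stub, the entry names and contents, and the `python311.dll` pylib string are constructed for the example; only the trailer and TOC formats are PyInstaller's.

```python
import struct
import zlib

# PyInstaller CArchive trailer layout (PyInstaller 2.1 and later): the packed
# payload is appended to the bootloader as an overlay that ends with an 88-byte
# cookie. All integers are big-endian.
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"   # magic, package length, TOC offset, TOC length, Python version, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)    # 88
TOC_FMT = "!iIIIBc"         # entry length, data offset, compressed size, uncompressed size, compressed?, type code
TOC_HDR = struct.calcsize(TOC_FMT)           # 18
# Type codes that matter here: 'z' PYZ archive, 's' entry-point script, 'x' plain data, 'b' binary.


def build_archive(stub: bytes, entries: list, pyver: int = 311) -> bytes:
    """Assemble stub + data blobs + TOC + cookie. Constructed for this example;
    the real PyInstaller build writes the same trailer."""
    data, toc = b"", b""
    for name, type_code, compress, content in entries:
        blob = zlib.compress(content) if compress else content
        name_b = name.encode() + b"\x00"
        entry_len = TOC_HDR + len(name_b)
        entry_len += (16 - entry_len % 16) % 16   # PyInstaller pads each entry to 16 bytes
        hdr = struct.pack(TOC_FMT, entry_len, len(data), len(blob), len(content),
                          int(compress), type_code)
        toc += (hdr + name_b).ljust(entry_len, b"\x00")
        data += blob
    package_len = len(data) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, package_len, len(data), len(toc),
                         pyver, b"python311.dll")
    return stub + data + toc + cookie


def parse_archive(blob: bytes) -> list:
    """Locate the cookie, walk the TOC and return the decompressed entries."""
    # The bootloader carries its own copy of MAGIC (it uses it to find the
    # cookie at runtime), so the real cookie is the LAST occurrence in the file.
    cookie_pos = blob.rfind(MAGIC)
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    _, package_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_SIZE])
    overlay = cookie_pos + COOKIE_SIZE - package_len   # where the appended package starts
    toc = blob[overlay + toc_off:overlay + toc_off + toc_len]
    entries, pos = [], 0
    while pos < len(toc):
        entry_len, off, csize, usize, compressed, type_code = struct.unpack(
            TOC_FMT, toc[pos:pos + TOC_HDR])
        name = toc[pos + TOC_HDR:pos + entry_len].rstrip(b"\x00").decode()
        raw = blob[overlay + off:overlay + off + csize]
        entries.append({
            "name": name, "type": type_code.decode(), "size": usize,
            "pyver": pyver, "pylib": pylib.rstrip(b"\x00").decode(),
            "data": zlib.decompress(raw) if compressed else raw,
        })
        pos += entry_len
    return entries


def triage(entries: list) -> list:
    """What to pull first from a suspected BlankGrabber build: the encrypted
    payload blob and the entry-point script that decrypts it."""
    findings = []
    for e in entries:
        if e["name"].lower().endswith(".aes"):
            findings.append(f"encrypted payload: {e['name']} ({e['size']} bytes)")
        elif e["type"] == "s":
            findings.append(f"entry-point script: {e['name']} (Python {e['pyver']})")
    return findings


# Constructed sample binary: a fake bootloader stub that, like the real one,
# contains the magic string; a PYZ blob; the encrypted blank.aes; and a stub-o
# entry script. Contents are placeholders, not the real malware's bytes.
SAMPLE = build_archive(
    b"MZ" + b"\x00" * 64 + MAGIC + b"\x00" * 64,
    [
        ("PYZ-00.pyz", b"z", True, b"PYZ\x00" + b"\x00" * 40),
        ("blank.aes", b"x", False, bytes(range(256))),
        ("stub-o", b"s", True, b"import blank_decrypt  # placeholder for the real stub\n"),
    ],
)

if __name__ == "__main__":
    for e in parse_archive(SAMPLE):
        print(f"{e['type']}  {e['name']:<12} {e['size']:>5} bytes")
    for line in triage(parse_archive(SAMPLE)):
        print("!", line)
```

Two things the parser does deliberately: it takes the last occurrence of the magic string, because the bootloader embeds the same bytes and a naive `find` lands on that copy instead of the cookie; and it computes the overlay start from the package length in the cookie rather than assuming the package begins right after the PE, which is what keeps it working when something has been appended or the bootloader is an unfamiliar build. With `blank.aes` and the script entry in hand, the next step is recovering the hardcoded key and IV from the script and decrypting the blob.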

Broader Context: Abuse of Code-Signing Certificates

The BlankGrabber loader does not sign anything; it borrows only the appearance of certificate data so that `certutil.exe` will decode its payload. It still belongs to a broader pattern in which attackers trade on the trust placed in certificate machinery. At the other end of that pattern, the operators of Lumma Stealer and Rhadamanthys Stealer have been observed signing their malware with genuine code-signing certificates, so that the binaries pass as trustworthy and see markedly lower detection rates from security products. Both tricks defeat checks that stop at the certificate, which is why endpoint detection has to look past it: behavior monitoring of what a process does after certutil runs, and in-memory scanning of what a signed binary actually loads.

Conclusion

BlankGrabber shows how much of modern malware delivery is disguise rather than novel exploitation: a payload dressed up as certificate data, a built-in Windows tool used as the decoder, a stager that refuses to run in a sandbox, and dropped files named after familiar updaters. Defending against it means not trusting any single appearance, whether a certificate header or a signed binary, and pairing user education with vigilant monitoring and detection that watches behavior on the endpoint.