BlankGrabber’s Evolving Threat: An In-Depth Analysis of Its New Techniques
The operators behind BlankGrabber have adopted a new delivery chain that hides a loader inside a fabricated “certificate”, producing a more intricate and stealthy infection process that mixes Rust and Python code. The change makes this commodity stealer noticeably harder to detect on Windows endpoints.
Advanced Evasion Tactics
BlankGrabber’s latest delivery chain relies on built-in Windows tools, notably certutil.exe, combined with heavily obfuscated PyInstaller stubs. The chain is built for stealth, using covert exfiltration through Telegram and various public web services, and is designed to evade both the static and the behavioral detection mechanisms typically used by antivirus products.
On first inspection, the malicious script appears to decode data and use certutil.exe to install what looks like a legitimate Windows certificate. Closer scrutiny shows that the supposedly benign installation is a ruse: the encoded data is actually a compiled Rust executable that acts as a stager, decrypting and executing the real malicious payload.
The Splunk Threat Research Team (STRT) has investigated recent BlankGrabber campaigns and found that they often start with a batch script hosted on Gofile.io, a file-sharing service. This initial step sets up the subsequent infection stages. The Rust stager, crafted to pass as certificate data, reveals its purpose only once it is executed in memory.
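The defender’s question at this stage is whether the “certificate” that certutil.exe is asked to decode is a certificate at all. The following Python is an added example, not code from the article or from Splunk: it pulls each PEM-armored block out of a text file, base64-decodes it, and checks whether the bytes begin with an ASN.1 SEQUENCE (as a DER certificate does) or with an MZ header whose e_lfanew field points at a PE signature (as an executable does). The sample inputs are constructed inline; no real sample is used.

```python
from __future__ import annotations

import base64
import re

# PEM armor as certutil -decode accepts it: a BEGIN/END pair around base64 text.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def decode_pem_blocks(text: str) -> list[tuple[str, bytes]]:
    """Return (label, decoded bytes) for every PEM block found in the text."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        raw = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, raw))
    return blocks


def classify_payload(raw: bytes) -> str:
    """Decide what the decoded bytes really are.

    A DER-encoded X.509 certificate begins with an ASN.1 SEQUENCE tag (0x30).
    A Windows executable begins with 'MZ' and stores, at offset 0x3C, the
    offset of its 'PE\\0\\0' signature; a blob that satisfies both is a PE
    file no matter what the PEM label claims.
    """
    if raw[:2] == b"MZ" and len(raw) >= 0x40:
        e_lfanew = int.from_bytes(raw[0x3C:0x40], "little")
        if raw[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe-executable"
        return "mz-header-only"
    if raw[:1] == b"\x30":
        return "der-certificate"
    return "unknown"


def scan_text(text: str) -> list[tuple[str, str]]:
    """(PEM label, classification) per block; any 'pe-executable' is a finding."""
    return [(label, classify_payload(raw)) for label, raw in decode_pem_blocks(text)]


# --- Constructed sample inputs, not taken from any real sample -------------

def build_fake_pe() -> bytes:
    """Minimal MZ/PE header shape: e_lfanew points at 'PE\\0\\0' at offset 0x40."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


FAKE_DER_CERT = b"\x30\x82\x01\x00" + b"\x00" * 256  # SEQUENCE, length 0x100


def to_pem(raw: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap bytes in PEM armor, 64 characters per line, as a loader would."""
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    print("disguised PE :", scan_text(to_pem(build_fake_pe())))
    print("real-shaped  :", scan_text(to_pem(FAKE_DER_CERT)))
```

Run over the file passed to `certutil -decode` (or `-addstore`), a `pe-executable` result for a block labelled CERTIFICATE is the tell; a genuine certificate never decodes to an MZ header. The check is deliberately header-based so it works on a stager before anything is executed.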
Avoiding Detection
To further enhance its stealth, the malware includes anti-sandboxing checks. It looks for signs of automated analysis environments, such as specific driver names, usernames, and computer identifiers that could indicate a sandbox. Strings such as “Triage,” “Sandbox,” and “Malware” cause the malware to stay dormant, so that it is not observed during preliminary analysis.
Once it has confirmed that it is running on a genuine victim system, BlankGrabber creates a self-extracting RAR (SFX) archive in the %TEMP% directory. The archive is camouflaged under innocuous filenames such as OneDriveUpdateHelper.exe or RuntimeBroker.exe so that it blends in with legitimate processes.
The Combination of XWorm and BlankGrabber
Notably, the SFX archive contains multiple components, including an XWorm remote-access client and the PyInstaller-packed BlankGrabber stealer, also known as Knock.exe. Packaging the two together gives attackers remote control and large-scale data theft at once, facilitating lateral movement through victim systems while maintaining operational persistence.
Originally a modified open-source Python infostealer, BlankGrabber uses a graphical user interface (GUI) builder to combine Python code, third-party libraries, and embedded tools into a single executable. According to STRT’s analysis, the PyInstaller bundle conceals an encrypted data blob named "blank.aes," which is decrypted at runtime with a customized AES routine. Decryption reconstructs the next-stage ZIP archive, adding another layer of obfuscation.
Once fully unpacked, the BlankGrabber stealer runs an extensive series of environment checks to determine whether it is inside a virtual machine or a controlled security setup. It examines UUIDs and network adapter vendors, and it connects to random domains: a response from a domain that should not exist indicates a sandbox that simulates internet connectivity.
Targeting Personal Information
The primary goal of BlankGrabber is data theft, which it accomplishes through a range of technical steps. It extracts user information by running commands that gather system data, such as systeminfo and WMI queries, which lets it profile the victim in detail; it also extracts saved Wi-Fi passwords and captures webcam footage.
The stealer parses the databases of popular browsers such as Chromium-based browsers and Firefox to extract passwords, cookies, and other sensitive autofill data. It also reaches into platforms such as Telegram, Discord, Steam, and Epic Games, scrapes crypto-wallet extensions, and collects various documents and credential files. All gathered data is archived with an embedded rar.exe utility, protected with the password "Blank123," before exfiltration.
Evasion and Persistence Mechanisms
BlankGrabber takes aggressive steps to remain undetected and persistent on compromised systems. It modifies the Windows hosts file to block antivirus and security-related websites, disables various Windows Defender protections through PowerShell, and excludes its working directory from Defender scanning.
BlankGrabber also uses a registry-based User Account Control (UAC) bypass to relaunch itself with elevated privileges, and it installs copies of its payload in startup folders so that it survives a reboot.
To help defenders track this malware, Splunk has published analytics that detect behaviors characteristic of BlankGrabber, including unauthorized registry access, suspicious domain queries, and unusual file-access patterns, with particular focus on certutil-associated installations that lead to the deployment of Rust-based binaries.
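Hosts-file tampering of the kind described above is easy to audit, because the stealer has to point vendor domains at a local or null address for the block to work. The following Python is an added example, not the article’s or Splunk’s code: it parses a hosts file, ignores comments, and reports every entry that maps a watch-listed security domain (or a subdomain of one) to a sinkhole address. The hosts content and the small vendor watch list are constructed for the example; a real deployment would carry its own list.

```python
import ipaddress

# Constructed sample hosts file: the usual localhost entries plus two lines of
# the kind a stealer adds to cut the victim off from security vendors.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         virustotal.com
127.0.0.1       www.malwarebytes.com  # sinkholed
"""

# Hypothetical watch list; extend with the vendors that matter to you.
SECURITY_DOMAINS = {"virustotal.com", "malwarebytes.com", "avast.com", "kaspersky.com"}
# Addresses that make a hostname unreachable rather than redirect it somewhere useful.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blank and malformed lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a hosts entry
        for name in names:
            yield ip, name.lower()


def matches_watchlist(hostname):
    """True if the hostname or any parent domain is on the watch list."""
    labels = hostname.split(".")
    return any(".".join(labels[i:]) in SECURITY_DOMAINS for i in range(len(labels)))


def find_sinkholed_security_domains(text):
    """Return (ip, hostname) for every watch-listed name pointed at a sinkhole address."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if ip in SINKHOLE_ADDRS and matches_watchlist(name)]


if __name__ == "__main__":
    # On a live Windows host, read C:\Windows\System32\drivers\etc\hosts instead.
    for ip, name in find_sinkholed_security_domains(SAMPLE_HOSTS):
        print(f"blocked security domain: {name} -> {ip}")
```

The suffix walk in `matches_watchlist` matters: the stealer does not need to block `malwarebytes.com` itself, only the hostnames the product actually contacts, so a check that compares whole names only would miss `www.malwarebytes.com`.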
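The behaviors the article lists map naturally onto process-creation telemetry. The Python below is an added example and is not Splunk’s published analytics: it evaluates four rules over a handful of Sysmon-like process events (certutil decoding or installing a “certificate” that lives in a temp directory, PowerShell adding a Defender exclusion or disabling a protection, a system-process name such as RuntimeBroker.exe running from %TEMP%, and rar.exe run from %TEMP% with an inline password switch). The events, paths and user name are constructed; only the tool names, file names and the archive password come from the article.

```python
import re

# Minimal process-creation events in a Sysmon-like shape. Constructed for this
# example; the paths, user name and command lines are invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\Users\u\AppData\Local\Temp\cert.txt C:\Users\u\AppData\Local\Temp\stage.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Add-MpPreference -ExclusionPath C:\Users\u\AppData\Local\Temp"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\RuntimeBroker.exe",
     "CommandLine": r"C:\Users\u\AppData\Local\Temp\RuntimeBroker.exe"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\rar.exe",
     "CommandLine": r"rar.exe a -r -pBlank123 loot.rar C:\Users\u\AppData\Local\Temp\loot"},
    # Benign look-alikes that the rules must not flag.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\Users\u\Downloads\setup.exe SHA256"},
    {"Image": r"C:\Windows\System32\RuntimeBroker.exe",
     "CommandLine": r"C:\Windows\System32\RuntimeBroker.exe -Embedding"},
]

# User-writable temp locations; the article names %TEMP% as the staging directory.
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
# File names the article says the SFX archive hides behind.
MASQUERADE_NAMES = {"runtimebroker.exe", "onedriveupdatehelper.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_certutil_decode(ev):
    """certutil decoding or installing a 'certificate' that lives in a temp directory."""
    if basename(ev["Image"]) == "certutil.exe":
        cl = ev["CommandLine"].lower()
        if ("-decode" in cl or "-addstore" in cl) and TEMP_RE.search(ev["CommandLine"]):
            return "certutil_decode_to_temp"
    return None


def rule_defender_tamper(ev):
    """PowerShell adding a Defender exclusion or switching a protection off."""
    if basename(ev["Image"]) in {"powershell.exe", "pwsh.exe"}:
        cl = ev["CommandLine"].lower()
        if "add-mppreference" in cl and "-exclusionpath" in cl:
            return "defender_exclusion_added"
        if "set-mppreference" in cl and "-disable" in cl:
            return "defender_protection_disabled"
    return None


def rule_masquerade_in_temp(ev):
    """A system-process name running from a temp directory instead of System32."""
    if basename(ev["Image"]) in MASQUERADE_NAMES and TEMP_RE.search(ev["Image"]):
        return "system_process_name_in_temp"
    return None


def rule_rar_with_password(ev):
    """rar.exe launched from temp with an inline password switch (-p<pw> or -hp<pw>)."""
    if basename(ev["Image"]) == "rar.exe" and TEMP_RE.search(ev["Image"]):
        if re.search(r"\s-h?p\S", ev["CommandLine"]):
            return "rar_password_archive_from_temp"
    return None


RULES = (rule_certutil_decode, rule_defender_tamper,
         rule_masquerade_in_temp, rule_rar_with_password)


def evaluate(events):
    """Return (event index, rule name) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for i, name in evaluate(SAMPLE_EVENTS):
        print(f"event {i}: {name} <- {SAMPLE_EVENTS[i]['CommandLine']}")
```

Each rule keys on a combination (tool plus temp path, or cmdlet plus parameter) rather than on the tool alone, which is what keeps the benign `certutil -hashfile` and the real RuntimeBroker.exe in System32 from firing. In a SIEM the same four conditions become searches over process-creation events; correlating a certutil hit with a later masquerade or Defender-tamper hit on the same host is the sequence the article describes.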
Conclusion
As cyber threats evolve, understanding malware such as BlankGrabber is critical for cybersecurity professionals. Its blend of obfuscation, evasion, and data-theft tactics underscores the need for continuous vigilance and new detection methods against sophisticated malicious software. The work of teams like Splunk’s Threat Research Team is crucial in identifying and mitigating such threats before extensive damage is done.