BlankGrabber Stealer Uses Fake Certificate Loader to Hide Malware Delivery
Key Takeaways
- BlankGrabber, a Python-based information stealer, is using a sophisticated, multi-stage delivery method disguised as a legitimate certificate installation process.
- The malware targets a wide array of sensitive data, including browser credentials, cryptocurrency wallets, and even webcam snapshots, while also deploying the XWorm remote access Trojan.
- BlankGrabber employs advanced evasion techniques, such as anti-sandbox checks, obfuscation layers, and Windows Defender disabling, making detection challenging.
- Individuals and organizations are primarily affected through social engineering tactics like fake software downloads and malicious archives.
BlankGrabber Stealer Leverages Fake Certificate Loader for Covert Malware Delivery
A sophisticated Python-based information stealer known as BlankGrabber has been observed deploying its multi-stage malware through a deceptive certificate loader. This technique allows the threat to masquerade its malicious activities as a routine system operation, significantly enhancing its stealth.
First identified in 2023, BlankGrabber has continuously evolved, becoming more complex and adept at evading detection. Its primary targets are everyday users, often reached through popular online platforms.
Extensive Data Theft Capabilities
BlankGrabber is engineered for comprehensive data exfiltration. It systematically targets a broad spectrum of sensitive user information, including browser credentials, session tokens, saved passwords, clipboard contents, and Wi-Fi network keys. Beyond standard data, it also seeks out cryptocurrency wallet data, captures screenshots, and even takes snapshots from webcams.
The malware’s modular architecture provides threat actors with considerable flexibility to customize their attacks. Its rapid development cycle further contributes to its ability to bypass many traditional security solutions.
Unmasking the Deceptive Infection Mechanism
Security analysts at Splunk recently uncovered a BlankGrabber loader sample hosted on the Gofile[.]io file-sharing platform. Upon closer examination, what initially appeared to be a standard certificate installation script was revealed to be a cleverly concealed, multi-layer infection mechanism. The loader exploits certutil.exe, a legitimate Windows utility, to decode what superficially resembles certificate data.
In reality, this encoded content contains a compiled Rust-based stager. This stager is responsible for decrypting and launching the final malicious payload, adding another layer of obfuscation to the attack chain.
Propagation and Evasion Tactics
BlankGrabber predominantly spreads through social engineering and phishing campaigns. Attackers distribute it via fraudulent “cracked” software downloads, malicious archives shared on platforms like Discord, and deceptive GitHub repositories designed to mimic legitimate utilities.
Once a user executes the malicious file, the infection process silently initiates in the background. It navigates through multiple layers of obfuscation, specifically designed to evade detection by security software. The malware also drops XWorm, a remote access Trojan, alongside itself. This dual payload provides attackers with both extensive data theft capabilities and persistent remote control over the compromised system.
Advanced Evasion and Persistence
The infection begins with a batch file loader that leverages certutil.exe to decode what appears to be certificate information. This encoded data is, in fact, a compiled Rust stager. Upon execution, the stager performs rigorous environment checks, comparing system drivers, usernames, and computer names against a hardcoded blacklist of sandbox identifiers such as “Triage,” “Zenbox,” and “Sandbox.” If any of these are detected, the malware terminates to prevent analysis.
Should the stager confirm it is operating in a genuine user environment, it proceeds to drop a self-extracting RAR archive into the %TEMP% folder. This archive contains two critical malicious components: the XWorm remote access client (host.exe) and the BlankGrabber stealer (Knock.exe). To maintain stealth, the dropped executable receives a randomly generated name that mimics legitimate Windows processes, such as OneDriveUpdateHelper.exe or SteamService.exe.
The BlankGrabber payload itself is packaged using PyInstaller, transforming the original Python script into a standalone executable. Within this package lies an encrypted file, “blank.aes,” which holds the true payload. A custom AES-GCM algorithm, utilizing a hardcoded key and initialization vector, decrypts this file at runtime. Following decryption, a second-stage script named “stub-o.pyc” emerges, further protected by Base64 encoding, ROT13, and string reversal for enhanced obfuscation.
To ensure unimpeded operation, BlankGrabber actively disables Windows Defender’s real-time protection and removes antivirus signatures through PowerShell commands. It also modifies the Windows hosts file to block access to security-related websites by redirecting them to 0.0.0.0. For persistence, the malware places a copy of its payload in the startup folder, ensuring it relaunches with every system reboot.
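The hosts-file tampering described above leaves a durable artifact on disk that is cheap to check. The following script is an added example (not code from the article, from Splunk, or from the BlankGrabber project) that parses a Windows hosts file and flags security-vendor hostnames that have been null-routed to 0.0.0.0 or loopback, while ignoring the legitimate localhost entries. The keyword list and the sample hosts file are constructed for illustration.

```python
"""Hosts-file tamper check for the BlankGrabber behaviour described above.

Added example, not code from the article or from Splunk. Assumes the
standard hosts-file format (whitespace-separated "address hostname ...",
'#' starts a comment). The keyword list is a constructed illustration;
extend it for the vendors used in your environment.
"""
import re

# Addresses an attacker uses to null-route a lookup (article: 0.0.0.0).
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Names that legitimately live on a loopback address and must not be flagged.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed list: hostnames containing these are treated as security or
# update infrastructure that malware has a motive to block.
SECURITY_KEYWORDS = (
    "virustotal", "windowsupdate", "microsoft", "kaspersky", "bitdefender",
    "malwarebytes", "eset", "sophos", "mcafee", "norton", "symantec",
    "trendmicro", "defender", "avast",
)

HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text: str):
    """Yield (line_no, address, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments, including trailing ones
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        address, names = m.group(1), m.group(2).split()
        for name in names:
            yield line_no, address, name.lower()


def find_sinkholed_security_domains(text: str):
    """Return [(line_no, address, hostname)] for entries that null-route a
    security-related hostname. Loopback names on loopback addresses are
    normal and are skipped."""
    hits = []
    for line_no, address, name in parse_hosts(text):
        if address not in SINKHOLE_ADDRESSES or name in LOOPBACK_NAMES:
            continue
        if any(keyword in name for keyword in SECURITY_KEYWORDS):
            hits.append((line_no, address, name))
    return hits


# Constructed sample: a stock-looking header plus two injected null-routes
# of the kind the article describes.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
127.0.0.1 localhost
0.0.0.0 www.virustotal.com
0.0.0.0 www.malwarebytes.com   # injected
"""

if __name__ == "__main__":
    # On a live host you would read C:\Windows\System32\drivers\etc\hosts instead.
    for line_no, address, name in find_sinkholed_security_domains(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {name} -> {address}")
```

Run it against the real file by reading `C:\Windows\System32\drivers\etc\hosts` and passing the contents to `find_sinkholed_security_domains`; any hit is worth pairing with a look at the startup folder and the PowerShell history on the same host, since the article describes these changes being made together.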
What You Should Do
- Monitor certutil.exe Usage: Watch for instances where certutil.exe is used to decode data that is not legitimate certificate information.
- Scrutinize WinRAR Activity: Be alert to WinRAR executions originating from outside its standard installation directories.
- Detect PowerShell Defender Commands: Implement monitoring for PowerShell commands designed to disable Windows Defender or modify its settings.
- Review DNS Queries: Investigate unusual DNS queries directed towards Telegram’s API or known file-sharing services, which could indicate C2 communication or data exfiltration.
- Maintain System Patches: Ensure all operating systems and software applications are kept fully updated with the latest security patches.
- Block Unauthorized File Sharing: Implement network policies to restrict or block access to unapproved file-sharing platforms.
- Enforce Application Allowlisting: Deploy strict application allowlisting to prevent the execution of unauthorized programs.
- Educate Users: Provide ongoing training to users on identifying and avoiding social engineering tactics, phishing attempts, and suspicious downloads.
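The first four recommendations above are detection rules, and they can be expressed directly as checks over process-creation and DNS telemetry. The script below is an added example (not code from the article or from Splunk) that encodes those four hunts and runs them over a handful of constructed events. It assumes events have already been normalised into dictionaries with the `image`, `command_line` and `query_name` keys used here (for instance from Sysmon process-creation and DNS-query events); the field names, the WinRAR install paths and the sample events are all assumptions made for the example.

```python
"""Hunting rules for the four detection items in "What You Should Do".

Added example, not code from the article, Splunk or BlankGrabber. Events
are assumed to be dicts with an "id" plus "image", "command_line" and/or
"query_name" (constructed schema); all sample events are constructed.
"""
import re

# Assumed default WinRAR install locations; adjust to your estate.
WINRAR_STANDARD_DIRS = (
    "c:\\program files\\winrar\\",
    "c:\\program files (x86)\\winrar\\",
)
CERT_EXTENSIONS = (".cer", ".crt", ".pem", ".der", ".p7b", ".pfx")
DEFENDER_TAMPER_PATTERNS = (
    re.compile(r"set-mppreference\s+.*-disable(realtimemonitoring|ioavprotection|behaviormonitoring)", re.I),
    re.compile(r"add-mppreference\s+.*-exclusion(path|process|extension)", re.I),
    re.compile(r"mpcmdrun(\.exe)?\s+.*-removedefinitions", re.I),
)
SUSPICIOUS_DNS_SUFFIXES = ("api.telegram.org", "gofile.io")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_certutil_decode(event):
    """certutil.exe decoding a file whose output is not certificate material."""
    if _basename(event.get("image", "")) != "certutil.exe":
        return None
    m = re.search(r"-decode(?:hex)?\s+(\S+)\s+(\S+)", event.get("command_line", ""), re.I)
    if not m or m.group(2).lower().endswith(CERT_EXTENSIONS):
        return None
    return f"certutil decoding {m.group(1)} into non-certificate file {m.group(2)}"


def rule_winrar_outside_install_dir(event):
    """WinRAR binaries executing from anywhere but their install directory."""
    image = event.get("image", "")
    if _basename(image) not in ("winrar.exe", "rar.exe", "unrar.exe"):
        return None
    if image.lower().startswith(WINRAR_STANDARD_DIRS):
        return None
    return f"WinRAR executed from non-standard path {image}"


def rule_defender_tamper(event):
    """PowerShell or MpCmdRun command lines that weaken Defender."""
    if _basename(event.get("image", "")) not in ("powershell.exe", "pwsh.exe", "mpcmdrun.exe"):
        return None
    cmd = event.get("command_line", "")
    for pattern in DEFENDER_TAMPER_PATTERNS:
        if pattern.search(cmd):
            return f"Defender tampering: {cmd}"
    return None


def rule_suspicious_dns(event):
    """DNS lookups for Telegram's API or file-sharing hosts named in the article."""
    query = event.get("query_name", "").lower().rstrip(".")
    for suffix in SUSPICIOUS_DNS_SUFFIXES:
        if query == suffix or query.endswith("." + suffix):
            return f"DNS query for {query} by {_basename(event.get('image', ''))}"
    return None


RULES = (rule_certutil_decode, rule_winrar_outside_install_dir,
         rule_defender_tamper, rule_suspicious_dns)


def triage(events):
    """Return [(event_id, rule_name, reason)] for every rule that fires."""
    hits = []
    for event in events:
        for rule in RULES:
            reason = rule(event)
            if reason:
                hits.append((event["id"], rule.__name__, reason))
    return hits


# Constructed events: one true positive per rule plus benign look-alikes.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -decode C:\Users\u\AppData\Local\Temp\cert.txt C:\Users\u\AppData\Local\Temp\stage.exe"},
    {"id": 2, "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -addstore Root C:\certs\corp-root.cer"},
    {"id": 3, "image": r"C:\Users\u\AppData\Local\Temp\WinRAR.exe",
     "command_line": r"WinRAR.exe x -y C:\Users\u\AppData\Local\Temp\pkg.rar"},
    {"id": 4, "image": r"C:\Program Files\WinRAR\WinRAR.exe", "command_line": "WinRAR.exe"},
    {"id": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 6, "image": r"C:\Users\u\AppData\Local\Temp\OneDriveUpdateHelper.exe", "query_name": "api.telegram.org"},
    {"id": 7, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query_name": "www.example.com"},
]

if __name__ == "__main__":
    for event_id, rule_name, reason in triage(SAMPLE_EVENTS):
        print(f"event {event_id} [{rule_name}]: {reason}")
```

The certutil rule keys on the output file's extension rather than on the presence of `-decode` alone, because certificate administration legitimately decodes Base64 into `.cer` or `.pem` files; tuning the allow-listed extensions and the WinRAR paths to your environment is what keeps these rules useful in production.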
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.