
Torg Grabber Malware Evolves to Encrypted REST API for C2 Operations

Severity: High (Score: 66.5)

Sources: Cybersecuritynews, Gbhackers

Summary

Torg Grabber, an information-stealing malware, has transitioned from Telegram-based data exfiltration to an encrypted REST API command-and-control (C2) channel, now fronted by Cloudflare to obscure the real C2 infrastructure. Initially identified as a Vidar variant, the malware has evolved rapidly: 334 samples were compiled in just three months, and more than 40 distinct operator tags have been found within its binaries. It primarily targets credentials and other sensitive information across a range of systems and users. The move to an encrypted, proxied C2 channel makes the traffic harder to inspect and block, marking a significant advance in the malware's operational capabilities and raising concern among security practitioners. The development pace points to a well-organized operation behind it, posing a high risk to organizations that fall victim to it. Monitoring and analysis are ongoing as the threat evolves.

Key Points

  • Torg Grabber has evolved from Telegram-based exfiltration to an encrypted REST API C2.
  • Over 334 samples of Torg Grabber have been compiled in just three months.
  • The malware targets credentials and sensitive information, posing a significant risk to users.

Key Entities

  • Malware (attack_type)
  • Torg Grabber (malware)
  • Vidar (malware)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Cloudflare (company)
  • Telegram (platform)