Torg Grabber - New Malware Transitions to Encrypted C2 Infrastructure
In short, Torg Grabber is a newly identified malware family that steals passwords and other data from infected computers.
A new malware family called Torg Grabber has emerged, evolving from Telegram-based data exfiltration to an encrypted command-and-control (C2) channel. It targets a wide range of browsers, stealing sensitive credentials and posing significant risks. Users and organizations must stay vigilant against this growing threat.
What Happened
A new Malware-as-a-Service (MaaS) credential stealer named Torg Grabber has emerged, showcasing rapid evolution in just three months. Initially, it utilized Telegram for data exfiltration but has now upgraded to a fully encrypted REST API command-and-control (C2) infrastructure. In this short time, researchers have identified 334 samples of the malware, revealing its widespread use among cybercriminals. The malware's name derives from one of its primary C2 domains, technologytorg.com, with 'torg' meaning 'trade' in Russian, aptly reflecting its purpose in the cybercrime marketplace.
The malware was first discovered when a sample was mistakenly labeled as Vidar Stealer. However, a closer examination revealed it was a different entity altogether, marked by a unique debug string and a different architecture. Researchers from Gen Digital's Threat Research Team confirmed its identity after analyzing its binary structure.
Who's Being Targeted
Torg Grabber casts a wide net, targeting credentials from 25 Chromium-based browsers and 8 Firefox-family browsers. It collects data from over 850 browser extensions, including those for cryptocurrency wallets and two-factor authentication tools. Additionally, it gathers session data from popular platforms like Discord, Telegram, and Steam. The malware even checks for 46 antivirus signatures across 24 security products before initiating its data collection, demonstrating its sophisticated evasion tactics.
The malware's development has been swift, evolving through three distinct phases of exfiltration. Initially, it sent stolen data to private Telegram channels using the Telegram Bot API. Later, it switched to a raw TCP socket protocol before finally transitioning to a production-grade REST API over HTTPS, making detection and blocking much more challenging.
Signs of Infection
Torg Grabber does not infiltrate systems alone; it is delivered through a multi-stage loader chain. The first stage, known as the dropper, often masquerades as fake game cheats or cracked software. Once executed, it triggers a hidden PowerShell command that initiates a download through Windows' svchost.exe, blending in with legitimate traffic.
The subsequent stages involve self-extracting loaders and in-memory execution, ensuring that the actual stealer payload is never written to disk where it could be detected. By the time the final stage activates, the malware is running inside a live process, leaving no on-disk trace for traditional, file-based security tools to identify.
How to Protect Yourself
To safeguard against Torg Grabber, users should avoid downloading software from unofficial sources, especially game cheat sites or cracked applications. IT teams should monitor for unusual PowerShell commands and unexpected BITS Transfer job creations. Endpoint security tools should be configured to detect direct syscall usage and in-memory loading patterns. Organizations using Chromium-based browsers should ensure App-Bound Encryption is properly set up and treat any unexpected browser process suspensions as potential indicators of compromise. Staying vigilant and proactive is key to thwarting this evolving threat.
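As an added example (not code from the article or from Gen Digital's research), the two monitoring recommendations above applied to constructed log lines: a small Python detector that flags hidden or encoded PowerShell launched from a user-writable location and BITS transfer jobs created by a process that is not a normal BITS client. The key="value" event format, field names, paths, URLs and the list of expected BITS clients are all assumptions for this example.

```python
import re

# Constructed sample events (not real telemetry) in a simplified key="value" form modelled
# on Sysmon process-creation (EventID 1) and BITS client (EventID 3) logs; all values are placeholders.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Users\\alice\\Downloads\\GameCheat.exe" '
    'CommandLine="powershell.exe -WindowStyle Hidden -EncodedCommand PLACEHOLDER"',
    'EventID=3 ProcessName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'RemoteURL="https://example.invalid/loader.bin"',
    'EventID=1 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="powershell.exe -File C:\\scripts\\inventory.ps1"',
    'EventID=3 ProcessName="C:\\Windows\\System32\\svchost.exe" '
    'RemoteURL="https://example.invalid/update.cab"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Hidden-window and encoded-command switches, including their short aliases (-w, -e, -enc).
STEALTH_FLAGS = re.compile(r'-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s)', re.I)
USER_WRITABLE = re.compile(r'\\(?:Users\\[^\\]+\\(?:Downloads|AppData)|Temp)\\', re.I)
# Processes that normally create BITS jobs on this hypothetical endpoint (assumption; tune per environment).
EXPECTED_BITS_CLIENTS = {"svchost.exe", "msedge.exe", "onedrive.exe"}

def parse(line):
    """Turn one key=value log line into a dict."""
    return {k: (quoted or bare) for k, quoted, bare in FIELD_RE.findall(line)}

def classify(event):
    """Return alert tags for one parsed event (an empty list means nothing suspicious)."""
    tags = []
    if event.get("EventID") == "1" and event.get("Image", "").lower().endswith("powershell.exe"):
        if STEALTH_FLAGS.search(event.get("CommandLine", "")):
            tags.append("hidden_or_encoded_powershell")
        if USER_WRITABLE.search(event.get("ParentImage", "")):
            tags.append("powershell_from_user_writable_parent")
    if event.get("EventID") == "3":
        client = event.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
        if client not in EXPECTED_BITS_CLIENTS:
            tags.append("unexpected_bits_client")
    return tags

def scan(lines):
    """Map the index of each flagged line to its alert tags."""
    return {i: tags for i, line in enumerate(lines) if (tags := classify(parse(line)))}

if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS).items():
        print(f"line {i}: {', '.join(tags)}")
```

The two alert types fire on the first two sample lines (the hidden, encoded PowerShell spawned from a Downloads folder, and the BITS job it creates), while the scheduled inventory script and the svchost.exe update job stay silent.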
Cyber Security News