Fake Certificate Loader Conceals BlankGrabber Malware Chain
Disguising the loader as certificate-import activity lets the stealer blend into enterprise environments while deploying multiple payloads for remote access, data theft, and long-term persistence.
The Splunk Threat Research Team (STRT) analyzed a BlankGrabber loader hosted on Gofile that arrives as a batch script. On execution, the script decodes an embedded blob with certutil.exe, so that the activity looks like a certificate import while a compiled Rust executable is actually being written to disk.
Static inspection shows that the "certificate" data is not X.509 at all but an opaque binary; certutil decodes it without complaint, which is enough to slip past content checks that only look at the file extension or the PEM header lines.
The Rust stager then runs and is responsible for decrypting and launching the downstream payload, adding an extra layer of separation between the initial script and the final stealer components.
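As an added illustration (not code from the STRT write-up), the following Python script performs the content check that certutil skips: it base64-decodes the body of a PEM block the way `certutil -decode` does, then tests whether the result is a DER SEQUENCE consistent with X.509 or instead carries an MZ/PE header. Both PEM samples are constructed for the example; the "fake certificate" is only a PE header skeleton, not real malware, and the `certutil_blob` naming is this example's own.

```python
"""Classify what a certutil -decode style 'certificate' blob really contains.

Added example (not from the STRT write-up): certutil -decode base64-decodes
whatever sits between the BEGIN/END lines and writes the raw bytes to disk; it
does not check that the result is a DER-encoded X.509 certificate. This script
performs the check certutil skips, so a pipeline can flag a PEM wrapper whose
payload is a PE executable.
"""
import base64
import re
import struct

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def pem_body(text: str) -> bytes:
    """Return the base64-decoded body of the first PEM block, as certutil would."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    b64 = re.sub(r"\s+", "", m.group(2))
    return base64.b64decode(b64, validate=True)


def der_sequence_length(data: bytes):
    """Parse a DER SEQUENCE header; return the total encoded length, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_certutil_blob(text: str) -> str:
    """Label the decoded payload: 'der-sequence', 'pe-executable' or 'unknown'."""
    data = pem_body(text)
    if is_pe(data):
        return "pe-executable"
    if der_sequence_length(data) == len(data):
        return "der-sequence"
    return "unknown"


def _wrap(data: bytes) -> str:
    """Dress arbitrary bytes up as a PEM 'CERTIFICATE' block (64-char lines)."""
    b64 = base64.b64encode(data).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed samples (not real malware): a minimal DER SEQUENCE, and a stub
# with a valid MZ/PE header skeleton dressed up as a certificate.
GENUINE_DER_PEM = _wrap(b"\x30\x03\x02\x01\x05")      # SEQUENCE { INTEGER 5 }
_pe = bytearray(0x44)
_pe[0:2] = b"MZ"
_pe[0x3C:0x40] = struct.pack("<I", 0x40)             # e_lfanew -> offset 0x40
_pe[0x40:0x44] = b"PE\x00\x00"
FAKE_CERT_PEM = _wrap(bytes(_pe))

if __name__ == "__main__":
    for name, blob in (("genuine", GENUINE_DER_PEM), ("fake", FAKE_CERT_PEM)):
        print(f"{name}: {classify_certutil_blob(blob)}")
```

The DER test deliberately checks that the outer SEQUENCE length matches the whole body: a real certificate is exactly one SEQUENCE, whereas a binary that merely starts with 0x30 will almost never satisfy that, so the check is cheap enough to run on every file a certutil process writes.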
To frustrate sandboxes and automated pipelines, the stager performs environmental checks before decrypting anything.
It inspects system drivers tied to virtualization and compares the current username and computer name against a hardcoded list of analysis-environment names ("Triage," "Sandbox," "Malware," "User," "Admin Test," "Virus," and "Zenbox"), bailing out when it recognizes one.
Only when these checks pass does it decrypt the next stage and drop a self‑extracting RAR (SFX) archive into the %TEMP% directory, adopting one of several benign‑looking filenames (for example, OneDriveUpdateHelper.exe, RuntimeBroker.exe, svchost_update.exe, GoogleUpdateSetup.exe, MicrosoftEdgeUpdate.exe, SteamService.exe, or NvidiaContainer.exe) to blend with common Windows and gaming processes.
The SFX archive contains multiple payloads, notably an XWorm remote access client (host.exe) and a PyInstaller‑packaged BlankGrabber stealer (Knock.exe), allowing operators to combine full remote control with credential and data theft on the same host.
Inside the PyInstaller build, STRT identified a Python bytecode module that reads a high‑entropy file named “blank.aes,” which functions as an encrypted container for the core malicious logic.
While the code initially appears to use AES‑GCM with hardcoded key and IV values, decryption attempts using standard libraries failed, leading researchers to discover that BlankGrabber employs a customized AES‑CTR routine with non‑standard IV handling.
By re‑implementing this routine, STRT decrypted a ZIP archive containing the next stage, which embedded another bytecode file called “stub-o.pyc.”
Decompiling this stub revealed a heavily obfuscated Python loader that decompresses a zlib byte array and then applies multiple encoding layers, including Base64, ROT13, and string reversal, to reconstruct the final BlankGrabber payload.
This multi-stage obfuscation pipeline (PyInstaller wrapping, an encrypted blob, customized AES, zlib compression, and chained encodings) aims to defeat static signatures and force defenders into full behavioral or memory-forensic analysis.
Once fully unpacked, BlankGrabber exposes a broad capability set aligned with multiple MITRE ATT&CK techniques.
For collection and profiling, it executes utilities like systeminfo and getmac, queries WMI classes for hardware and antivirus details, pulls webcam snapshots, and parses Chromium and Firefox databases to extract passwords, cookies, history, autofill data, and cryptocurrency wallet artifacts.
It can also dump clipboard content, capture screenshots via inline .NET code invoked through PowerShell, enumerate Wi‑Fi profiles and recover cleartext WLAN keys, and harvest files and credentials tied to platforms such as Telegram, Discord, Steam, Epic Games, and Roblox.
For defense evasion, the malware modifies the Windows hosts file to redirect a hardcoded list of security domains to 0.0.0.0, disables Windows Defender features via PowerShell (including real‑time protection and signatures), and adds its working directory to the Defender exclusion list.
It also attempts a registry‑based UAC bypass under the “ms-settings” path, leverages the Startup folder for persistence, deletes its own executable to reduce artifacts, and uses a bundled rar.exe to compress stolen data into a password‑protected archive (“Blank123”) prior to exfiltration.
C2 communications rely on an encoded Telegram bot configuration as well as uploads to public web services and file‑sharing platforms, while the IP‑lookup service ip-api[.]com is used to classify victims and distinguish cloud instances from consumer hosts.
To operationalize these behaviors, STRT provides multiple Splunk detections, including analytics for product key registry queries, DNS lookups to api.telegram.org, outbound queries to IP check services such as ip-api[.]com, execution of WinRAR/rar.exe outside standard installation paths, suspicious hosts file access, WMI reconnaissance patterns, and DNS activity targeting abused web-service domains like gofile.io and cdn.discordapp.com.
Together, these detections help defenders spot the fake‑certificate loader chain, the staging behavior, and the downstream exfiltration channels even when the underlying Python and Rust code remains heavily obfuscated.
Given this tradecraft, organizations should prioritize telemetry around certutil use, abnormal SFX extraction in %TEMP%, Defender configuration changes via PowerShell, and DNS traffic to Telegram and IP‑check APIs to catch BlankGrabber and similar stealer families early in their infection lifecycle.
| SHA256 | Description |
|---|---|
| 268d12a71b7680e97a4223183a98b565cc73bbe2ab99dfe2140960cc6be0fc87 | BlankGrabber |
| ac36b970704881c7656e8fdd7e8c532e22896b97a47acef5ca624d7701bf991 | Batch loader |
The post Fake Certificate Loader Conceals BlankGrabber Malware Chain appeared first on Cyber Security News.