The operators behind BlankGrabber are testing a stealthy loader chain that abuses Windows certificate tooling (certutil) to hide a Rust-based stager inside what looks like legitimate certificate data. The approach lets the stealer blend into enterprise environments while chaining several payloads for remote access, data theft, and long-term persistence.
The Splunk Threat Research Team (STRT) analyzed a BlankGrabber loader delivered as a batch script hosted on Gofile. When the script runs, it decodes a blob embedded in the script itself. The stager checks its environment before decrypting anything, to frustrate sandboxes and automated analysis pipelines; only once those checks pass does it decrypt the next stage and drop a self-extracting RAR (SFX) archive into the %TEMP% directory, under one of several innocuous-looking filenames.
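The disguise described above works because `certutil -encode` wraps any bytes in the same `BEGIN CERTIFICATE`/`END CERTIFICATE` armour a real certificate uses, and `certutil -decode` reverses it without caring what is inside. The following is an added example (not code from the STRT analysis or from the loader) that reproduces that armour and applies a cheap structural check a triage script can use to tell a genuine DER certificate from a payload hiding behind the header. The helper names, the hand-built DER sequence standing in for a certificate, and the fake PE header standing in for a stager are all this example's own constructions.

```python
import base64
import re

# PEM armour as written by "certutil -encode" (BEGIN/END CERTIFICATE, 64-char lines).
# A blob wrapped this way looks like a certificate to a casual glance, which is the
# disguise the loader chain relies on. Helper names below are this example's own.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def wrap_as_pem(data: bytes, label: str = "CERTIFICATE") -> str:
    """Armour arbitrary bytes the way certutil -encode does; certutil -decode reverses it."""
    b64 = base64.b64encode(data).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def unwrap_pem(text: str) -> list[tuple[str, bytes]]:
    """Return (label, decoded bytes) for every armoured block found in the text."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_BLOCK.finditer(text)]


def _der_header(buf: bytes, off: int):
    """Parse one DER tag/length at buf[off]; return (tag, length, content_offset) or None."""
    if off + 2 > len(buf):
        return None
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short-form length
        return tag, first, off + 2
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or n > 4 or off + 2 + n > len(buf):
        return None
    return tag, int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n


def looks_like_der_certificate(der: bytes) -> bool:
    """Structural check only: Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    whose outer length accounts for exactly the whole blob."""
    outer = _der_header(der, 0)
    if outer is None:
        return False
    tag, length, content = outer
    if tag != 0x30 or content + length != len(der):
        return False
    inner = _der_header(der, content)
    return inner is not None and inner[0] == 0x30 and inner[2] + inner[1] <= len(der)


def triage_pem(text: str) -> list[tuple[str, str]]:
    """Label each armoured block as X.509-shaped or as something else hiding behind
    a BEGIN CERTIFICATE header (a loader stage, for instance)."""
    verdicts = []
    for label, raw in unwrap_pem(text):
        if looks_like_der_certificate(raw):
            verdicts.append((label, "x509-shaped"))
        else:
            verdicts.append((label, "not x509: possible hidden payload"))
    return verdicts


if __name__ == "__main__":
    # Constructed inputs: a minimal hand-built DER SEQUENCE{SEQUENCE{INTEGER 1}} stands in
    # for a real certificate, and a fake PE header stands in for a hidden stager.
    real_ish = b"\x30\x05\x30\x03\x02\x01\x01"
    stager = b"MZ\x90\x00" + b"\x00" * 60
    for label, verdict in triage_pem(wrap_as_pem(real_ish) + wrap_as_pem(stager)):
        print(label, "->", verdict)
```

The check is deliberately shallow: it will catch a blob that is not ASN.1 at all, but a loader can prepend a genuine certificate and append its payload after the END line, or pad the DER so the outer length still balances. Treat the verdict as a triage hint and pair it with process telemetry (certutil invoked with `-decode` and writing into %TEMP%) rather than as a standalone verdict.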
The stealer can also clear clipboard contents, capture screenshots, enumerate Wi-Fi profiles, and recover cleartext WLAN keys. It additionally attempts a UAC bypass through the registry under the "ms-settings" path. C2 communication relies on an encoded Telegram bot configuration.
Victims are profiled using the IP-lookup service ip-api[.]com. The accompanying detections cover the fake-certificate loader chain, the staging behavior, and the exfiltration channels. Given this tradecraft, organizations should prioritize telemetry around certutil usage, unexpected SFX extraction in %TEMP%, and DNS traffic to Telegram and IP-lookup APIs in order to catch BlankGrabber and similar stealer families early in the infection lifecycle.
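The telemetry priorities above translate into a handful of rules that are more useful when correlated than when fired alone. The following is an added example (not STRT's detection content, and not from the page) that runs such rules over constructed Sysmon-style events: certutil invoked with a decode switch, the write-access probe file that WinRAR self-extractors create in their destination directory appearing under %TEMP%, a write under the ms-settings registry path, and DNS lookups for api.telegram.org or ip-api.com. The event field names, the sample events, and the rule names are this example's own assumptions, and the final correlation step flags any image running out of %TEMP% that trips two or more distinct rules.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events for illustration (not telemetry from the page);
# field names and event ids are this example's own convention.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil -decode C:\Users\u\AppData\Local\Temp\cert.txt C:\Users\u\AppData\Local\Temp\stage.exe"},
    {"id": 2, "type": "file", "image": r"C:\Users\u\AppData\Local\Temp\stage.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\__tmp_rar_sfx_access_check_3141"},
    {"id": 3, "type": "registry", "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Classes\ms-settings\Shell\Open\command\(Default)"},
    {"id": 4, "type": "dns", "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "query": "api.telegram.org"},
    {"id": 5, "type": "dns", "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "query": "ip-api.com"},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\certutil.exe",   # benign admin use
     "parent": r"C:\Windows\explorer.exe", "cmdline": "certutil -verify server.cer"},
    {"id": 7, "type": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.example.com"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# certutil accepts both "-" and "/" switch prefixes.
CERTUTIL_DECODE = re.compile(r"(?:^|\s)[-/](decode|decodehex|urlcache)\b", re.I)
# Probe file a WinRAR SFX writes to confirm it can write to the extraction directory.
SFX_PROBE = re.compile(r"\\__tmp_rar_sfx_access_check_\d+$", re.I)
MS_SETTINGS = re.compile(r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command", re.I)
WATCHED_DOMAINS = {"api.telegram.org", "ip-api.com"}


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule a single event matches (usually zero or one)."""
    hits = []
    kind = event["type"]
    if (kind == "process" and event["image"].lower().endswith("\\certutil.exe")
            and CERTUTIL_DECODE.search(event["cmdline"])):
        hits.append("certutil_decode")
    if kind == "file" and SFX_PROBE.search(event["target"]) and TEMP_DIR.search(event["target"]):
        hits.append("sfx_extract_in_temp")
    if kind == "registry" and MS_SETTINGS.search(event["target"]):
        hits.append("ms_settings_uac_bypass")
    if kind == "dns" and event["query"].lower().rstrip(".") in WATCHED_DOMAINS:
        hits.append("stealer_dns")
    return hits


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Flat list of (event id, rule) pairs in event order."""
    return [(e["id"], rule) for e in events for rule in evaluate(e)]


def chained_images(events: list[dict], min_rules: int = 2) -> set[str]:
    """Images running from %TEMP% that trip at least min_rules distinct rules; a single
    certutil or ip-api hit is noisy on its own, the combination is not."""
    rules_by_image = defaultdict(set)
    for e in events:
        if TEMP_DIR.search(e["image"]):
            rules_by_image[e["image"]].update(evaluate(e))
    return {img for img, rules in rules_by_image.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
    print("chained:", chained_images(SAMPLE_EVENTS))
```

In production the same logic belongs in the SIEM's query language with a time window around the correlation, but the shape is the same: cheap per-event rules, then a join on the process image (or a parent/child lineage) so that a certutil decode, a drop into %TEMP%, an ms-settings write and a Telegram lookup surface as one incident rather than four low-confidence alerts.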
You can read the whole whitepaper at http://www.stRT.com/blankgrabber-symptoms-and-technique/blankgrabber symptoms and technique-symptons.