Torg Grabber: A New Infostealer Targeting Cryptocurrency Wallets

Torg Grabber has emerged as a potent infostealer that targets a large number of cryptocurrency wallet extensions across browser add-ons. Because it exfiltrates stolen data over encrypted channels, it has quickly become a significant threat in the cybersecurity landscape.

Attack Overview

Research by Gen Digital shows that Torg Grabber is in active deployment and targets 728 cryptocurrency wallet extensions among the 850 browser add-ons it scans. The malware is especially dangerous for self-custody users who rely on browser-based wallets, because it specializes in extracting seed phrases, private keys, and session tokens, often before most endpoint protection tools detect it.

Key Takeaways:

  • Threat Scope: Torg Grabber scans 850 browser extensions, 728 of which are cryptocurrency wallets, across 25 Chromium-based and 8 Firefox-based browsers.

  • Attack Method: The malware arrives as a legitimate-looking Chrome update (GAPI_Update.exe) and deploys its payload behind a fake Windows Security Update progress bar that runs for 420 seconds.

  • Risk Profile: Users of browser-extension wallets such as MetaMask and Phantom are at significant risk since the malware can directly steal credentials. Users of hardware wallets face indirect risks if they digitally store their seed phrases.

The Mechanism Behind Torg Grabber

The attack begins with a dropper disguised as GAPI_Update.exe, a 60 MB InnoSetup package delivered from Dropbox infrastructure. The dropper extracts three seemingly benign DLLs into the directory %LOCALAPPDATA%\Connector\, giving the installation a convincing, legitimate-looking footprint.

During infection, Torg Grabber displays a fake Windows Security Update progress bar for exactly 420 seconds. The delay makes the installation look genuine while the malware payload executes. The final executable carries a random name (e.g., v4jkqh.exe, hkjpy08.exe, ln3dkgz.exe) and is typically written to the C:\Windows\ directory.
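The on-disk artefacts described above (the GAPI_Update.exe dropper name, the %LOCALAPPDATA%\Connector\ staging directory with its DLLs, and a short randomly named executable dropped directly into C:\Windows\) give a responder something concrete to hunt for. The following Python script is an added example, not code from the article or from Gen Digital: it classifies a list of file paths against those three indicators and reports the matches. The sample paths are constructed, the regular expression that generalises the three payload names from the report is an assumption, and the allow-list of executables that legitimately sit in the Windows root is an assumption that should be tuned to a known-good image.

```python
import os
import re
from pathlib import PureWindowsPath

# File-system artefacts named in the report.
DROPPER_NAME = "gapi_update.exe"                   # InnoSetup dropper
STAGING_TAIL = ("appdata", "local", "connector")   # %LOCALAPPDATA%\Connector\
# The report's payload names (v4jkqh.exe, hkjpy08.exe, ln3dkgz.exe) are short
# lowercase alphanumerics; this pattern is an assumption that generalises them.
RANDOM_EXE = re.compile(r"^[a-z0-9]{5,8}\.exe$")
# Executables that legitimately live directly in C:\Windows\ on a typical build.
# Assumption for this example; tune it against a known-good image.
WINDOWS_ROOT_ALLOW = {
    "explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
    "winhlp32.exe", "bfsvc.exe", "splwow64.exe", "helppane.exe",
}


def classify(path):
    """Return the list of report-derived findings for one file path."""
    p = PureWindowsPath(path)
    parts = tuple(s.lower() for s in p.parts)
    name = p.name.lower()
    findings = []
    # 1. The dropper masquerading as a Chrome update.
    if name == DROPPER_NAME:
        findings.append("dropper-name")
    # 2. A DLL inside <user profile>\AppData\Local\Connector\.
    if p.suffix.lower() == ".dll" and parts[-4:-1] == STAGING_TAIL:
        findings.append("staging-dll")
    # 3. A short random-looking .exe sitting directly in C:\Windows\ (not a subdirectory).
    in_windows_root = len(parts) == 3 and parts[0] == "c:\\" and parts[1] == "windows"
    if in_windows_root and RANDOM_EXE.match(name) and name not in WINDOWS_ROOT_ALLOW:
        findings.append("random-exe-in-windows-root")
    return findings


def hunt(paths):
    """Map each suspicious path to its findings; clean paths are omitted."""
    hits = {}
    for path in paths:
        findings = classify(path)
        if findings:
            hits[path] = findings
    return hits


def local_paths(root=r"C:\Windows"):
    """Enumerate real files under root on a Windows host (not used by the sample run)."""
    for directory, _, files in os.walk(root):
        for filename in files:
            yield os.path.join(directory, filename)


# Constructed sample inventory: mixes the report's artefacts with benign paths.
SAMPLE_PATHS = [
    r"C:\Users\alice\Downloads\GAPI_Update.exe",
    r"C:\Users\alice\AppData\Local\Connector\one.dll",
    r"C:\Users\alice\AppData\Local\Connector\two.dll",
    r"C:\Users\alice\AppData\Local\Connector\three.dll",
    r"C:\Users\alice\AppData\Local\Connector\readme.txt",
    r"C:\Windows\v4jkqh.exe",
    r"C:\Windows\notepad.exe",
    r"C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    for path, findings in hunt(SAMPLE_PATHS).items():
        print(path, "->", ", ".join(findings))
```

On a live host, feed `hunt(local_paths(...))` with the Windows root and each user's %LOCALAPPDATA% instead of SAMPLE_PATHS; a random-named executable in the Windows root is worth checking for a valid Authenticode signature before escalating, since the allow-list above is only a starting point.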

Once deployed, Torg Grabber targets a wide range of platforms beyond crypto wallets: 25 Chromium-based and 8 Firefox-based browsers, Discord, Steam, email clients, and password managers. Collected data is either archived in memory or streamed in real time, and exfiltration runs through Cloudflare infrastructure over encrypted channels.

Twitter Update on Torg Grabber

Torg Grabber’s codebase contains over 40 operator tags, linking it to the Russian cybercrime ecosystem. It is offered under a Malware-as-a-Service (MaaS) model that allows extensive customization of deployment configurations. According to Gen Digital researchers, it has moved from basic Telegram coordination to a REST API.

Implications of Targeting 728 Wallets

The 728 cryptocurrency wallet extensions targeted by Torg Grabber reflect a calculated effort to cover every major browser-based wallet with a significant user base, including MetaMask, which alone has over 30 million monthly active users. Because the malware harvests credentials from any infected device, operators do not need to identify specific victims.

Analyzing the Risks

The primary risk falls on self-custody users who store seed phrases in digital form, such as browser storage, text files, or password managers; a single infection can compromise a wallet completely. Users who keep their assets on exchanges are not directly exposed to this attack vector, since Torg Grabber targets local credential stores rather than exchange APIs at scale. Theft of active session tokens, however, can still put connected exchange accounts at risk.

As Torg Grabber’s operator base grows, the range of targeted wallets is likely to grow with it. The malware is a structured, systematic threat that echoes the tactics of earlier successful infostealers such as Vidar and RedLine.

Conclusion

With the rise of Torg Grabber, cryptocurrency users, particularly those using browser-based wallets, must remain vigilant. The malware’s ability to operate undetected and the sophistication of its deployment make robust security measures essential. Keeping software updated, using hardware wallets where possible, and following sound digital-security practices can help mitigate the risks posed by emerging threats of this kind.