GaboonGrabber

Malware

⚠️ Overview

GaboonGrabber is a Python-based information stealer malware first identified by the cybersecurity firm Unit 42 in March 2023. It is categorized as a credential and data stealer, operated by a low-sophistication threat actor colloquially tracked as "Gaboon" that primarily targets cryptocurrency wallets, browser-stored credentials, and system information for monetization via illicit resale on underground forums.

🔧 Technical Capabilities

GaboonGrabber propagates through phishing emails containing malicious Office documents or ISO files that drop the initial Python payload. The malware employs a multi-stage loading process: the first-stage downloader retrieves the core stealer from a remote C2 server using HTTPS GET requests with obfuscated URLs. Persistence is achieved via a scheduled task named "MicrosoftEdgeUpdateTask" and a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include AMSI bypass by patching the amsi.dll scan buffer, anti-VM checks via WMI queries for sandbox artifacts (e.g., product name containing "VirtualBox"), and string encryption using base64 and XOR with a hardcoded key. The C2 infrastructure relies on Discord webhooks for exfiltration, where stolen data is compressed (gzip) and uploaded to a channel controlled by the attacker.

📜 History & Notable Incidents

First observed in the wild in February 2023, GaboonGrabber was used in a targeted campaign against European cryptocurrency exchanges in April 2023, compromising over 200 user wallets according to a report by Proofpoint. No specific CVEs are associated with the malware itself, but it exploits publicly available tools like python-netfilter and cryptography libraries. Law enforcement has not taken formal action against the Gaboon group as of August 2024.

🔍 Detection Indicators

Known file hashes include SHA256: 4A8B2C1D... (truncated for brevity; full list in Unit 42 report). Behavioral signatures include creation of the mutex GlobalGaboonMutex by the payload, and outbound HTTP requests to Discord's discordapp.com with the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36". Registry artifacts include a new value under HKCU...Run named "EdgeUpdate" pointing to %Temp%gaboon.exe.

☠️ Risk & Impact

GaboonGrabber causes data exfiltration of cryptocurrency wallet seeds, saved passwords, and screenshots, leading to financial losses typically ranging from $5,000 to $50,000 per incident based on blockchain analysis by Chainalysis. Affected sectors include retail cryptocurrency investors and small-to-medium exchanges; no critical infrastructure or healthcare victims have been reported.

🛡️ Mitigation

Recommended defensive measures include blocking discordapp.com webhook domains on corporate proxies, enabling AMSI (Windows Antimalware Scan Interface) and using Sysmon to monitor for process injection (Event ID 8) and scheduled task creation (Event ID 4698). Detection rules based on MITRE ATT&CK techniques T1055 (Process Injection) and T1113 (Screen Capture) should be deployed in SIEM solutions.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.