{
	"id": "3cdb4b4f-a2ac-41c3-bd21-bd2decc69cb5",
	"created_at": "2026-04-06T00:10:31.804334Z",
	"updated_at": "2026-04-10T13:12:45.206771Z",
	"deleted_at": null,
	"sha1_hash": "b9c0ae0729e3c60ae81b48604499f84a6a8ffbe3",
	"title": "EvilGrab Malware Family Used In Targeted Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57130,
	"plain_text": "EvilGrab Malware Family Used In Targeted Attacks\r\nBy Trend Micro\r\nPublished: 2013-09-19 · Archived: 2026-04-05 23:13:14 UTC\r\nRecently, we spotted a new malware family that was being used in targeted attacks - the EvilGrab malware family. It is called EvilGrab due to its behavior of grabbing audio, video, and screenshots from affected machines. We detect EvilGrab under the following malware families:\r\nBKDR_HGDER\r\nBKDR_EVILOGE\r\nBKDR_NVICM\r\nLooking into the feedback provided by the Smart Protection Network, EvilGrab is most prevalent in the Asia-Pacific region, with governments being the dominant sector targeted. These findings are consistent with known trends in targeted attacks. The full report on EvilGrab may be found at the Threat Intelligence Resource on Targeted Attacks together with other resources discussing targeted attacks.\r\nAttack Vectors\r\nThe most common arrival vector for EvilGrab malware is spear-phishing messages with malicious Microsoft Office attachments. In particular, malicious Word files and Excel spreadsheets that contain code targeting CVE-2012-0158 are a favored way to spread this new threat.\r\nInformation Theft\r\nEvilGrab has three primary components: one .EXE file and two .DLL files. The .EXE file acts as the installer for all of the EvilGrab components. One of the .DLL files serves as a loader for the other .DLL file, which is the main backdoor component. Some variants of EvilGrab delete the .EXE file after installation to cover their tracks more effectively.\r\nEvilGrab attempts to steal saved login credentials from both Internet Explorer and Outlook. The credentials of both websites and email accounts are targeted for theft by attackers. In addition to this, it can also \"grab\" any played audio and/or video on the system using standard Windows APIs. As part of its backdoor functionality, it can also take screenshots and log keystrokes. All of these are uploaded to a remote server to be accessed by the attacker.\r\nTargeted Applications\r\nEvilGrab has some unique behaviors if it detects certain installed applications. First of all, it is explicitly designed to steal information from Tencent QQ, a Chinese instant messaging application. It steals and uploads all the memory used by QQ. This may reveal the contents of conversations or the members of the user's contact list. EvilGrab will attempt to inject itself into the processes of certain security products. In the absence of these security products, it will choose to inject itself into standard Windows system processes. ESET, Kaspersky, and McAfee have all been specifically targeted by EvilGrab for process injection.\r\nBackdoor Activities\r\nEvilGrab possesses backdoor capabilities that allow an attacker to carry out a wide variety of commands on the affected system. This grants the attacker complete control over a system affected by EvilGrab. As part of its command-and-control traffic, EvilGrab contains two separate identifiers, which may serve as campaign codes and/or trackers. One of the identifiers has been seen with the following values:\r\n006\r\n007\r\n0401\r\n072002\r\n3k-Ja-0606\r\n3k-jp01\r\n4k-lyt25\r\n88j\r\ne-0924\r\nLJ0626\r\nRB0318\r\nThe other field has been seen with two values:\r\nV2010-v16\r\nV2010-v24\r\nWe have observed that the main backdoor component of variants carrying the V2010-v24 identifier has a proper MZ/PE header, while most variants carrying the V2010-v16 identifier have parts of their MZ/PE header overwritten with “JPEG” strings.\r\nUpdate as of September 26, 2013\r\nThe MD5 hashes of the files involved in this attack are:\r\n2E991260E42266DB9BCCFA40DC90AE16\r\n7ED71CF0B98E60CC5D4296220F47C5A2\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/evilgrab-malware-family-used-in-targeted-attacks-in-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/evilgrab-malware-family-used-in-targeted-attacks-in-asia/"
	],
	"report_names": [
		"evilgrab-malware-family-used-in-targeted-attacks-in-asia"
	],
	"threat_actors": [],
	"ts_created_at": 1775434231,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9c0ae0729e3c60ae81b48604499f84a6a8ffbe3.pdf",
		"text": "https://archive.orkl.eu/b9c0ae0729e3c60ae81b48604499f84a6a8ffbe3.txt",
		"img": "https://archive.orkl.eu/b9c0ae0729e3c60ae81b48604499f84a6a8ffbe3.jpg"
	}
}