
Mercurial Grabber

Category: Malware

Type: Infostealer and credential grabber

Platform: Windows

Variants: cheat fivem.exe, dmod.exe, VinHub.exe, Lct.exe

Damage potential: Mercurial Grabber steals sensitive personal, financial, and gaming information. It compromises user privacy, opens the door for identity theft or fraud, and can enable further exploitation of infected systems.

Overview

Mercurial Grabber emerged in 2021 as an open-source C# malware builder published on GitHub. Although it was presented as an educational project, threat actors quickly began using and modifying it to target real users.

As its use in attacks grew, Mercurial Grabber became responsible for the theft of a wide range of sensitive data. The malware focuses primarily on browser data, including saved passwords and cookies, but it also targets widely used platforms such as Discord, Roblox, and Minecraft. Because it steals authentication tokens and session cookies rather than just passwords, an attacker can log straight into the victim's accounts without knowing the password at all.

When executed, Mercurial Grabber silently operates in the background, collecting sensitive data such as:

  • Passwords and cookies stored by browsers such as Google Chrome and Opera.
  • Discord tokens extracted from local LevelDB files.
  • Gaming session data, including Roblox cookies and Minecraft files.
  • Device information: operating system, hardware details, IP address, geolocation, and desktop screenshots.

Mercurial Grabber encrypts the collected data with AES-GCM and sends it to a command and control (C2) server operated by the attacker. The malware also hinders analysis with anti-debugging checks.

In addition, it uses anti-virtual machine (anti-VM) techniques to detect controlled environments such as sandboxes and virtual machines, and it stops running if it believes it is inside one. These checks make Mercurial Grabber harder to analyze automatically and help it stay undetected on infected systems.

Possible symptoms

Although Mercurial Grabber operates stealthily, certain symptoms may indicate infection:

  • Sluggish or unresponsive system performance.
  • Unexpected system crashes or errors.
  • Unusual network activity or bandwidth spikes.
  • Unknown or suspicious processes running in Task Manager.
  • Redirection or alteration of web traffic.

However, these symptoms are common to almost any malware infection. More specific indicators that point to Mercurial Grabber include:

  • Unauthorized activity in Discord, Roblox, or Minecraft accounts, such as messages sent without your consent, altered account settings, or being logged out unexpectedly.
  • An image file named "capture.jpg" in a temporary or otherwise suspicious folder, which may indicate that the malware has taken a screenshot of your desktop.
  • Sudden logouts or session disruptions in Roblox or Minecraft, which can be a sign that a stolen cookie or token is being used from another device.
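The two Mercurial Grabber-specific indicators above (a known variant executable in the process list, and a capture.jpg dropped in a temporary folder) can be checked with a short triage script. The following is an added example written for this page, not code from the malware project or from NordVPN. It parses the CSV format produced by `tasklist /fo csv` on Windows and filters a list of file paths; the process listing and file paths below are constructed sample data so the script runs offline, and the assumption that a screenshot in any folder named Temp or tmp is suspicious is the author's, not the page's.

```python
"""Triage for Mercurial Grabber indicators: known variant process names and a
capture.jpg screenshot in a temporary folder.  Sample inputs are constructed."""
import csv
import io
import re
from dataclasses import dataclass

# Variant executable names listed on the page, compared case-insensitively.
VARIANT_NAMES = {"cheat fivem.exe", "dmod.exe", "vinhub.exe", "lct.exe"}

# Screenshot artifact named on the page.
SCREENSHOT_NAME = "capture.jpg"

# Assumption: a screenshot dropped under any "Temp" or "tmp" directory is suspicious.
TEMP_DIR_PATTERN = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str      # "process" or "file"
    subject: str   # image name or file path
    reason: str


def parse_tasklist_csv(text):
    """Parse `tasklist /fo csv` output into (image_name, pid) tuples.
    The first row is the header: "Image Name","PID","Session Name","Session#","Mem Usage"."""
    reader = csv.reader(io.StringIO(text))
    rows = list(reader)
    return [(row[0], int(row[1])) for row in rows[1:] if len(row) >= 2]


def check_processes(processes):
    """Flag running images whose name matches a known variant file name."""
    return [
        Finding("process", name, f"known Mercurial Grabber variant name (PID {pid})")
        for name, pid in processes
        if name.lower() in VARIANT_NAMES
    ]


def check_files(paths):
    """Flag capture.jpg only when it sits in a temporary folder; a capture.jpg in
    Pictures or Downloads is a common user file and is deliberately not reported."""
    findings = []
    for path in paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower() == SCREENSHOT_NAME and TEMP_DIR_PATTERN.search(path):
            findings.append(Finding("file", path, "capture.jpg in a temporary folder (possible stolen screenshot)"))
    return findings


def triage(tasklist_csv, file_paths):
    """Run both checks and return all findings, processes first."""
    return check_processes(parse_tasklist_csv(tasklist_csv)) + check_files(file_paths)


# Constructed sample data (not captured from a real host).
SAMPLE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"System Idle Process","0","Services","0","8 K"\n'
    '"explorer.exe","3244","Console","1","98,112 K"\n'
    '"dmod.exe","4120","Console","1","12,340 K"\n'
    '"Cheat FiveM.exe","5588","Console","1","21,004 K"\n'
)
SAMPLE_PATHS = [
    r"C:\Users\bob\AppData\Local\Temp\capture.jpg",
    r"C:\Users\bob\Pictures\capture.jpg",
    r"C:\Users\bob\AppData\Local\Temp\setup.log",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_TASKLIST, SAMPLE_PATHS):
        print(f"[{f.kind}] {f.subject}: {f.reason}")
```

On a live Windows host, replace the sample data with the real `tasklist /fo csv` output and a walk of `%TEMP%` and `C:\Windows\Temp`. A clean result does not prove the machine is clean: an attacker can rename the dropper, and the screenshot may already have been exfiltrated and deleted, so treat a hit as confirmation and a miss as inconclusive.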

Sources of the infection

Mercurial Grabber spreads through various attack vectors, including:

  • Phishing emails. Attackers send malicious attachments or links and trick victims into opening or running them, which executes the malware on the victim's system.
  • Malvertising. Malicious advertisements served through otherwise legitimate websites can deliver Mercurial Grabber without the site operator's knowledge.
  • Drive-by downloads. Interacting with links or ads on compromised websites can trigger an automatic download of the malware.
  • Trojanized software. Mercurial Grabber is often bundled with pirated software or programs downloaded from untrusted sources.
  • Exploited vulnerabilities. Attackers can exploit unpatched systems, outdated software, or weak security settings to install the malware.
  • Infected USB drives. A USB drive carrying Mercurial Grabber infects the system when the user opens a file on it, or automatically where autorun is still enabled.

Protection

The best way to protect against Mercurial Grabber is to stay informed about infostealers and the tactics attackers use to compromise your data. Follow these tips to protect against Mercurial Grabber:

  • Use antivirus and anti-malware software. Install and regularly update reliable antivirus software that includes detection for information-stealing malware.
  • Update systems and software regularly. Keep your operating system, browsers, and all applications up to date to patch vulnerabilities.
  • Use Threat Protection Pro™. Purchase NordVPN with the advanced Threat Protection Pro™ feature, which blocks malicious sites and scans files for malware as you download them. 
  • Avoid suspicious links and attachments. Never click on unfamiliar links or suspicious attachments, especially from unknown senders, because they may contain malware.
  • Improve network security. Set up firewalls, intrusion detection systems, and endpoint protection to detect and block Mercurial Grabber’s attempts to establish command and control connections.
  • Use multi-factor authentication (MFA). MFA adds an extra layer of security to your accounts, making unauthorized logins with a stolen password much harder. Note that a stolen session cookie or Discord token bypasses MFA entirely, so if you suspect an infection, sign out of all sessions and reset credentials rather than relying on MFA alone.
  • Avoid downloading pirated software. Download applications only from official or verified sources. Avoid cracked software versions or torrents.

Removal of Mercurial Grabber

If you suspect Mercurial Grabber has infected your system, immediately disconnect your device from the internet to cut communication with the malware’s C2 servers. Next, restart your computer in safe mode to limit Mercurial Grabber’s ability to operate undetected.

Run a full system scan with reputable antivirus or anti-malware software to detect and remove Mercurial Grabber. Follow the software’s recommended steps to ensure thorough malware removal. Allow the antivirus program to quarantine or delete any detected threats.

Once you have removed Mercurial Grabber from your system, change all your online account passwords to strong, unique ones, preferably from a device you know is clean, and sign out of all other sessions in each account so that stolen cookies and tokens stop working. If the malware persists or you cannot remove it completely, contact a cybersecurity professional for help.