The Latest in IT Security

EvilGrab’s Evil, Still Propagating


Recently, Trend Micro published findings on a new campaign called EvilGrab that typically targets victims in Japan and China. The campaign is still active, and we have now acquired the builder used to create its binaries.

EvilGrab Builder In The Wild

What led us to the builder for EvilGrab was a binary camouflaged as a Microsoft Word document and named 最新版本的请愿书-让我们一同为书记呐喊(请修改指正).doc.exe. The name is Simplified Chinese and roughly translates to "Latest version of the petition - let us cheer together for the Secretary (please revise and correct).doc.exe"; the .doc.exe double extension is what makes the executable pass for a document, since Windows hides known extensions by default. (Its MD5 hash is b48c06ff59987c8a6c7bda3e1150bea1 and we detect it as BKDR_EVILOGE.SM.) It communicates with two command-and-control servers, one in Hong Kong and one in Japan, installs a copy of itself to run at startup, and makes several changes to the Windows registry. All of this is fairly typical for malware of this type.
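The two cheapest checks a responder can run on a dropped file of this kind are the name check (a document extension followed by an executable one) and a hash lookup. The script below is an added example, not Trend Micro's code: the only data it takes from this post are the .doc.exe naming pattern and the MD5 above; the extension lists, the IOC set and the sample bytes are constructed for illustration.

```python
"""Triage a dropped file by name and hash.

Added example, not Trend Micro's code. The only data taken from the post are the
decoy naming pattern ("<document name>.doc.exe") and the MD5
b48c06ff59987c8a6c7bda3e1150bea1 of the sample it describes; everything else
(the extension lists, the sample bytes) is constructed for illustration.
"""
import hashlib
import os
import unicodedata

# Extensions a user expects to open harmlessly ...
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt"}
# ... and extensions Windows actually executes on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# IOC from the post (BKDR_EVILOGE.SM); a real deployment would load a feed here.
KNOWN_BAD_MD5 = {"b48c06ff59987c8a6c7bda3e1150bea1"}


def split_extensions(name):
    """All trailing extensions of a filename, lower-cased, innermost first:
    'a.doc.exe' -> ['.doc', '.exe']."""
    base = os.path.basename(name)
    exts = []
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def is_decoy_document(name):
    """True when a document-looking name really ends in an executable extension.

    NFKC normalisation folds look-alike punctuation (e.g. the fullwidth full stop
    U+FF0E) so that a non-ASCII name cannot dodge the check."""
    exts = split_extensions(unicodedata.normalize("NFKC", name))
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS


def md5_hex(data):
    """MD5 of the file bytes, used only for IOC lookup (it is not collision-resistant)."""
    return hashlib.md5(data).hexdigest()


def triage(name, data, known_bad=KNOWN_BAD_MD5):
    """Return the reasons a file should be quarantined; an empty list means
    neither check fired, which is not proof that the file is clean."""
    reasons = []
    if is_decoy_document(name):
        normalised = unicodedata.normalize("NFKC", name)
        reasons.append("document name with executable extension: " + "".join(split_extensions(normalised)))
    digest = md5_hex(data)
    if digest in known_bad:
        reasons.append("MD5 %s matches a known EvilGrab sample" % digest)
    return reasons


if __name__ == "__main__":
    constructed = b"MZ\x90\x00 constructed stand-in, not a real sample"
    for n in ("New.doc.exe", "report.docx"):
        print(n, "->", triage(n, constructed) or "no findings")
```

The hash check only catches the exact sample the post describes; every build from the builder discussed below has a different hash, so the name check and the registry behaviour are the more durable indicators.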

However, some of the added registry entries were of special relevance:


These registry entries appear to be an attempt to inject the malware into the processes of anti-virus products. It does not target just one engine: AVG, Trend Micro, Kaspersky, NOD32, Avast, Avira, and Symantec are all covered. Like the EvilGrab samples we previously discussed, this malware also performs the same checks for Tencent QQ, a popular Chinese instant messaging system.

While the malware in and of itself is not particularly unusual, analyzing it led us to a builder used to generate these samples. The builder was found in the wild under the name Property4.exe.


The builder exposes several fields for the attacker to fill in. Among them are:

  • C&C server (either an IP address or a domain name) with port and connection interval
  • File icon (installation package, folder or document icon)
  • Self-deletion
  • Keyboard logging

In addition, on the second tab of the builder, the attacker can choose which AV products the generated binary will attempt to bypass:


Figure 2. Bypassed AV software

Testing With The EvilGrab Builder

At this point, we decided to test the functionality of the builder and compare the generated binary against the versions of EvilGrab we identified earlier.

First, we fired the builder up and entered some basic settings for the test version of EvilGrab that would be generated.


Figure 3. EvilGrab Builder

We selected the output icon to mimic a Microsoft Word document and named the result New.doc.exe, as seen here. Note that the Microsoft Word document icon is reproduced accurately.

Figure 4. EvilGrab test sample

In addition to the created binary, a configuration file holding the connection details is dropped.

Figure 5. EvilGrab configuration file

We then analyzed the test binary we had just created. It showed the same functionality as the EvilGrab malware identified in our original blog post, including the Tencent QQ checks. We also saw it inject its code into the legitimate svchost.exe process.


Comparing the EvilGrab samples found in the wild with samples generated by the builder shows that they are nearly identical in functionality.

The registry entries, for instance, are nearly identical. A quick sample of the registry edits shows the similarity between the two.


Table 1. Edited Windows registry keys

Likewise, both samples have nearly identical import tables. Below is a sample of the imported functions.


Table 2. Import functions
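Two of the observations above, the registry entries aimed at AV processes and the near-identical registry edits and import tables of the in-the-wild and builder-generated samples, can be checked mechanically once each sample's registry changes are captured as a .reg export and its imports are listed. The script below is an added example, not Trend Micro's tooling. It assumes the .reg export and an import list as inputs (e.g. from a sandbox before/after diff and pefile); the watched registry locations are the usual code-loading and persistence spots rather than EvilGrab's exact keys, which the post does not reproduce, and the sample exports embedded in it are constructed placeholders.

```python
"""Compare registry changes and import tables of two samples.

Added example, not Trend Micro's tooling. It assumes each sample's registry
changes were captured as a Windows .reg export (e.g. a sandbox before/after
diff) and that the import lists were already extracted (e.g. with pefile). The
watched registry locations are the usual code-loading and persistence spots;
the post says the entries target AV processes but does not reproduce them, so
the sample exports below are constructed placeholders, not EvilGrab's real keys.
"""
import re

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {(key, value_name): value}; keys and value names
    are lower-cased so that two exports can be compared case-insensitively."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]   # '@' is the default value
            value = m.group(2)
            if value.startswith('"') and value.endswith('"'):       # REG_SZ: unescape \\ and \"
                value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            entries[(current, name.lower())] = value                # dword:/hex: values kept raw
    return entries


def classify(key, name):
    """Why a (key, value_name) pair matters, or None. Assumption: these are the
    common ways to get code into other processes or to run at logon."""
    if "\\image file execution options\\" in key and name == "debugger":
        return "IFEO Debugger hijack: %s is started through the registered binary" % key.rsplit("\\", 1)[-1]
    if key.endswith("\\currentversion\\windows") and name == "appinit_dlls":
        return "AppInit_DLLs: loaded into every process that links user32.dll"
    if re.search(r"\\currentversion\\run(once)?$", key):
        return "Run key persistence (%s)" % name
    return None


def suspicious_entries(entries):
    """[(key, name, value, reason)] for entries in the watched locations."""
    return [(k, n, v, classify(k, n)) for (k, n), v in entries.items() if classify(k, n)]


def jaccard(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0


def compare_registry(wild, built):
    """Similarity of the touched (key, value_name) pairs, and the shared pairs
    whose values differ (typically the per-build C&C address, port or path)."""
    differing = {k: (wild[k], built[k]) for k in set(wild) & set(built) if wild[k] != built[k]}
    return jaccard(wild, built), differing


def compare_imports(wild_imports, built_imports):
    """Similarity of 'dll!function' import sets, case-insensitive."""
    return jaccard({i.lower() for i in wild_imports}, {i.lower() for i in built_imports})


# Constructed sample exports: same locations, per-build values (not real EvilGrab data).
WILD_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avproduct.exe]
"Debugger"="C:\\Windows\\Temp\\wild_sample.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Update"="C:\\Windows\\Temp\\wild_sample.exe"
'''
BUILT_REG = WILD_REG.replace("wild_sample.exe", "New.doc.exe")

if __name__ == "__main__":
    wild, built = parse_reg(WILD_REG), parse_reg(BUILT_REG)
    for k, n, v, reason in suspicious_entries(wild):
        print("%-28s %s = %s" % (reason.split(":")[0], n, v))
    sim, diff = compare_registry(wild, built)
    print("registry similarity %.2f, %d value(s) differ" % (sim, len(diff)))
```

The useful signal for family attribution is the key set, not the values: every build from Property4.exe writes the same locations but fills in its own C&C address, port and install path, so `compare_registry` reports them as differing values over an otherwise identical set. Note that the IFEO Debugger rule flags a launch hijack, which is one way to get the attacker's code running in place of an AV process; whether EvilGrab uses that route or another is not shown on this page.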


We have been finding EvilGrab samples in the wild for some time now. With the builder in hand, we can develop stronger protections and continue to keep our customers protected against this malware family. It also lets us improve our threat intelligence on the actors who are using and developing it.

More of what we have disclosed about EvilGrab can be found in our earlier report on targeted attacks, which also covered this family.
