Qilin ransomware observed harvesting credentials saved in the Chrome browser
Sophos X-Ops, the company's international security research team, observed credential-harvesting activity while responding to a Qilin ransomware incident. The finding marks a worrying shift in how this ransomware group operates.
Overview of the attack process
The attack analyzed by Sophos researchers began with the Qilin operators gaining access to the target network using compromised credentials on a VPN gateway that had no multi-factor authentication (MFA) enabled.
There followed 18 days of near-total inactivity, which suggests the attackers may have bought their way into the network through an initial access broker (IAB). Qilin probably spent that time mapping the network, identifying key assets and performing reconnaissance.
After those 18 days, the attackers moved to a domain controller and modified Group Policy Objects (GPOs) so that a PowerShell script ('IPScanner.ps1') ran on every machine in the domain where a user logged on.
The script is launched by a batch file ('logon.bat') that is likewise delivered through the GPO, and it is designed to collect the credentials saved in Google Chrome.
The batch file is configured to run (and so trigger the PowerShell script) every time a user logs on to a machine. The harvested credentials were written to the domain's 'SYSVOL' share in a file named 'LD' or 'temp.log'.
After the files were sent to Qilin's command-and-control (C2) server, the local copies and the related event logs were deleted to hide the activity. Finally, Qilin deployed its ransomware payload and encrypted data on the compromised machines.
A separate GPO and script file ('run.bat') were used to download and execute the ransomware on every machine in the domain.
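The chain above (a GPO-delivered logon.bat that launches a PowerShell script, with staging files dropped in SYSVOL) is something defenders can hunt for directly. The following PowerShell script is an added example and is not code from the Sophos report or from the Qilin tooling. It lists every logon, logoff, startup and shutdown script that any GPO in the domain pushes, then lists script files in the SYSVOL share that changed recently, hashing each one and flagging any that reference Chrome's password database ('Login Data'). It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that the account running it can read SYSVOL; the 30-day lookback window and the list of script extensions are arbitrary choices.

```powershell
# Added hunt script (not from the Sophos report or the Qilin attack tooling).
# Requires the RSAT GroupPolicy and ActiveDirectory modules and read access to SYSVOL.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Assumption: a 30-day window is recent enough to catch a freshly planted logon script.
$Lookback   = (Get-Date).AddDays(-30)
$ScriptExts = @('.bat', '.cmd', '.ps1', '.vbs')

function Get-GpoScriptInventory {
    # Lists every logon/logoff/startup/shutdown script configured in any GPO.
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        # Script entries sit under <ExtensionData><Extension><Script> for both scopes.
        $scripts = @($report.GPO.User.ExtensionData.Extension.Script) +
                   @($report.GPO.Computer.ExtensionData.Extension.Script)
        foreach ($s in ($scripts | Where-Object { $_ })) {
            [pscustomobject]@{
                GPO             = $gpo.DisplayName
                GpoModified     = $gpo.ModificationTime
                Type            = $s.Type        # Logon, Logoff, Startup or Shutdown
                Command         = $s.Command     # e.g. logon.bat
                Parameters      = $s.Parameters
                RecentlyChanged = $gpo.ModificationTime -gt $Lookback
            }
        }
    }
}

function Get-RecentSysvolScripts {
    # Lists script files in SYSVOL changed within the lookback window, with a hash
    # and a flag for references to Chrome's credential store.
    $domain = (Get-ADDomain).DNSRoot
    $sysvol = "\\$domain\SYSVOL\$domain"
    Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $ScriptExts -contains $_.Extension -and $_.LastWriteTime -gt $Lookback } |
        ForEach-Object {
            # Chrome keeps saved passwords in '...\Google\Chrome\User Data\<profile>\Login Data'.
            $chromeRef = Select-String -Path $_.FullName -Pattern 'Login Data|Google\\Chrome\\User Data' -Quiet
            [pscustomobject]@{
                Path             = $_.FullName
                Modified         = $_.LastWriteTime
                SHA256           = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                ReferencesChrome = [bool]$chromeRef
            }
        }
}

Get-GpoScriptInventory   | Format-Table -AutoSize
Get-RecentSysvolScripts  | Format-Table -AutoSize
```

Any GPO script that administrators do not recognize, and any recently modified file in SYSVOL, deserves a closer look; the hash lets you compare against a known-good baseline or submit the file for analysis. Because the attackers also used SYSVOL to stage the harvested credentials ('LD' and 'temp.log'), adding '.log' and extensionless files to the filter is a cheap way to catch the output files as well as the scripts.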
Why this makes defense harder
Qilin's targeting of Chrome credentials sets a worrying precedent that could make defending against ransomware attacks harder.
Because the GPO applies to every machine in the domain, each device a user logs on to is subject to the credential-collection routine.
In other words, the script can steal credentials from every machine in the environment, as long as the machine is domain-joined and a user logs on while the policy is in place.
Credential theft at that scale lets attackers mount follow-on attacks, turning one breach into incidents across multiple platforms and services and making response far more cumbersome. It also creates a persistent threat that outlives the ransomware incident itself, because stolen passwords stay valid until they are changed.
Organizations can reduce the risk by adopting strict policies that prohibit storing secrets in web browsers. Enforcing multi-factor authentication is also key to protecting accounts from takeover even when a password has been compromised.
Finally, applying the principle of least privilege and segmenting the network make it considerably harder for an attacker to spread through a compromised environment.
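The policy recommendation above can be enforced technically rather than left to users. The following PowerShell script is an added example (not from the Sophos report) showing the weak default beside the corrected setting: Chrome's 'PasswordManagerEnabled' policy is set to 0 under the HKLM policy key Chrome reads, the result is verified, and the password databases that already exist in local user profiles are listed, since the policy stops new passwords from being saved but does not remove ones stored earlier. It assumes it is run elevated on each endpoint; in a domain the same registry value is normally deployed through a GPO using Google's Chrome administrative templates.

```powershell
# Added hardening and audit script (not from the Sophos report).
# Assumption: run elevated on the endpoint, or push the same value via GPO instead.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromePasswordManagerPolicy {
    # Weak (default) state: key absent or PasswordManagerEnabled = 1, so Chrome
    # offers to save every password the user types. Corrected state: value 0.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'PasswordManagerEnabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-ChromePasswordManagerPolicy {
    # Returns $true only when the policy value exists and is 0.
    $value = (Get-ItemProperty -Path $PolicyKey -Name 'PasswordManagerEnabled' -ErrorAction SilentlyContinue).PasswordManagerEnabled
    return ($value -eq 0)
}

function Get-ExistingChromeLoginData {
    # Disabling the password manager stops new saves but leaves existing entries.
    # Each Chrome profile stores them in a SQLite file named 'Login Data'; list what
    # remains so the credentials can be moved to a managed vault and cleared.
    Get-ChildItem -Path 'C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data' -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Set-ChromePasswordManagerPolicy
"PasswordManagerEnabled enforced: $(Test-ChromePasswordManagerPolicy)"
Get-ExistingChromeLoginData | Format-Table -AutoSize
```

Run the Test function on its own from a compliance script to confirm the setting has not been reverted, and treat any remaining 'Login Data' file with a non-trivial size as credentials that are still exposed to the technique described in this article until they are rotated.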