Detecting a new ransomware strain that specializes in stealing login information from the Chrome browser
Sophos X-Ops, the vendor's international security research team, observed credential-harvesting techniques while responding to a Qilin ransomware incident. This marks an alarming change in how this dangerous ransomware strain operates.
Overview of the attack process
The attack analyzed by Sophos researchers began with the Qilin attackers gaining access to the target network using compromised credentials on a VPN gateway that did not enforce multi-factor authentication (MFA).
This was followed by 18 consecutive days of 'hibernation', suggesting that the attackers may have bought their way into the network through an initial access broker (IAB). It is possible that Qilin spent this time mapping the network, identifying key assets, and conducting reconnaissance.
After those 18 days, the attackers moved laterally to a domain controller and modified Group Policy Objects (GPOs) to execute a PowerShell script ('IPScanner.ps1') on every machine logged on to the domain.
The script was launched by a batch script ('logon.bat'), also included in the GPO, and was designed to collect login information stored in Google Chrome.
The batch script was configured to run (and trigger the PowerShell script) every time a user logged in to their machine. The stolen login information was then saved on the 'SYSVOL' share under the name 'LD' or 'temp.log'.
After the files were sent to Qilin's command-and-control (C2) server, the local copies and the related event logs were deleted to hide the malicious activity. Finally, Qilin deployed its ransomware payload and encrypted data on the compromised machines.
A different GPO and a separate script file ('run.bat') were used to download and execute the ransomware on all machines in the domain.
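As an added illustration (not code from the Sophos report or from this page), the following Python sketch runs two detection rules over constructed process-creation events that mirror the chain above: PowerShell launched with a SYSVOL-hosted script argument (the logon.bat to IPScanner.ps1 step), and one SYSVOL script fanning out across many hosts, which is how a GPO-pushed logon script presents in endpoint telemetry. The hostnames, user names, domain name and record layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (hosts, users and the domain
# name are invented); field names mimic a typical EDR/Sysmon record.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File \\corp.example\SYSVOL\corp.example\scripts\IPScanner.ps1"},
    {"host": "WS02", "user": "bob", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File \\corp.example\SYSVOL\corp.example\scripts\IPScanner.ps1"},
    {"host": "WS03", "user": "carol", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File \\corp.example\SYSVOL\corp.example\scripts\IPScanner.ps1"},
    {"host": "WS01", "user": "alice", "parent": "userinit.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c \\corp.example\SYSVOL\corp.example\scripts\logon.bat"},
    {"host": "WS02", "user": "bob", "parent": "userinit.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c \\corp.example\SYSVOL\corp.example\scripts\logon.bat"},
    # Benign: scheduled backup script that lives on a local disk, not SYSVOL.
    {"host": "SRV01", "user": "svc_backup", "parent": "taskeng.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
]

# A UNC path into any domain's SYSVOL share ending in a script extension.
SYSVOL_SCRIPT = re.compile(r"\\\\[^\\\s]+\\sysvol\\\S*?\.(?:ps1|bat|cmd)\b", re.IGNORECASE)

def sysvol_scripts(cmdline):
    """Return every SYSVOL-hosted script path referenced on a command line."""
    return [m.group(0).lower() for m in SYSVOL_SCRIPT.finditer(cmdline)]

def powershell_from_sysvol(events):
    """Rule 1: PowerShell whose script argument lives in SYSVOL.
    Returns (host, user, script) tuples for analyst triage."""
    hits = []
    for e in events:
        if e["image"].lower().endswith("powershell.exe"):
            for script in sysvol_scripts(e["cmdline"]):
                hits.append((e["host"], e["user"], script))
    return hits

def sysvol_script_fanout(events, min_hosts=3):
    """Rule 2: the same SYSVOL script executing on min_hosts or more distinct
    hosts, the fan-out signature of a GPO-pushed logon script."""
    hosts = defaultdict(set)
    for e in events:
        for script in sysvol_scripts(e["cmdline"]):
            hosts[script].add(e["host"])
    return {s: sorted(h) for s, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for hit in powershell_from_sysvol(SAMPLE_EVENTS):
        print("PowerShell from SYSVOL:", hit)
    for script, host_list in sysvol_script_fanout(SAMPLE_EVENTS).items():
        print("fan-out:", script, "->", ", ".join(host_list))
```

Legitimate logon scripts also live in SYSVOL, so the fan-out rule is best baselined against the scripts an organization already deploys and alerted on new paths only.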
Complexity in defense
Qilin's approach to Chrome credentials sets a worrying precedent that could make protecting against ransomware attacks more difficult.
Because the GPO is applied to all machines in the domain, every device where a user is logged in is subject to the credential collection process.
This means the script can steal credentials from every machine across the environment, as long as the machine is joined to the domain and a user logs in while the GPO is active.
Such widespread credential theft could allow the attackers to launch follow-on attacks, leading to security incidents spread across multiple platforms and services and making response efforts far more cumbersome. It also creates a persistent threat that lasts long after the ransomware incident itself is resolved.
Organizations can minimize risk by adopting strict policies to prohibit the storage of secrets in web browsers. Additionally, implementing multi-factor authentication is key to protecting accounts from takeover, even in the event that credentials are compromised.
Finally, implementing the principles of least privilege and network segmentation can significantly hinder a threat actor's ability to spread across a compromised network.