Qilin, the ransomware group believed to be behind the recent Synnovis attack, has been observed stealing credentials stored in Google Chrome after gaining access to a target’s network.
Researchers at Sophos X-Ops, who detected the activity, said this is an unusual tactic for ransomware groups, and one that could be a bonus multiplier for the chaos already inherent in ransomware situations.
Laying the Foundations for Credential Harvesting
In the case Sophos observed, Qilin did not only conduct an extortion attack but also deployed a credentials-harvesting scheme.
The group targeted Google Chrome browsers, which currently holds over 65% of the browser market.
Once the group reaches a target domain controller, it edits the default domain policy to introduce a logon-based Group Policy Object (GPO) containing two items.
“The first, a PowerShell script named IPScanner.ps1, [is] written to a temporary directory within the System Volume (SYSVOL) share [the shared New Technology File System (NTFS) directory located on each domain controller inside an Active Directory domain] on the specific domain controller involved. It contains a 19-line script that attempted to harvest credential data stored within the Chrome browser,” Sophos explained.
The second item, a batch script named logon.bat, contained the commands to execute the first script.
This combination resulted in harvesting credentials saved in Chrome browsers on machines connected to the network.
Collecting Browser Credentials on the Endpoints
Whenever someone logs in on an infected an endpoint, the logon.bat launches the IPScanner.ps1 script, creating two files: a SQLite database file named LD and a text file named temp.log.
These files are written back to a newly created directory on the domain’s SYSVOL share and named after the device’s hostname on which they were executed.
All the devices’ credentials were thus dropped in the LD database.
Once the files containing the harvested credentials are stolen and exfiltrated, the attacker deletes all the files and clears the event logs for both the domain controller and the infected machines, then encrypts files and drops the ransom note.
Sophos detected the scheme because Qilin – “In a display of confidence that they would not be caught or lose their access to the network” – left the GPO active on the network for over three days.
“A successful compromise of this sort would mean that not only must defenders change all Active Directory passwords; they should also (in theory) request that end users change their passwords for dozens, potentially hundreds, of third-party sites for which the users have saved their username-password combinations in the Chrome browser,” warned Sophos.
“If they, or other attackers, have decided to also mine for endpoint-stored credentials – which could provide a foot in the door at a subsequent target, or troves of information about high-value targets to be exploited by other means – a dark new chapter may have opened in the ongoing story of cybercrime.”
Mitigation Recommendations
To mitigate this type of browser credential-harvesting attack, Sophos recommended the following measures:
- Do not use a browser-based password manager
- Rely on password manager applications that employ industry best practices for software development
- Implement multifactor authentication (MFA)