Ransomware: Qilin steals access data from Google Chrome

While investigating a ransomware incident, Sophos observed a new behavior of Qilin. It steals access data from Chrome.

(Image: a laptop in front of encrypted servers, with an intruder fishing data out of Google Chrome. Created with AI in Bing Designer by heise online / dmk)

During an analysis of a ransomware incident, IT researchers from Sophos have discovered a new behavior. After infecting the network, the Qilin ransomware exfiltrated access data from the Google Chrome web browser on the endpoints in order to gain access to other systems and services.

As the IT security researchers from Sophos write in their analysis, the attackers used VPN credentials to gain unauthorized access to the network in the incident investigated in July of this year. A lack of multi-factor authentication was to blame for the initial intrusion, the IT forensics experts explain. According to them, 18 days passed between the initial intrusion into the organization and further movement in the network. The intrusion may also have been carried out by an IAB (Initial Access Broker), i.e. a criminal group specializing in breaking into networks and selling the access to other malicious actors.

With the compromised credentials, the attackers managed to access a domain controller (DC) in the Active Directory (AD) after those 18 days. There, they manipulated the default group policy to introduce a logon-based group policy object containing two items. The first was a PowerShell script called IPScanner.ps1, which was placed in a temporary folder of the SYSVOL share on the DC. The 19-line script collects credentials from the Chrome web browser.

The second item was a batch file named logon.bat that contained the commands to execute the first script. Together, the two collected credentials from the Chrome web browsers of the AD endpoints: every machine on the network executed these scripts at logon. IPScanner.ps1 creates a SQLite database called LD and a text file called temp.log. These files were copied to a newly created SYSVOL share on the DC whose name reflected the hostname of the device on which the scripts had run.

The group policy remained active for three days, causing the malware to run on many machines – every time a user logged on. After the credentials were stolen and exfiltrated by the malicious actors, they deleted the files and purged the event logs for both the DC and the endpoints. After deleting the evidence, they then encrypted files and left a ransom note. For the ransomware, the criminal Qilin group again used group policies to distribute and execute a file called run.bat.
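The chain described above leaves several footprints a defender can look for: scripts launched from SYSVOL at logon, a process other than the browser touching Chrome's "Login Data" store, data files being written into SYSVOL, and event logs being cleared on both endpoints and the DC. The following is an added example (not code from Sophos or from the article) showing how such telemetry could be screened and correlated per host. The event lines are constructed, in a simplified key="value" form standing in for Sysmon Event 1 (process create), Sysmon Event 11 (file create), PowerShell Event 4104 (script block logging) and Security Event 1102 (audit log cleared); the hostnames, domain and paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the incident). WS01 shows the full
# sequence from the article; DC01 receives the staged output and has its log
# cleared; WS02 is benign noise where Chrome itself writes its own store.
SAMPLE_EVENTS = [
    r'id=1 host="WS01" user="CORP\alice" image="C:\Windows\System32\cmd.exe" '
    r'cmdline="cmd /c \\corp.example\SYSVOL\corp.example\scripts\logon.bat"',
    r'id=1 host="WS01" user="CORP\alice" '
    r'image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmdline="powershell -ExecutionPolicy Bypass -File '
    r'\\corp.example\SYSVOL\corp.example\temp\IPScanner.ps1"',
    r'id=4104 host="WS01" user="CORP\alice" '
    r'text="Get-Content $env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data"',
    r'id=11 host="DC01" image="System" '
    r'target="C:\Windows\SYSVOL\sysvol\corp.example\WS01\temp.log"',
    r'id=1102 host="WS01" user="CORP\admin" message="The audit log was cleared."',
    r'id=1102 host="DC01" user="CORP\admin" message="The audit log was cleared."',
    r'id=1 host="WS02" user="CORP\bob" '
    r'image="C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'cmdline="chrome.exe --type=renderer"',
    r'id=11 host="WS02" image="C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'target="C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SCRIPT_EXT = re.compile(r'\.(ps1|bat|cmd|vbs)\b', re.I)
CHROME_STORE = re.compile(r'\\Google\\Chrome\\User Data\\.*Login Data', re.I)
BROWSER_IMAGES = ("chrome.exe", "msedge.exe")


def parse_event(line):
    """Turn one key="value" line into a dict; quoted values may contain spaces."""
    ev = {}
    for key, quoted, bare in KV.findall(line):
        ev[key] = quoted if quoted else bare
    return ev


def rule_sysvol_script(ev):
    """A script launched from the SYSVOL share, as a GPO logon script would be."""
    cmd = ev.get("cmdline", "")
    return (ev.get("id") == "1" and "\\sysvol\\" in cmd.lower()
            and SCRIPT_EXT.search(cmd) is not None)


def rule_chrome_store_access(ev):
    """Chrome's password store referenced by something other than a browser."""
    if ev.get("id") == "4104":
        return CHROME_STORE.search(ev.get("text", "")) is not None
    if ev.get("id") == "11":
        image = ev.get("image", "").lower()
        return (CHROME_STORE.search(ev.get("target", "")) is not None
                and not image.endswith(BROWSER_IMAGES))
    return False


def rule_sysvol_staging(ev):
    """A data file written into SYSVOL, which should only carry policy content."""
    target = ev.get("target", "").lower()
    return (ev.get("id") == "11" and "\\sysvol\\" in target
            and target.endswith((".log", ".db", ".sqlite")))


def rule_log_cleared(ev):
    """Security (1102) or System (104) event log cleared."""
    return ev.get("id") in ("1102", "104")


RULES = [
    ("sysvol_script", rule_sysvol_script),
    ("chrome_store_access", rule_chrome_store_access),
    ("sysvol_staging", rule_sysvol_staging),
    ("log_cleared", rule_log_cleared),
]


def run_rules(lines):
    """Return (host, rule_name) pairs for every event that trips a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES:
            if rule(ev):
                alerts.append((ev.get("host"), name))
    return alerts


def hosts_with_full_chain(alerts):
    """Hosts where script launch, credential-store access and log wiping all
    appear: the sequence the article describes, rather than one noisy event."""
    by_host = defaultdict(set)
    for host, name in alerts:
        by_host[host].add(name)
    needed = {"sysvol_script", "chrome_store_access", "log_cleared"}
    return sorted(h for h, names in by_host.items() if needed <= names)


if __name__ == "__main__":
    found = run_rules(SAMPLE_EVENTS)
    for host, name in found:
        print(f"{host}: {name}")
    print("full chain on:", hosts_with_full_chain(found))
```

The per-host correlation is the part worth keeping: each rule alone fires on legitimate activity now and then (admins do clear logs, and GPO logon scripts are normal), but one endpoint showing all three within a logon window is the pattern described here. In a real deployment the key="value" parser would be replaced by the SIEM's own field extraction and the 4104 rule would be backed by script block logging being enabled on the endpoints.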

Using the password manager built into Chrome allowed the criminal masterminds to obtain further credentials for other services. The use of a password manager such as Bitwarden, which can be managed centrally in companies and used without storing data in the cloud, appears to be a recommended measure. The use of passkeys also helps to prevent cyber criminals from capturing usable credentials.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.