Qilin ransomware now steals credentials from Chrome browsers


The Qilin ransomware group has adopted a new tactic: deploying a custom stealer to harvest account credentials stored in the Google Chrome browser.

The credential-harvesting technique was observed by the Sophos X-Ops team during incident response engagements and marks an alarming change in the ransomware scene.

Attack overview

The attack that Sophos researchers analyzed started with Qilin gaining access to a network using compromised credentials for a VPN portal that lacked multi-factor authentication (MFA).

The breach was followed by 18 days of dormancy, suggesting that Qilin may have bought access to the network from an initial access broker (IAB).

During that time, Qilin possibly mapped the network, identified critical assets, and conducted reconnaissance.

After the first 18 days, the attackers moved laterally to a domain controller and modified Group Policy Objects (GPOs) to execute a PowerShell script (‘IPScanner.ps1’) on every machine joined to the domain.

The script, executed by a batch script (‘logon.bat’) that was also included in the GPO, was designed to collect credentials stored in Google Chrome.

The batch script was configured to run (and trigger the PS script) every time a user logged into their machine, while stolen credentials were saved on the ‘SYSVOL’ share under the names ‘LD’ or ‘temp.log.’

Contents of the LD dump (Source: Sophos)

After sending the files to Qilin’s command and control (C2) server, the attackers wiped the local copies and related event logs to conceal the malicious activity. Eventually, Qilin deployed their ransomware payload and encrypted data on the compromised machines.

Another GPO and a separate batch file (‘run.bat’) were used to download and execute the ransomware across all machines in the domain.
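The chain described above leaves three observable traces on every workstation: PowerShell launched by a logon script from the SYSVOL share, a file written back into SYSVOL by a workstation process, and the Security log being cleared afterwards. The following is an added example, not code from Sophos or from this article, that runs hunting rules for those three stages over constructed Windows Security (4688 process creation, 1102 audit log cleared) and Sysmon (11 file create) records. The records are plain dicts with assumed field names ("id", "image", "cmdline", "target"), the domain name and hostnames are made up, and the allowlist of legitimate SYSVOL writers is an assumption to tune for your environment.

```python
"""Hunting rules for a GPO logon-script credential harvest (added example)."""
import re

# A UNC path into a domain's SYSVOL share, e.g. \\corp.example\SYSVOL\...
SYSVOL_RE = re.compile(r"\\\\[^\\]+\\SYSVOL\\", re.IGNORECASE)

# Names Sophos reported for the scripts and the dumped credentials. They are a
# bonus signal only; the behavioural rules below do not depend on them.
KNOWN_SCRIPT_NAMES = {"ipscanner.ps1", "logon.bat", "run.bat"}
KNOWN_DUMP_NAMES = {"ld", "temp.log"}

# Processes that legitimately write to SYSVOL: GPMC hosted in mmc.exe and the
# DFS replication service on domain controllers. Assumed allowlist; tune it.
SYSVOL_WRITERS = {"mmc.exe", "dfsrs.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return one finding dict per rule hit, keyed by the event's index."""
    findings = []
    for idx, ev in enumerate(events):
        eid = ev.get("id")
        image = basename(ev.get("image", ""))
        if eid == 4688:
            cmdline = ev.get("cmdline", "")
            # Workstation PowerShell executing a script straight out of SYSVOL:
            # this is how the GPO-pushed IPScanner.ps1 ran at every logon.
            if image == "powershell.exe" and SYSVOL_RE.search(cmdline):
                bypass = "-executionpolicy bypass" in cmdline.lower()
                findings.append({"event": idx, "rule": "powershell_script_from_sysvol",
                                 "severity": "high" if bypass else "medium"})
            hits = {basename(t) for t in cmdline.split()} & KNOWN_SCRIPT_NAMES
            if hits:
                findings.append({"event": idx, "rule": "known_qilin_script_name",
                                 "severity": "high", "detail": sorted(hits)})
        elif eid == 11:
            target = ev.get("target", "")
            # SYSVOL should only be written by GP tooling on domain controllers;
            # a workstation process dropping a file there is how the dump landed.
            if SYSVOL_RE.search(target) and image not in SYSVOL_WRITERS:
                finding = {"event": idx, "rule": "unexpected_sysvol_write",
                           "severity": "high"}
                if basename(target) in KNOWN_DUMP_NAMES:
                    finding["detail"] = "filename matches reported dump name"
                findings.append(finding)
        elif eid == 1102:
            # Security log cleared: the article notes the related event logs
            # were wiped after the dump was exfiltrated.
            findings.append({"event": idx, "rule": "security_log_cleared",
                             "severity": "high"})
    return findings


def chain_detected(findings) -> bool:
    """True when all three stages (script run, SYSVOL drop, log wipe) are seen."""
    rules = {f["rule"] for f in findings}
    return {"powershell_script_from_sysvol", "unexpected_sysvol_write",
            "security_log_cleared"} <= rules


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample events: the malicious chain (events 0-4) interleaved with
# benign activity (a real logon script, GPMC editing a policy, a user saving a file).
SAMPLE_EVENTS = [
    {"id": 4688, "image": CMD,
     "cmdline": r"cmd.exe /c \\corp.example\SYSVOL\corp.example\scripts\logon.bat"},
    {"id": 4688, "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File \\corp.example\SYSVOL\corp.example\scripts\IPScanner.ps1"},
    {"id": 11, "image": PS, "target": r"\\corp.example\SYSVOL\corp.example\scripts\LD"},
    {"id": 11, "image": PS, "target": r"\\corp.example\SYSVOL\corp.example\scripts\temp.log"},
    {"id": 1102, "image": "", "subject": r"CORP\svc-backup"},
    {"id": 4688, "image": CMD,
     "cmdline": r"cmd.exe /c \\corp.example\SYSVOL\corp.example\scripts\mapdrives.bat"},
    {"id": 11, "image": r"C:\Windows\System32\mmc.exe",
     "target": r"\\corp.example\SYSVOL\corp.example\Policies\{00000000-0000-0000-0000-000000000000}\GPT.INI"},
    {"id": 11, "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for finding in hits:
        print(finding)
    print("full chain observed:", chain_detected(hits))
```

The SYSVOL write rule is the one worth keeping even if an attacker renames the scripts and the dump: ordinary workstations read SYSVOL constantly but almost never write to it, so a file-create event there from a non-administrative process is rare enough to page on.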

Qilin’s ransom note (Source: Sophos)

Defense complexity

Qilin’s targeting of Chrome credentials sets a worrying precedent that could make protecting against ransomware attacks even more challenging.

Because the GPO applied to all machines in the domain, every device that a user logged into was subject to the credential harvesting process.

This means that the script potentially stole credentials from all machines across the company, as long as those machines were connected to the domain and had users logging into them during the period the script was active.

Such extensive credential theft could enable follow-up attacks, lead to widespread breaches across multiple platforms and services, make response efforts a lot more cumbersome, and introduce a lingering, long-lasting threat after the ransomware incident is resolved.

A successful compromise of this sort would mean that not only must defenders change all Active Directory passwords; they should also (in theory) request that end users change their passwords for dozens, potentially hundreds, of third-party sites for which the users have saved their username-password combinations in the Chrome browser. – Sophos

Organizations can mitigate this risk by imposing strict policies that forbid the storage of secrets in web browsers.

Additionally, implementing multi-factor authentication is key to protecting accounts against hijacking, even when credentials have been compromised.

Finally, implementing the principles of least privilege and segmenting the network can significantly hamper a threat actor’s ability to spread on the compromised network.

Given that Qilin is an unconstrained and multi-platform threat with links to the Scattered Spider social engineering experts, any tactical change poses a significant risk to organizations.
