New ransomware strain discovered that specializes in stealing login information from Chrome browser

The Qilin ransomware operation has been observed using a relatively sophisticated, highly customizable technique to steal account credentials saved in the Google Chrome browser.

The Sophos X-Ops global security research team observed the credential-harvesting technique during a Qilin incident response engagement, and describes it as an alarming shift in the way this ransomware operation works.

Overview of the attack process

The attack analyzed by Sophos researchers began with the attackers gaining access to the target network using compromised credentials for a VPN gateway that had no multi-factor authentication (MFA) enabled.

An 18-day period of apparent inactivity followed, which suggests that the attackers had bought their way in through an initial access broker (IAB). Qilin likely spent that time mapping the network, identifying key assets and carrying out reconnaissance.

After those 18 days, the attackers moved laterally to a domain controller and modified Group Policy Objects (GPOs) so that a PowerShell script ('IPScanner.ps1') would be executed on every machine joined to the domain.

The script was launched by a batch script ('logon.bat') that was also distributed through the GPO. Its job was to collect the credentials stored in Google Chrome.

Because the batch script was configured as a logon script, it ran (and so triggered the PowerShell script) every time a user logged in to a machine. The harvested credentials were written to the domain's SYSVOL share in files named 'LD' or 'temp.log'.


After the files had been sent to Qilin's command-and-control (C2) server, the local copies and the associated event logs were deleted to conceal the activity. Only then did Qilin deploy the ransomware payload and encrypt data on the compromised machines.

A second GPO and a separate batch file ('run.bat') were used to download and execute the ransomware on every machine in the domain.
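The chain above (a GPO that attaches a logon batch script, the batch script spawning PowerShell, the script touching Chrome's password database, and the results being written back to SYSVOL) leaves traces in ordinary Windows telemetry. The following is an added example, not code from this page, from Sophos or from the Qilin actors: four hunting rules run over a handful of constructed event records that mimic Sysmon (Event ID 1 process create, Event ID 11 file create) and Windows Security (Event ID 5136 directory service object modified, Event ID 4663 object access) events. Field names follow the real event data; the host names, the 'corp.example' domain, the users, the file paths and the GPO GUID are invented.

```python
"""Hunting rules for the GPO-delivered credential harvesting chain described above.

Added example; not code from the page, Sophos, or the Qilin actors. It runs over
CONSTRUCTED event records that mimic Sysmon (ID 1 process create, ID 11 file create)
and Windows Security (ID 5136 directory service object modified, ID 4663 object
access) events. Host names, the 'corp.example' domain, users, paths and the GPO GUID
are invented.
"""
import re
from dataclasses import dataclass

# GUID of the Scripts client-side extension. It appears in gPCUserExtensionNames
# (or gPCMachineExtensionNames) once a logon/startup script is attached to a GPO.
SCRIPTS_CSE_GUID = "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}"

# UNC path into the domain's SYSVOL or NETLOGON share, e.g. \\corp.example\SYSVOL\...
DOMAIN_SHARE = re.compile(r"\\\\[^\\]+\\(?:SYSVOL|NETLOGON)\\", re.IGNORECASE)
# Chrome's saved-password database inside any profile directory.
CHROME_LOGIN_DATA = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$",
                               re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _is_powershell(image: str) -> bool:
    return image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))


def evaluate(event: dict) -> list:
    """Apply the four rules to one normalized event; return any findings."""
    findings = []
    eid, host = event["event_id"], event["host"]

    # Rule 1 (Sysmon 1): PowerShell spawned by a .bat/.cmd served from SYSVOL or
    # NETLOGON, the logon-script delivery path used for logon.bat -> IPScanner.ps1.
    if eid == 1 and _is_powershell(event.get("image", "")):
        parent_cmd = event.get("parent_command_line", "")
        if DOMAIN_SHARE.search(parent_cmd) and re.search(r"\.(?:bat|cmd)\b", parent_cmd, re.I):
            findings.append(Finding("logon_script_spawns_powershell", host,
                                    event.get("command_line", "")))

    # Rule 2 (Sysmon 11): an endpoint creating a file inside SYSVOL. Clients read
    # policy from SYSVOL; they have no business writing to it. Qilin staged the
    # harvested credentials there under the names 'LD' and 'temp.log'.
    target = event.get("target_filename", "")
    if eid == 11 and DOMAIN_SHARE.search(target):
        findings.append(Finding("file_written_to_sysvol", host,
                                f"{event.get('image', '?')} -> {target}"))

    # Rule 3 (Security 5136): a GPO gained the Scripts extension, i.e. someone
    # attached a logon/startup script. Requires 'Audit Directory Service Changes'
    # to be enabled on the domain controllers.
    if (eid == 5136 and event.get("object_class") == "groupPolicyContainer"
            and event.get("attribute") in ("gPCUserExtensionNames", "gPCMachineExtensionNames")
            and SCRIPTS_CSE_GUID.lower() in event.get("value", "").lower()):
        findings.append(Finding("gpo_gained_script_extension", host,
                                f"{event.get('subject', '?')} modified {event.get('object_dn', '?')}"))

    # Rule 4 (Security 4663): a process other than Chrome opening Chrome's 'Login Data'
    # database. Assumes a SACL auditing read access on that file.
    proc = event.get("process_name", "")
    if (eid == 4663 and CHROME_LOGIN_DATA.search(event.get("object_name", ""))
            and not proc.lower().endswith("\\chrome.exe")):
        findings.append(Finding("non_browser_reads_chrome_login_data", host, proc))

    return findings


def hunt(events) -> list:
    """Run every event through the rules, preserving event order."""
    return [f for e in events for f in evaluate(e)]


# Constructed sample telemetry: four events reproducing the chain, then two benign ones.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_GPO = r"\\corp.example\SYSVOL\corp.example\Policies\{0F2A7C3E-1B4D-4E5F-9A8B-7C6D5E4F3A2B}"
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS-042", "image": _PS,
     "command_line": _PS + r" -ExecutionPolicy Bypass -File " + _GPO + r"\User\Scripts\Logon\IPScanner.ps1",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_command_line": r'C:\Windows\System32\cmd.exe /c ""' + _GPO + r'\User\Scripts\Logon\logon.bat" "'},
    {"event_id": 11, "host": "WS-042", "image": _PS,
     "target_filename": r"\\corp.example\SYSVOL\corp.example\scripts\temp.log"},
    {"event_id": 5136, "host": "DC01", "subject": r"CORP\jdoe-admin",
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={0F2A7C3E-1B4D-4E5F-9A8B-7C6D5E4F3A2B},CN=Policies,CN=System,DC=corp,DC=example",
     "attribute": "gPCUserExtensionNames",
     "value": "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}]"},
    {"event_id": 4663, "host": "WS-042", "process_name": _PS,
     "object_name": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign: an admin script started from Explorer, and Chrome reading its own store.
    {"event_id": 1, "host": "WS-017", "image": _PS,
     "command_line": _PS + r" -File C:\Scripts\inventory.ps1",
     "parent_image": r"C:\Windows\explorer.exe", "parent_command_line": r"C:\Windows\explorer.exe"},
    {"event_id": 4663, "host": "WS-017",
     "process_name": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "object_name": r"C:\Users\asmith\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Rule 2 will also fire on administrative workstations where someone edits policy with the Group Policy Management Console, which writes to SYSVOL legitimately; scope it to hosts that are not expected to manage GPOs, or pair it with rule 3 in the same time window. Rule 3 only exists if directory service change auditing is on at the domain controllers, and rule 4 only if a SACL has been placed on Chrome's 'Login Data' files; without those settings the corresponding events are never written.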


Complexity in defense

Qilin's approach to Chrome credentials sets a troubling precedent that could make defending against ransomware attacks harder.

Because the GPO applies to every machine in the domain, every device a user logs on to is subject to the credential collection. The script can therefore harvest credentials from any domain-joined machine on which a user logs in while the malicious policy is in force.

Such widespread credential theft lets attackers launch follow-on attacks, turning the incident into one that spans multiple platforms and services and making response far more cumbersome. It also creates a persistent threat that lingers long after the ransomware itself has been remediated: every password saved in Chrome on an affected machine has to be treated as compromised and reset.

Organizations can reduce the risk with policies that prohibit storing secrets in web browsers, ideally enforced centrally (for example by disabling the browser's built-in password manager) and paired with a dedicated password manager. Multi-factor authentication is also key to protecting accounts from takeover even when a credential has been compromised; in this intrusion, MFA on the VPN gateway would have blocked the initial access.

Finally, applying least-privilege principles and network segmentation can significantly hinder a threat actor's ability to spread across a compromised network.
