New ransomware strain discovered that specializes in stealing login information from Chrome browser

A new strain of ransomware called Qilin has been discovered using a relatively sophisticated, highly customizable tactic to steal account login information stored in the Google Chrome browser.

The Sophos X-Ops global security research team observed credential harvesting techniques during its Qilin incident response, indicating an alarming shift in the way this dangerous ransomware strain operates.

Overview of the attack process

The attack analyzed by Sophos researchers began with the Qilin malware successfully accessing the target network using compromised credentials on a VPN gateway without multi-factor authentication (MFA).

This was followed by an 18-day period of malware “hibernation,” suggesting that the hackers had purchased access to the network through an initial access broker (IAB). Qilin likely spent time mapping the network, identifying key assets, and conducting reconnaissance.

After the first 18 days, the malware moves laterally to domain controllers and modifies Group Policy Objects (GPOs) to execute a PowerShell script ('IPScanner.ps1') on all machines logged into the domain network.

This script is executed by a batch script ('logon.bat'), and is also included in the GPO. It is designed to collect login information stored in Google Chrome.

The batch script is configured to run (and trigger a PowerShell script) every time a user logs in to their machine. In parallel, the stolen credentials are saved on the 'SYSVOL' partition under the name 'LD' or 'temp.log'.

New ransomware strain discovered that specializes in stealing login information from Chrome browser

After sending the files to Qilin’s command and control (C2) server, local copies and associated event logs were deleted to conceal the malicious activity. Finally, Qilin deployed the ransomware payload and encrypted data on the compromised machines.

Another GPO and a separate command file ('run.bat') are also used to download and execute the ransomware on all machines in the domain.

New ransomware strain discovered that specializes in stealing login information from Chrome browser

Complexity in defense

Qilin's approach to Chrome credentials sets a troubling precedent that could make protecting against ransomware attacks more difficult.

Because the GPO is applied to all machines in the domain, every device where the user is logged on is subject to the credential collection process.

This means that the script is capable of stealing credentials from all machines across the system, as long as those machines are connected to the domain and have a user logged in during the time the script is running.

Such widespread credential theft can allow hackers to launch follow-up attacks, resulting in a security incident that spans multiple platforms and services, making response efforts much more cumbersome. It also creates a persistent threat that lingers long after the ransomware incident is resolved.

Organizations can mitigate risk by implementing strict policies that prohibit storing secrets in web browsers. Additionally, implementing multi-factor authentication is key to protecting accounts from being taken over, even in the event of a compromised credential.

Finally, implementing principles of least privilege and network segmentation can significantly hinder a threat actor's ability to spread across a compromised network.

Sign up and earn $1000 a day ⋙

Leave a Comment

Latest AFK God Realm Code and instructions for redeeming the code

Latest AFK God Realm Code and instructions for redeeming the code

AFK God Realm gives players Diamonds, 4-Star Orange Chests, Luxurious Material Gifts, 4-Star Fragments, Gold...

Simple tips to make Apple Calendar more useful

Simple tips to make Apple Calendar more useful

iOS 18 added a feature that makes the month view much more useful — you can now zoom out by pinching the screen, allowing you to see nearly two months right on the home screen.

My deepest and most sincere thanks to my father.

My deepest and most sincere thanks to my father.

Below are the most profound and meaningful words of thanks to father, please refer to them to express your love and care for your father, your beloved father, who has always accompanied and silently sacrificed for his children.

What is an integer? What is a positive integer? What is a negative integer?

What is an integer? What is a positive integer? What is a negative integer?

What is an integer? What is a positive integer? This article will give you the answer.

Instructions on how to draw a diagram in Word

Instructions on how to draw a diagram in Word

Using drawing models in Word content will help readers have a better overview and understanding of the content, as well as increase the liveliness of the content of the article.

How to use Google Gemini Memory

How to use Google Gemini Memory

Gemini can remember things about your life, hobbies, work details, concerns,... thanks to the new Gemini Memory feature.

6 key differences between the Galaxy Z Fold 6 and Z Fold 5

6 key differences between the Galaxy Z Fold 6 and Z Fold 5

The Galaxy Z Fold 6 may not seem like a huge upgrade over the Z Fold 5, but Samsung has improved the hardware and added some nifty features to make for a better experience.

Cerebras makes the worlds largest AI chip with 2.6 trillion transistors and nearly 1 million cores

Cerebras makes the worlds largest AI chip with 2.6 trillion transistors and nearly 1 million cores

Cerebras Systems has unveiled the largest AI chip based on the 7nm process, called Wafer Scale Engine 2.

Tech company teaches computers to... taste wine

Tech company teaches computers to... taste wine

A California tech startup is teaching computers how to taste wine. The company is using the technology to help winemakers improve their products and attract new customers.

Google develops AI algorithm that can diagnose skin diseases and tuberculosis

Google develops AI algorithm that can diagnose skin diseases and tuberculosis

Google has been increasingly showing interest in the field of artificial intelligence applications in medicine.

How to set public Telegram account profile picture

How to set public Telegram account profile picture

If you don't like the avatar with your name's abbreviation, you can set a public Telegram profile picture, hide your Telegram avatar from someone but they can still see your public Telegram profile picture.

7 Useful Changes Microsoft Should Make to File Explorer

7 Useful Changes Microsoft Should Make to File Explorer

File Explorer is still an important part of Windows, and with a few smart updates, Microsoft could improve things even more for users.

The latest Thieu Hiep Xin Dung Buoc game code and how to redeem code for rewards

The latest Thieu Hiep Xin Dung Buoc game code and how to redeem code for rewards

Thieu Hiep Xin Dung Buoc will also help you by giving giftcodes and you can use this code to redeem rewards.

Details of DTCL season 14 champions and skills, gameplay

Details of DTCL season 14 champions and skills, gameplay

Leaving aside all the season 13 champions, we will come to the season 14 champions of Truth Arena: Technology City.

6 Ways to Fix Media Creation Tool Not Working

6 Ways to Fix Media Creation Tool Not Working

The Media Creation Tool allows you to reinstall Windows using a USB or DVD.