Qilin ransomware now steals credentials from Chrome browsers
Security
8/20/2024 | 2 min read


Qilin Ransomware Group Adopts New Method: Custom Stealer Targets Chrome Credentials
The Qilin ransomware group has recently introduced a new technique that involves using a specialized stealer to extract account credentials from Google Chrome. This development, uncovered by the Sophos X-Ops team during their incident response work, highlights a concerning evolution in ransomware tactics.
Overview of the Attack
Sophos researchers revealed that the attack began with the Qilin group gaining entry into a network via compromised VPN credentials, which lacked multi-factor authentication (MFA). After breaching the network, there was an 18-day period of inactivity, suggesting Qilin might have obtained their initial access through an initial access broker (IAB). During this time, they likely conducted network mapping, assessed critical assets, and performed reconnaissance.
Following this dormant phase, the attackers executed a lateral move to a domain controller, where they altered Group Policy Objects (GPOs) to deploy a PowerShell script (‘IPScanner.ps1’) across all machines on the domain. This script was triggered by a batch file (‘logon.bat’) included in the GPO and was designed to capture credentials stored in Google Chrome.
The batch file was programmed to run every time a user logged into their machine, initiating the PowerShell script to collect the credentials. Stolen data was saved on the ‘SYSVOL’ share under the names ‘LD’ or ‘temp.log’. After transferring these files to Qilin’s command and control (C2) server, the attackers erased local copies and event logs to obscure their activities. Eventually, Qilin deployed ransomware that encrypted data on the compromised systems.
Another GPO and a different batch file (‘run.bat’) were used to distribute and activate the ransomware across the network.
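The chain described above leaves a recognisable trail on endpoint and domain-controller telemetry: a logon script being added to a GPO's Scripts folder in SYSVOL, PowerShell on workstations executing a script served from SYSVOL, loose files (here ‘LD’ and ‘temp.log’) appearing in SYSVOL outside the Policies tree, and event logs being cleared. The following is an added detection sketch, not code from Sophos X-Ops or from this article; it runs over constructed, simplified key=value records (not a real Windows event format), and the field names `type`, `host`, `user`, `proc`, `cmdline`, `path` and `channel` are this example's own assumptions.

```python
"""Detection sketch for a GPO-delivered credential-harvesting chain.

Added example. Input records are constructed key=value lines that stand in for
process-creation, file-write and log-clear telemetry; field names are assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List

SYSVOL_MARKER = "\\sysvol\\"                       # any UNC path inside the SYSVOL share
SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs")
# Names reported in the article, used only to enrich alerts, not as the sole trigger.
KNOWN_SCRIPTS = {"ipscanner.ps1", "logon.bat", "run.bat"}
KNOWN_OUTPUTS = {"ld", "temp.log"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def parse(line: str) -> dict:
    """Turn 'k=v k2="quoted v"' into a dict with lower-cased keys."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def in_sysvol(s: str) -> bool:
    return SYSVOL_MARKER in s.lower()


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines: Iterable[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        ev = parse(line)
        kind, host = ev.get("type"), ev.get("host", "?")
        if kind == "proc_create":
            cmd = ev.get("cmdline", "")
            # Rule 1: PowerShell running a script straight from the SYSVOL share is how a
            # GPO logon script hands off to a harvesting script on every joined machine.
            if "powershell" in cmd.lower() and in_sysvol(cmd):
                tag = " [known script name]" if any(s in cmd.lower() for s in KNOWN_SCRIPTS) else ""
                alerts.append(Alert("powershell_from_sysvol", host, cmd + tag))
        elif kind == "file_write":
            path = ev.get("path", "")
            low = path.lower()
            if not in_sysvol(low):
                continue
            name = basename(low)
            # Rule 2: a new logon/startup script landing in a GPO's Scripts folder is the
            # earliest observable point of the chain and should always be reviewed.
            if "\\scripts\\" in low and name.endswith(SCRIPT_EXTS):
                alerts.append(Alert("gpo_script_added", host, path))
            # Rule 3: SYSVOL is written only through GPO editing; a loose file outside the
            # Policies tree (written here by a workstation process) is staging of stolen data.
            elif "\\policies\\" not in low:
                tag = " [known Qilin output name]" if name in KNOWN_OUTPUTS else ""
                alerts.append(Alert("unexpected_sysvol_write", host, path + tag))
        elif kind == "log_clear":
            # Rule 4: log clearing (Security 1102 / System 104 in real Windows telemetry).
            alerts.append(Alert("event_log_cleared", host, ev.get("channel", "?")))
    return alerts


def hosts_with_chain(alerts: List[Alert], min_rules: int = 3) -> List[str]:
    """Hosts where several distinct rules fired: the chain, not an isolated event."""
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a.host].add(a.rule)
    return sorted(h for h, r in rules_by_host.items() if len(r) >= min_rules)


# Constructed sample telemetry: one workstation going through the full chain, one
# benign PowerShell run, and the GPO edit on the domain controller that seeded it.
SAMPLE_LOG = [
    r'type=file_write host=DC01 user=CORP\gpoadmin proc=explorer.exe path="\\corp.local\sysvol\corp.local\Policies\{GUID}\User\Scripts\Logon\logon.bat"',
    r'type=proc_create host=WS01 user=CORP\jdoe proc=cmd.exe cmdline="cmd.exe /c \\corp.local\sysvol\corp.local\Policies\{GUID}\User\Scripts\Logon\logon.bat"',
    r'type=proc_create host=WS01 user=CORP\jdoe proc=powershell.exe cmdline="powershell.exe -File \\corp.local\sysvol\corp.local\scripts\IPScanner.ps1"',
    r'type=file_write host=WS01 user=CORP\jdoe proc=powershell.exe path="\\corp.local\sysvol\corp.local\LD"',
    r'type=file_write host=WS01 user=CORP\jdoe proc=powershell.exe path="\\corp.local\sysvol\corp.local\temp.log"',
    r'type=log_clear host=WS01 user=CORP\jdoe channel=Security',
    r'type=proc_create host=WS02 user=CORP\asmith proc=powershell.exe cmdline="powershell.exe -File C:\Tools\inventory.ps1"',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.host:5} {a.rule:24} {a.detail}")
    print("hosts showing the full chain:", hosts_with_chain(found))
```

Rules 2 and 3 are the generic ones: they fire on any script added to a GPO and any stray file in SYSVOL regardless of name, while the names from the article only add context. Correlating per host (`hosts_with_chain`) separates a single administrator editing a GPO from a workstation that pulled a script from SYSVOL, wrote output back, and then cleared its logs.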
Challenges in Defense
Qilin’s method of targeting Chrome credentials sets a troubling precedent, making ransomware defenses more complex. Since the GPO applied to all machines within the domain, every device a user accessed was vulnerable to the credential-harvesting process. This broad approach means that potentially every machine connected to the domain could have had its credentials stolen, increasing the risk of further attacks and complicating response efforts.
Organizations faced with such a breach must not only update all Active Directory passwords but also consider having users change passwords for numerous third-party sites where their credentials might be saved in Chrome.
Mitigation Strategies
To reduce this risk, organizations should enforce policies that prevent the storage of sensitive credentials in web browsers. Implementing multi-factor authentication is essential to protect accounts from unauthorized access, even if credentials are compromised. Additionally, applying the principles of least privilege and network segmentation can significantly limit a threat actor’s ability to move within and spread across a compromised network.
Given Qilin’s versatile and evolving threat capabilities, including their ties to the Scattered Spider social engineering group, any changes in their tactics represent a significant risk to organizations.