The Qilin ransomware group has recently adopted a new strategy by deploying a custom stealer to extract account credentials saved in Google Chrome.
The Sophos X-Ops team identified these credential-harvesting techniques during incident response engagements, highlighting a concerning shift in the ransomware landscape.
Attack Overview
The attack analyzed by Sophos researchers began with Qilin gaining access to the network through compromised credentials for a VPN portal that lacked multi-factor authentication (MFA).
Following this breach, there was an 18-day period of inactivity, suggesting that Qilin may have acquired network access from an initial access broker (IAB).
During this downtime, Qilin likely mapped the network, identified key assets, and conducted reconnaissance.
After the initial 18 days, the attackers moved laterally to a domain controller and modified Group Policy Objects (GPOs) to deploy a PowerShell script (‘IPScanner.ps1’) across all machines in the domain network.
This script, triggered by a batch file (‘logon.bat’) included in the GPO, was intended to collect credentials stored in Google Chrome.
The batch script was configured to run (and trigger the PS script) every time a user logged into their machine, while stolen credentials were saved on the ‘SYSVOL’ share under the names ‘LD’ or ‘temp.log.’
[Figure: Contents of the LD dump. Source: Sophos]
After sending the files to Qilin’s command and control (C2) server, the local copies and related event logs were wiped, to conceal the malicious activity. Eventually, Qilin deployed their ransomware payload and encrypted data on the compromised machines.
Another GPO and a separate batch file (‘run.bat’) were used to download and execute the ransomware across all machines in the domain.
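The chain described above (a modified GPO, a logon batch file that launches a PowerShell script from SYSVOL, credential dumps staged on the SYSVOL share, and cleared event logs) leaves traces on both the domain controller and each workstation. The following Python sketch is an added example, not code from Sophos or the article: it runs a few detection rules over event records and then reports hosts where several stages of the chain line up. The event records, host names and user names are constructed for illustration; the field names loosely follow the Windows Security (4688, 5136, 1102) and Sysmon (11) schemas, and the GPO GUID is a placeholder.

```python
"""Detection rules for the GPO-driven Chrome credential-harvesting chain.

Added example. The sample events are constructed and are not real telemetry.
"""
import re
from dataclasses import dataclass

# File names the article reports for the staged credential dumps on SYSVOL.
DUMP_NAMES = {"ld", "temp.log"}
# Script names the article reports for the GPO-deployed scripts.
SCRIPT_NAMES = ("ipscanner.ps1", "logon.bat", "run.bat")
# UNC path that points into a domain's SYSVOL share, e.g. \\corp.local\SYSVOL\
SYSVOL_RE = re.compile(r"\\\\[^\\]+\\sysvol\\", re.IGNORECASE)
# powershell.exe / pwsh, whether bare or with a full path
POWERSHELL_RE = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def detect(events):
    """Apply each rule to a list of event dicts and return the findings."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        host = ev.get("host", "?")
        if eid == 4688:  # Security: process creation
            cmd = ev.get("command_line", "")
            parent = ev.get("parent_command_line", "")
            # PowerShell started with a script that lives on SYSVOL
            if POWERSHELL_RE.search(cmd) and SYSVOL_RE.search(cmd):
                findings.append(Finding("powershell_from_sysvol", host, cmd))
            # Either the process or its parent carries one of the reported script names
            if any(s in parent.lower() for s in SCRIPT_NAMES) or any(
                s in cmd.lower() for s in SCRIPT_NAMES
            ):
                findings.append(Finding("known_script_name", host, cmd or parent))
        elif eid == 11:  # Sysmon: file created
            path = ev.get("target_filename", "")
            name = path.rsplit("\\", 1)[-1].lower()
            # A dump file with one of the reported names written to the SYSVOL share
            if SYSVOL_RE.search(path) and name in DUMP_NAMES:
                findings.append(Finding("dump_staged_on_sysvol", host, path))
        elif eid == 5136:  # Security: directory service object modified
            # Any change to a GPO container object deserves a look during an incident
            if ev.get("object_class", "").lower() == "grouppolicycontainer":
                findings.append(Finding("gpo_modified", host, ev.get("object_dn", "")))
        elif eid == 1102:  # Security: the audit log was cleared
            findings.append(Finding("security_log_cleared", host, ev.get("user", "")))
    return findings


def hosts_with_chain(findings, min_rules=3):
    """Return hosts on which at least `min_rules` distinct rules fired, sorted."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


# Constructed sample records (not real data). "WS-042" shows the full chain.
SAMPLE_EVENTS = [
    {"event_id": 5136, "host": "DC01", "user": "CORP\\svc_admin",
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=corp,DC=local"},
    {"event_id": 4688, "host": "WS-042", "user": "CORP\\alice",
     "parent_command_line": "cmd.exe /c \\\\corp.local\\SYSVOL\\corp.local\\scripts\\logon.bat",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File "
                     "\\\\corp.local\\SYSVOL\\corp.local\\scripts\\IPScanner.ps1"},
    {"event_id": 11, "host": "WS-042",
     "target_filename": "\\\\corp.local\\SYSVOL\\corp.local\\temp.log"},
    {"event_id": 4688, "host": "WS-042", "user": "CORP\\alice",
     "parent_command_line": "explorer.exe", "command_line": "notepad.exe report.txt"},
    {"event_id": 1102, "host": "WS-042", "user": "CORP\\alice"},
]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:8} {f.rule:24} {f.detail}")
    print("hosts showing the chain:", hosts_with_chain(found))
```

The per-rule hits are noisy on their own (GPOs are edited legitimately, and logon scripts on SYSVOL are normal), which is why the example correlates them per host: a workstation that launches PowerShell from SYSVOL, writes a dump file back to that share and then has its security log cleared is a much stronger signal than any one event.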
Defense complexity
Qilin’s approach of targeting Chrome credentials sets a worrying precedent that could make protecting against ransomware attacks even more challenging.
Because the GPO applied to all machines in the domain, every device that a user logged into was subject to the credential harvesting process.
This means that the script potentially stole credentials from all machines across the company, as long as those machines were connected to the domain and had users logging into them during the period the script was active.
Such extensive credential theft could enable follow-up attacks, lead to widespread breaches across multiple platforms and services, make response efforts a lot more cumbersome, and introduce a lingering, long-lasting threat after the ransomware incident is resolved.
A successful compromise of this sort would mean that not only must defenders change all Active Directory passwords; they should also (in theory) request that end users change their passwords for dozens, potentially hundreds, of third-party sites for which the users have saved their username-password combinations in the Chrome browser. – Sophos
Organizations can mitigate this risk by imposing strict policies that forbid storing secrets in web browsers.
Additionally, implementing multi-factor authentication is key in protecting accounts against hijacks, even in the case of credential compromises.
Finally, implementing the principles of least privilege and segmenting the network can significantly hamper a threat actor’s ability to spread on the compromised network.