Qilin ransomware captured snatching credentials saved in Google Chrome
While investigating a recent Qilin ransomware breach, Sophos X-Ops analysts detected activity that resulted in large-scale theft of credentials stored in Google Chrome on a segment of the network's endpoints, a credential-harvesting technique with potential implications well beyond the targeted organization. This tactic is uncommon and could compound the chaos already inherent in ransomware incidents.
Who is Qilin?
The Qilin ransomware gang has been active for just over two years. They made headlines back in June 2024 after targeting Synnovis, a government service provider for various healthcare providers and hospitals in the UK. Prior to the events discussed here, Qilin attacks typically involved a “double extortion” scheme – where they steal the victim’s data, encrypt their systems, and then threaten to expose or sell the stolen data if the victim refuses to pay for the decryption key, a tactic detailed in our recent research on pressure tactics employed by ransomware groups.
The incident described in this post was observed by the Sophos Incident Response (IR) team in July 2024. To provide context, this activity was identified on a specific domain controller within the Active Directory domain of the target; other domain controllers in the same Active Directory domain were infected but experienced different impacts from the Qilin ransomware.
Initial Steps
The attacker gained initial entry into the environment using compromised login credentials. Unfortunately, this method of gaining initial access was not new for Qilin (or other ransomware groups for that matter). The investigation revealed that the VPN portal lacked multi-factor authentication (MFA) protection.
Between the initial breach and subsequent lateral movement, the attacker had a dwell time of eighteen days, which suggests that an Initial Access Broker (IAB) might have been involved in the initial intrusion. Following this period, attacker activity increased, with evidence of lateral movement to a domain controller using compromised credentials.
Upon reaching the domain controller, the attacker modified the default domain policy to introduce a logon-based Group Policy Object (GPO) that included two components. The first element was a PowerShell script named IPScanner.ps1, saved in a temporary directory within the SYSVOL (SYStem VOLume) share on the domain controller. This script, consisting of 19 lines, attempted to harvest credential data from Chrome browsers.
The second component was a batch script named logon.bat, which contained the commands to execute the PowerShell script. This combination resulted in the extraction of credentials stored in Chrome browsers on devices connected to the network. Because the scripts were delivered through a logon GPO, they ran every time a user logged on to a client machine.
Activity on Endpoints
Each time a user logged in on an endpoint, the logon.bat script triggered the IPScanner.ps1 script, generating two files: an SQLite database file named LD and a text file named temp.log. These files were saved in a newly created directory on the domain's SYSVOL share, named after the hostname of the device on which the script ran (Hemlock in the example shown).
The LD database file had the structure outlined in Figure 2.
Confident that their activities would go undetected, the attacker left this malicious GPO in place within the network for over three days. This gave users ample opportunities to log in and unknowingly trigger the credential-harvesting script on their systems each time. Since this action occurred via a logon GPO, every user would be subjected to this credential harvesting on login.
Once the harvested credential files had been exfiltrated, the attacker deleted them and cleared the event logs on both the infected machines and the domain controller, making it harder to assess the scope of the breach. They then proceeded to encrypt files and distribute the ransom note, as depicted in Figure 3. Copies of the ransom note were left in every directory on the affected device.
The Qilin group used a GPO once more as the mechanism for reaching endpoints across the network, this time creating a scheduled task that executed a batch file named run.bat, which downloaded and ran the ransomware.
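Both stages described above left artifacts on the SYSVOL share: a logon script that reads Chrome's credential store, per-hostname directories holding LD and temp.log, and a Group Policy Preference scheduled task launching a batch file. The following PowerShell script is an added hunting example, not code from the Sophos post or from the incident; it walks SYSVOL and reports files matching those patterns. The indicator strings are generic markers of Chrome credential access (the profile database, the Local State file holding the encryption key, and the DPAPI call used to unwrap it), not IOCs published with this case, and the script assumes it is run by a domain user on a domain-joined host.

```powershell
# Added example (not from the Sophos post): hunt a domain's SYSVOL share for
# GPO logon scripts that read Chrome's credential store, GPP scheduled tasks
# that launch a script, and harvester output dropped on the share.
# Assumptions: run from a domain-joined host as a domain user; indicator
# strings are generic, not case-specific IOCs.

$Domain     = $env:USERDNSDOMAIN
$SysvolRoot = "\\$Domain\SYSVOL\$Domain"

# Any script that decrypts Chrome's saved logins has to touch these: the profile
# database ("Login Data"), the "Local State" file holding the AES key, and DPAPI
# (ProtectedData / CryptUnprotectData) to unwrap that key.
$ChromeIndicators = @('Login Data', 'Local State', 'User Data\Default',
                      'os_crypt', 'ProtectedData', 'CryptUnprotectData', 'sqlite')
# Scheduled-task preferences that launch a batch or PowerShell file.
$TaskIndicators   = @('.bat', '.ps1', '.cmd', 'powershell', 'cmd.exe')

function Test-Indicators {
    param([string]$Text, [string[]]$Indicators)
    # Case-insensitive literal substring match (-match ignores case by default).
    return @($Indicators | Where-Object { $Text -match [regex]::Escape($_) })
}

function Get-GpoNameFromPath {
    param([string]$Path)
    # GPO folders under SYSVOL are named by policy GUID; resolve the display name
    # when the GroupPolicy RSAT module is available, otherwise return the GUID.
    if ($Path -match '\{([0-9A-Fa-f-]{36})\}') {
        $guid = $Matches[1]
        if (Get-Command Get-GPO -ErrorAction SilentlyContinue) {
            try { return (Get-GPO -Guid $guid -ErrorAction Stop).DisplayName } catch { }
        }
        return $guid
    }
    return ''
}

function Find-SuspiciousSysvolArtifacts {
    param([string]$Root)
    $hits  = New-Object System.Collections.Generic.List[object]
    $files = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue

    foreach ($f in $files) {
        $path   = $f.FullName
        $reason = $null

        # 1. Logon/startup scripts delivered by GPO live under
        #    Policies\{GUID}\(User|Machine)\Scripts\(Logon|Logoff|Startup|Shutdown)\
        if ($path -match '\\Scripts\\(Logon|Logoff|Startup|Shutdown)\\' -and
            $f.Extension -in @('.ps1', '.bat', '.cmd', '.vbs')) {
            $text = [string](Get-Content -Path $path -Raw -ErrorAction SilentlyContinue)
            $m = @(Test-Indicators -Text $text -Indicators $ChromeIndicators)
            if ($m.Count -gt 0) { $reason = "GPO script touches Chrome credential store: $($m -join ', ')" }
        }
        # 2. Group Policy Preference scheduled tasks:
        #    Policies\{GUID}\(Machine|User)\Preferences\ScheduledTasks\ScheduledTasks.xml
        elseif ($f.Name -ieq 'ScheduledTasks.xml') {
            $text = [string](Get-Content -Path $path -Raw -ErrorAction SilentlyContinue)
            $m = @(Test-Indicators -Text $text -Indicators $TaskIndicators)
            if ($m.Count -gt 0) { $reason = "GPP scheduled task launches a script: $($m -join ', ')" }
        }
        # 3. Harvester output file names from the incident write-up.
        elseif ($f.Name -ieq 'LD' -or $f.Name -ieq 'temp.log') {
            $reason = 'Credential-harvester output file name'
        }

        if ($reason) {
            $hits.Add([pscustomobject]@{
                Path         = $path
                Gpo          = Get-GpoNameFromPath -Path $path
                LastWriteUtc = $f.LastWriteTimeUtc
                Reason       = $reason
            })
        }
    }

    # 4. Anything at the top level of SYSVOL besides the two standard folders;
    #    the harvester created per-hostname directories there.
    Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notin @('Policies', 'scripts') } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{
                Path = $_.FullName; Gpo = ''; LastWriteUtc = $_.LastWriteTimeUtc
                Reason = 'Non-standard top-level SYSVOL directory'
            })
        }
    return $hits
}

Find-SuspiciousSysvolArtifacts -Root $SysvolRoot |
    Sort-Object LastWriteUtc -Descending |
    Format-Table -AutoSize
```

Sorting by last-write time puts anything dropped during the attacker's three-day window at the top; cross-check each flagged GPO against change-control records, and treat any Chrome-related hit in a logon script as a reason to assume every account that logged on while the GPO was live has had its saved browser credentials exposed.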
Consequences
In this attack, the IPScanner.ps1 script specifically targeted Chrome browsers, the most commonly used browser with over 65 percent market share at present. The success of each extraction attempt depended on the type of credentials saved by each user in their browser. Considering recent data indicating that the average user has approximately 87 work-related passwords and twice as many personal passwords, the potential for acquiring passwords from each infected device is substantial.
A successful compromise of this kind would mean not only that defenders must reset all Active Directory passwords, but also that they should, in theory, ask end users to change their credentials for dozens, potentially hundreds, of third-party sites whose logins were stored in Chrome. Defenders have no way to enforce this. From the end-user perspective the usual situation is reversed: while virtually every internet user has received at least one notification that their information was exposed in a third party's breach, here a single user faces numerous separate breaches at once.
It’s worth noting that in this particular breach, other domain controllers within the same Active Directory domain were encrypted, while the domain controller where the specific GPO originated remained unencrypted by the ransomware. The reason for this – whether a mistake, an oversight, or part of attacker testing – is beyond the scope of our investigation (and this post).
Summary
Predictably, ransomware groups continue to adapt their strategies and diversify their range of methods. The Qilin ransomware group may have decided that, by focusing only on the network assets of their target organizations, they were missing out.
If they, or other threat actors, have started to also harvest endpoint-stored credentials – which could serve as an entry point at a future target, or yield vital information about high-profile targets for exploitation through different means – a new dark chapter may have opened in the ongoing saga of cybercrime.
Acknowledgements
This analysis was contributed to by Anand Ajjan from SophosLabs, as well as Ollie Jones and Alexander Giles from the Incident Response team.
Response and remediation
Both organizations and individuals should rely on password manager applications that adhere to industry best practices for software development and undergo regular evaluation by an independent third party. Browser-based password managers have repeatedly been shown to be a weak place to keep credentials, and this incident is the latest evidence: Chrome protects its saved logins with a key wrapped by Windows DPAPI under the logged-on user's context, so any script running as that user, such as a logon script delivered by GPO, can unwrap the key and read the passwords without needing any further privilege.
Multifactor authentication could have served as an effective preventive measure in this scenario, as we have highlighted elsewhere. While MFA adoption is increasing, a 2024 LastPass study indicates that companies with over 10,000 employees have a reasonable 87% adoption rate, but the numbers decline sharply below that: 78% for companies with 1,001 to 10,000 employees, down to a mere 27% for businesses with 25 employees or fewer. In simple terms, businesses need to strengthen their security for their own sake and, as this incident shows, for the security of other entities as well.
Our Powershell.01 query played a key role in identifying suspicious PowerShell commands executed during the breach. This query is available for free on our GitHub, alongside numerous others.
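The following PowerShell is an added detection example written for this page; it is not the Sophos Powershell.01 query and not code from the incident. It scores PowerShell script-block log entries (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which requires Script Block Logging to be enabled) for the combination described above: a script launched from SYSVOL that reads Chrome's credential store, unwraps the key with DPAPI, and writes results to a UNC path. The rule patterns, weights, threshold, domain name corp.example and the three sample events are all constructed for the example.

```powershell
# Added example (not the Sophos Powershell.01 query): score PowerShell
# script-block log entries for the Chrome credential-harvester pattern.
# Rules, weights, threshold and the sample events below are constructed.

# A harvester trips several of these at once; a routine logon script rarely
# trips more than one or two.
$Rules = @(
    @{ Name = 'RunFromSysvol';    Weight = 1; Pattern = '\\SYSVOL\\' },
    @{ Name = 'ChromeLoginData';  Weight = 3; Pattern = 'Login Data' },
    @{ Name = 'ChromeLocalState'; Weight = 2; Pattern = 'Local State' },
    @{ Name = 'ChromeKeyField';   Weight = 2; Pattern = 'os_crypt|encrypted_key' },
    @{ Name = 'DpapiUnprotect';   Weight = 2; Pattern = 'ProtectedData\]::Unprotect|CryptUnprotectData' },
    @{ Name = 'AesGcm';           Weight = 1; Pattern = 'AesGcm' },
    @{ Name = 'SqliteAccess';     Weight = 1; Pattern = 'sqlite' },
    @{ Name = 'UncPathFileOp';    Weight = 1; Pattern = '(Out-File|Set-Content|Copy-Item|Add-Content)[^\r\n]*\\\\' }
)
$AlertThreshold = 5

function Get-ScriptBlockScore {
    param([string]$ScriptText)
    $matched = @()
    $score   = 0
    foreach ($r in $Rules) {
        if ($ScriptText -match $r.Pattern) { $matched += $r.Name; $score += $r.Weight }
    }
    return [pscustomobject]@{
        Score = $score
        Rules = $matched
        Alert = ($score -ge $AlertThreshold)
    }
}

function Invoke-ScriptBlockHunt {
    # $Events: objects with TimeCreated, Computer and ScriptText properties.
    param([object[]]$Events)
    foreach ($e in $Events) {
        $r = Get-ScriptBlockScore -ScriptText ([string]$e.ScriptText)
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.Computer
            Score       = $r.Score
            Rules       = ($r.Rules -join ',')
            Alert       = $r.Alert
        }
    }
}

function Get-LiveScriptBlockEvents {
    # Reads 4104 events from the local operational log. In a 4104 event,
    # Properties[2] is the script block text, [3] the block id, [4] the path.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                ScriptText  = [string]$_.Properties[2].Value
            }
        }
}

# --- Constructed sample events (not real log data) ---------------------------
$harvesterSample = @'
$ld    = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Login Data'
$state = Get-Content (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Local State') -Raw | ConvertFrom-Json
$key   = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, 'CurrentUser')
Copy-Item $ld "\\corp.example\SYSVOL\corp.example\$env:COMPUTERNAME\LD"
'@
$benignSample = @'
# Map the home drive and refresh the corporate wallpaper at logon
New-PSDrive -Name H -PSProvider FileSystem -Root "\\corp.example\home\$env:USERNAME" -Persist
Copy-Item "\\corp.example\SYSVOL\corp.example\scripts\wallpaper.jpg" "$env:TEMP\wallpaper.jpg"
'@
$unrelatedSample = @'
Get-Service | Where-Object Status -eq 'Running' | Export-Csv "$env:TEMP\services.csv"
'@

$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-07-01T08:02:11Z'; Computer = 'HEMLOCK'; ScriptText = $harvesterSample },
    [pscustomobject]@{ TimeCreated = '2024-07-01T08:02:09Z'; Computer = 'HEMLOCK'; ScriptText = $benignSample },
    [pscustomobject]@{ TimeCreated = '2024-07-01T09:15:40Z'; Computer = 'ADMIN01'; ScriptText = $unrelatedSample }
)

# Expected: the harvester sample scores 9 (Alert), the benign logon script 2, the
# service export 0.
Invoke-ScriptBlockHunt -Events $SampleEvents | Format-Table -AutoSize

# On an endpoint with script block logging enabled:
# Invoke-ScriptBlockHunt -Events (Get-LiveScriptBlockEvents) | Where-Object Alert
```

The weighting matters more than any single pattern: a legitimate logon script routinely runs from SYSVOL and copies files to or from a UNC path, so those rules carry little weight on their own, while touching both the Login Data database and the DPAPI-protected key from Local State is what distinguishes a harvester. Run the same scoring over 4104 events collected centrally, and pair it with an alert on modifications to the Default Domain Policy, since that is where the malicious logon GPO was introduced in this case.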
Sophos identifies Qilin ransomware as Troj/Qilin-B and leverages behavioral detections like Impact_6a & Lateral_8a. The script mentioned above is flagged as Troj/Ransom-HDV.
