Sophos researchers investigated a Qilin ransomware attack where operators stole credentials stored in Google Chrome browsers of a limited number of compromised endpoints.
The experts pointed out that the credential harvesting activity is usually not associated with ransomware infections.
The Qilin ransomware group has been active since at least 2022 but gained attention in June 2024 for attacking Synnovis, a UK governmental service provider for healthcare. The group typically employs “double extortion,” stealing and encrypting victims’ data, then threatening to expose it unless a ransom is paid. In July 2024, Sophos’ Incident Response team observed Qilin’s activity on a domain controller within an organization’s Active Directory domain, with other domain controllers also infected but impacted differently.
The attackers breached the organization via compromised credentials for a VPN portal that lacked multi-factor authentication (MFA). The threat actors conducted post-exploitation activities eighteen days after initial access.
“Once the attacker reached the domain controller in question, they edited the default domain policy to introduce a logon-based Group Policy Object (GPO) containing two items. The first, a PowerShell script named IPScanner.ps1, was written to a temporary directory within the SYSVOL (SYStem VOLume) share (the shared NTFS directory located on each domain controller inside an Active Directory domain) on the specific domain controller involved. It contained a 19-line script that attempted to harvest credential data stored within the Chrome browser.” reads the report published by Sophos. “The second item, a batch script named logon.bat, contained the commands to execute the first script. This combination resulted in harvesting of credentials saved in Chrome browsers on machines connected to the network. Since these two scripts were in a logon GPO, they would execute on each client machine as it logged in.”
The Qilin operators leverage a Group Policy Object (GPO) to execute a script (IPScanner.ps1
) each time a user logged into an endpoint. This script created two files, an SQLite database (LD
) and a text log (temp.log
), which were stored in the SYSVOL share of the domain and named after the infected device’s hostname.
The attackers kept this GPO active for over three days, silently harvesting credentials each time users logged in. After exfiltrating the stolen credentials, the attackers deleted the files and event logs to cover their tracks before deploying the ransomware. Finally, attackers used another GPO to schedule the execution of the ransomware, leaving ransom notes in every directory on the infected machines.
Victims of this variant of Qilin ransomware attack must reset all Active Directory passwords and warn users to change passwords for the sites saved in their Chrome browsers.
“Predictably, ransomware groups continue to change tactics and expand their repertoire of techniques. The Qilin ransomware group may have decided that, by merely targeting the network assets of their target organizations, they were missing out.” concludes the report. “If they, or other attackers, have decided to also mine for endpoint-stored credentials – which could provide a foot in the door at a subsequent target, or troves of information about high-value targets to be exploited by other means – a dark new chapter may have opened in the ongoing story of cybercrime.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)