Qilin Caught Stealing Credentials in Chrome

SeniorTechInfo

The Dark Side of Ransomware: Qilin Group Stealing Chrome Credentials

Ransomware crews keep refining their tactics to increase their leverage over victims. The recent Synnovis attack, believed to be the work of the Qilin ransomware group, has brought a new level of concern to the cybersecurity community.

Researchers at Sophos X-Ops have documented a new element of Qilin's playbook: after getting inside a target's network, the group harvests the credentials that users have saved in Google Chrome. That changes the scope of the incident. Beyond the encrypted systems, every third-party service whose password was saved in a browser on the affected machines has to be treated as compromised and reset.

Laying the Foundations for Credential Harvesting

In an incident investigated by Sophos, Qilin went beyond the usual ransomware extortion and ran a domain-wide credential-harvesting step before encrypting anything.

The group targeted Google Chrome, the most widely used browser worldwide with a market share of over 65 percent, which makes passwords saved in the browser a predictable, high-yield target.

After gaining access to a domain controller, Qilin edited the Default Domain Policy to add a logon-based Group Policy Object (GPO) containing two items.

The first was a PowerShell script named IPScanner.ps1, written to extract the credential data that Chrome stores on disk. It was placed in a temporary directory on the SYSVOL share. SYSVOL is replicated to every domain controller and is readable by every domain-joined machine, so anything dropped there is reachable from each endpoint at logon.

The second was a batch script named logon.bat, whose only job was to launch IPScanner.ps1. Because the policy applied domain-wide, every machine in scope ran the script each time a user logged on, and Chrome credentials were pulled from all of them.

Collecting Browser Credentials on the Endpoints

When a user logs on to a machine in scope of the policy, logon.bat runs IPScanner.ps1, which produces two files: a SQLite database named LD and a text file named temp.log.

Both are written to a newly created directory on the domain's SYSVOL share named after the hostname of the machine that produced them, so the share doubles as a central collection point. The harvested credentials sit in the LD database until the attackers pick them up.

Once the files had been exfiltrated, the attackers removed their traces: they deleted the files, cleared event logs, encrypted the victim's files and dropped the ransom note.

The scheme came to light because Qilin left the GPO active on the network for an extended period, which gave defenders a window to notice it. The group evidently had confidence that it would not be spotted.
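The three traces described above (scripts dropped into SYSVOL, a per-hostname directory on the share, and a GPO that carries a logon script) are all visible to any domain user with read access to SYSVOL. The following audit script is an added example written for this page; it is not Sophos code and was not used in the incident. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed, a 30-day lookback window, and the well-known GUID of the Default Domain Policy; the function names are this example's own.

```powershell
# Added example (not from the Sophos report or this article): audit a domain for
# recently modified scripts in SYSVOL, SYSVOL directories named after domain
# computers, and GPOs that register logon/startup scripts.
# Assumes the ActiveDirectory and GroupPolicy RSAT modules; any authenticated
# domain user can read SYSVOL, so no elevated rights are needed to run it.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain = (Get-ADDomain).DNSRoot
$Sysvol = "\\$Domain\SYSVOL\$Domain"
$Cutoff = (Get-Date).AddDays(-30)   # lookback window (assumed); adjust to your needs

# Well-known GUID of the Default Domain Policy, the object edited in the incident.
$DefaultDomainPolicyGuid = '31B2F340-016D-11D2-945F-00C04FB984F9'

function Find-RecentSysvolScripts {
    # Any script created or modified inside the window, anywhere under SYSVOL,
    # including "temporary" directories outside the normal Policies\{GUID} layout.
    Get-ChildItem -Path $Sysvol -Recurse -File -Include *.ps1, *.bat, *.cmd, *.vbs -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Cutoff -or $_.LastWriteTime -ge $Cutoff } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

function Find-HostnameDirectoriesInSysvol {
    # A directory whose name equals a domain computer name is the collection
    # pattern described above (one directory per victim, LD and temp.log inside).
    $computerNames = @{}
    Get-ADComputer -Filter * | ForEach-Object { $computerNames[$_.Name.ToUpperInvariant()] = $true }
    Get-ChildItem -Path $Sysvol -Recurse -Directory -ErrorAction SilentlyContinue |
        Where-Object { $computerNames.ContainsKey($_.Name.ToUpperInvariant()) } |
        ForEach-Object {
            [pscustomobject]@{
                Directory = $_.FullName
                Created   = $_.CreationTime
                Files     = (Get-ChildItem -Path $_.FullName -File -ErrorAction SilentlyContinue).Name -join ', '
            }
        }
}

function Get-GposWithLogonScripts {
    # Logon/startup scripts are registered in scripts.ini (batch) and
    # psscripts.ini (PowerShell) under the GPO's User\Scripts and Machine\Scripts
    # folders. List every GPO that has such entries and flag the Default Domain
    # Policy and anything modified inside the window.
    foreach ($gpo in Get-GPO -All) {
        $policyDir = Join-Path $Sysvol "Policies\{$($gpo.Id)}"
        $iniFiles  = Get-ChildItem -Path $policyDir -Recurse -File -Include scripts.ini, psscripts.ini -ErrorAction SilentlyContinue
        if ($iniFiles) {
            [pscustomobject]@{
                GpoName          = $gpo.DisplayName
                GpoId            = $gpo.Id
                IsDefaultDomain  = ($gpo.Id.ToString().ToUpperInvariant() -eq $DefaultDomainPolicyGuid)
                ModifiedInWindow = ($gpo.ModificationTime -ge $Cutoff)
                ScriptEntries    = ($iniFiles | Get-Content | Where-Object { $_ -match '^\d+CmdLine=' }) -join '; '
            }
        }
    }
}

"== Scripts created or modified in SYSVOL since $Cutoff =="
Find-RecentSysvolScripts | Format-Table -AutoSize
"== SYSVOL directories named after domain computers =="
Find-HostnameDirectoriesInSysvol | Format-Table -AutoSize
"== GPOs carrying logon or startup scripts =="
Get-GposWithLogonScripts | Format-Table -AutoSize
```

Two caveats. The Default Domain Policy normally carries no logon scripts at all, so any entry with IsDefaultDomain set to True deserves a look regardless of its modification time. And because the attackers deleted LD and temp.log after exfiltration, the directory scan only finds live collection points; for the cleanup phase you need file-share auditing or DFSR history on the domain controllers, together with a review of the Security log for event 1102 (audit log cleared), which the log-wiping step described above would generate.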

Mitigation Recommendations

To safeguard against browser credential-harvesting attacks like the one orchestrated by Qilin, Sophos recommends implementing the following measures:

  • Do not rely on browser-based password storage
  • Use a dedicated password manager application built to industry best practices for software development
  • Enforce multifactor authentication (MFA) so that a stolen password alone does not grant access
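The first recommendation can be enforced centrally rather than left to users. The following script is an added example for this page, not Sophos or article code: it creates a GPO that sets Chrome's documented PasswordManagerEnabled policy to 0 under HKLM\SOFTWARE\Policies\Google\Chrome, links it at the domain root, and includes a check to run on an endpoint afterwards. The GPO name and the link target are assumptions; the policy value name and registry path are Chrome's own.

```powershell
# Added example (not from the article or Sophos): disable Chrome's built-in
# password manager domain-wide through Group Policy, then verify on an endpoint.
# Assumes the ActiveDirectory and GroupPolicy RSAT modules and rights to create
# and link GPOs. GPO name and link target are assumed values.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName = 'Browser - Disable built-in password manager'   # assumed GPO name
$LinkDn  = (Get-ADDomain).DistinguishedName               # link at the domain root

function Set-ChromePasswordManagerPolicy {
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

    # Machine-scope (HKLM) policy so users cannot override it; 0 = disabled.
    Set-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\SOFTWARE\Policies\Google\Chrome' `
        -ValueName 'PasswordManagerEnabled' -Type DWord -Value 0 | Out-Null

    # Link the GPO at the domain root if it is not already linked there.
    $existingLink = (Get-GPInheritance -Target $LinkDn).GpoLinks.Where({ $_.GpoId -eq $gpo.Id })
    if (-not $existingLink) {
        New-GPLink -Guid $gpo.Id -Target $LinkDn -LinkEnabled Yes | Out-Null
    }
    $gpo
}

function Test-ChromePasswordManagerDisabled {
    # Run on an endpoint after 'gpupdate /force'. Returns $true only when the
    # policy value is present and set to 0; a missing key means the policy
    # has not applied yet (or the machine is out of scope).
    $key = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    $v = Get-ItemProperty -Path $key -Name PasswordManagerEnabled -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.PasswordManagerEnabled -eq 0)
}

Set-ChromePasswordManagerPolicy | Select-Object DisplayName, Id
Test-ChromePasswordManagerDisabled
```

Two things to keep in mind. The policy stops Chrome from offering to save new passwords, but it does not delete what is already in the profile's Login Data store, so credentials saved before the change still need to be rotated and the stored copies removed. And the same value name exists for Microsoft Edge under HKLM\SOFTWARE\Policies\Microsoft\Edge; the article only discusses Chrome, but in practice the policy is worth applying to every browser that ships with a password manager.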