The Agenda (Qilin) Ransomware Attack Leads to Google Chrome Credential Theft

The Agenda (Qilin) ransomware group has introduced a concerning new tactic: deploying a custom stealer to harvest account credentials stored in Google Chrome browsers. This development, observed by the Sophos X-Ops team during recent incident response efforts, marks a significant escalation in the ransomware landscape, making these attacks even more challenging to defend against.

Attack Overview: A Detailed Breakdown

Sophos researchers analyzed an Agenda/Qilin attack that began with the group gaining access to a network via compromised credentials for a VPN portal that lacked multi-factor authentication (MFA). The breach was followed by an 18-day period of inactivity, which suggests Qilin may have purchased access to the network from an initial access broker (IAB). During this dormancy, it's likely the attackers spent time mapping the network, identifying critical assets, and conducting reconnaissance.

After this reconnaissance period, the attackers moved laterally to a domain controller, where they modified Group Policy Objects (GPOs) to execute a PowerShell script, ‘IPScanner.ps1,’ across all machines logged into the domain network. This script, executed by a batch file, ‘logon.bat,’ was specifically designed to collect credentials stored in Google Chrome.

Chrome Credential Harvesting: A New Layer of Danger

The batch script triggered the PowerShell script every time a user logged into their machine, and the stolen credentials were saved on the ‘SYSVOL’ share under the names ‘LD’ or ‘temp.log.’ These files were then sent to Agenda/Qilin’s command and control (C2) server, after which local copies and related event logs were wiped to cover the attackers' tracks. Subsequently, Agenda (Qilin) deployed their ransomware payload, encrypting data across the compromised machines. A separate GPO and batch file, ‘run.bat,’ were used to download and execute the ransomware across all machines in the domain.

Agenda/Qilin’s approach to targeting Chrome credentials is particularly alarming because the GPO applied to all machines within the domain. This meant that every device a user logged into was subject to the credential-harvesting process. The script potentially stole credentials from all machines across the company, as long as they were connected to the domain and had active user logins during the period the script was operational.
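As an added example, not part of the Sophos analysis or this article, the Python below sketches how a detection team could hunt for the chain of artefacts described above: GPO-delivered executions of logon.bat, run.bat or IPScanner.ps1, the LD and temp.log output files appearing on the SYSVOL share, and the subsequent clearing of event logs. The telemetry is constructed, Sysmon and Security events flattened to key=value form; the field names follow Sysmon's (EventID, Image, CommandLine, TargetFilename) and the 1102 "audit log was cleared" event is Windows' own.

```python
import re
from collections import Counter

# Artefacts named in the write-up: the GPO-pushed scripts and the two output
# file names the stealer wrote to the SYSVOL share before exfiltration.
SCRIPT_NAMES = ("ipscanner.ps1", "logon.bat", "run.bat")
OUTPUT_NAMES = {"ld", "temp.log"}
SYSVOL_RE = re.compile(r"\\\\[^\\]+\\sysvol\\|\\windows\\sysvol\\", re.IGNORECASE)

def parse(line):
    """Turn 'Key=value Key2="quoted value"' into a dict (constructed log format)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def classify(event):
    """Label one event with the stage of the chain it matches, or None."""
    eid = event.get("EventID")
    if eid == "1":  # Sysmon ProcessCreate: a GPO/logon script being run
        cmd = event.get("CommandLine", "").lower()
        if any(name in cmd for name in SCRIPT_NAMES):
            return "gpo_script_execution"
    elif eid == "11":  # Sysmon FileCreate: stealer output landing on SYSVOL
        target = event.get("TargetFilename", "")
        if SYSVOL_RE.search(target) and target.rsplit("\\", 1)[-1].lower() in OUTPUT_NAMES:
            return "sysvol_credential_dump"
    elif eid == "1102":  # Security log: "The audit log was cleared"
        return "eventlog_cleared"
    return None

def triage(lines):
    """Count each stage; two or more distinct stages together warrant escalation."""
    hits = Counter(lbl for lbl in (classify(parse(l)) for l in lines) if lbl)
    return dict(hits), len(hits) >= 2

# Constructed sample telemetry, modelled on the chain described in the article.
SAMPLE_LOG = [
    'EventID=1 Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c \\\\corp.example\\SYSVOL\\corp.example\\scripts\\logon.bat"',
    'EventID=1 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell.exe -ExecutionPolicy Bypass -File \\\\corp.example\\SYSVOL\\corp.example\\scripts\\IPScanner.ps1"',
    'EventID=11 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" TargetFilename="\\\\corp.example\\SYSVOL\\corp.example\\scripts\\LD"',
    'EventID=11 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" TargetFilename="C:\\Windows\\SYSVOL\\sysvol\\corp.example\\scripts\\temp.log"',
    'EventID=1102 Channel=Security SubjectUserName=svc_backup',
    'EventID=11 Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" TargetFilename="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"',
    'EventID=1 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell.exe -File C:\\Scripts\\inventory.ps1"',
]

if __name__ == "__main__":
    counts, escalate = triage(SAMPLE_LOG)
    print(counts, "escalate" if escalate else "no escalation")
```

Any one stage on its own (a single 1102, a lone logon script) is routine noise in many environments; the value is in correlating the SYSVOL write with the script execution and the log clearing on the same hosts within the same window.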

Implications and Mitigation Strategies

The extensive credential theft facilitated by this method could enable follow-up attacks and breaches across multiple platforms and services, and could significantly complicate response efforts. Moreover, it introduces a persistent threat that may linger even after the initial ransomware incident is resolved.

To mitigate this risk, organizations should enforce strict policies against storing credentials in web browsers. Implementing multi-factor authentication is also crucial in protecting accounts from hijacking, even in the event of credential compromises. Furthermore, applying the principles of least privilege and segmenting the network can significantly hinder a threat actor’s ability to move laterally within a compromised environment.

Given Qilin's links to the Scattered Spider social engineering group and their multi-platform capabilities, this tactical shift represents a substantial risk to organizations. As ransomware groups like Qilin continue to evolve, staying vigilant and proactive in implementing robust security measures is more critical than ever.