AutoIt Credential Flusher

Summary:
This article discusses a new technique used by stealer operators to coerce victims into entering their credentials in a browser, after which the saved credentials are harvested by conventional stealer malware. The method launches the browser in kiosk mode, primarily on Google login pages, leaving the victim little option but to sign in. The tactic has been linked to the Amadey loader and the StealC stealer.
#CredentialTheft #KioskMode #StealerMalware

Keypoints:

  • New technique observed in credential theft using browser kiosk mode.
  • Victims are pressured into entering credentials on targeted login pages.
  • Amadey malware is primarily responsible for deploying this technique.
  • StealC malware is used to steal the credentials stored in the browser.
  • Credential flusher script is implemented using AutoIt.
  • Sample hashes of the malware and scripts are provided.
  • Intelligence from Loader Insight Agency highlights the deployment process.
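Added example, not from the article or the OpenAnalysis research: a small detection routine that scores constructed process-creation events for the kiosk-mode browser launch described above. It assumes Sysmon-style fields (image, command line, parent image), treats accounts.google.com as the targeted login host, and the list of script-host parents (AutoIt3.exe, wscript.exe and so on) is an assumption for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Browser binaries and the kiosk switch each uses (Chromium: --kiosk, Firefox: -kiosk).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
KIOSK_FLAGS = {"--kiosk", "-kiosk"}
# Login host the article says is targeted; extend with your own identity providers.
LOGIN_HOSTS = {"accounts.google.com"}
# Assumed list of parents that should not normally spawn an interactive browser.
SCRIPT_HOST_PARENTS = {"autoit3.exe", "cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
_ARG_RE = re.compile(r'"[^"]*"|\S+')  # split a Windows command line, keeping quoted paths

@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / EDR style fields)."""
    image: str
    command_line: str
    parent_image: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Only browser launches are scored; others get 0."""
    if _basename(ev.image) not in BROWSERS:
        return 0, []
    args = _ARG_RE.findall(ev.command_line)[1:]  # drop argv[0]
    score, reasons = 0, []
    if any(a.lower() in KIOSK_FLAGS for a in args):
        score += 2; reasons.append("kiosk mode switch")
    for a in args:
        host = (urlparse(a.strip('"')).hostname or "").lower()
        if host in LOGIN_HOSTS:
            score += 2; reasons.append(f"opens login page {host}"); break
    parent = _basename(ev.parent_image)
    if parent in SCRIPT_HOST_PARENTS:
        score += 2; reasons.append(f"launched by script host {parent}")
    return score, reasons

def scan(events: list[ProcEvent], threshold: int = 4) -> list[tuple[int, int, list[str]]]:
    """(index, score, reasons) for events that look like a credential-flusher launch."""
    return [(i, s, r) for i, ev in enumerate(events) for s, r in [score_event(ev)] if s >= threshold]

SAMPLE_EVENTS = [  # constructed sample telemetry, not from the article
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/',
              r"C:\Users\victim\AppData\Local\Temp\AutoIt3.exe"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com/',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\firefox.exe" -kiosk https://accounts.google.com/',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://intranet.example/dashboard',
              r"C:\Windows\explorer.exe"),
]
```

A legitimate kiosk deployment or a user opening the Google login page by hand each scores below the threshold; only the combination of kiosk switch, login URL and an unusual parent is reported.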

MITRE Techniques:

  • Credential Dumping (T1003): Steals credentials from the browser’s credential store after they are entered by the victim.
  • Application Layer Protocol (T1071): Uses HTTP to communicate with the command and control server for downloading malware.
  • Obfuscated Files or Information (T1027): The credential flusher is packaged in an AutoIt binary to evade detection.

IoC:


  • Full Research: https://research.openanalysis.net/credflusher/kiosk/stealer/stealc/amadey/autoit/2024/09/11/cred-flusher.html