Infostealers Extorting Web Browser Account Credentials Detected by AhnLab EDR – ASEC BLOG

Web browsers are some of the programs most commonly and frequently used by PC users. Users generally use browsers to look up information, send and receive emails, and use web services such as shopping. This is the case for both individual users and employees conducting business in companies.

To use these services, users are generally required to log in to their own accounts. As logging in every time to use each service is inconvenient, most web browsers support auto login. That is, once a user logs in, the account credentials are saved in the configuration data of each application and can be used without going through the login process.

Figure 1. A message for auto-saving credentials

On the other hand, if a threat actor obtains control over the user system or a malware strain is installed in the system, these stored account credentials can easily be stolen. Because users generally use a small number of accounts to sign up for various services, having the account credentials of the few logged in accounts stolen can result in various data being handed over to the threat actor.

1. Infostealers

Infostealer is a type of information-stealing malware with the goal of stealing user credentials such as the user account information and histories that are saved in applications such as web browsers and email clients. Examples of Infostealers include AgentTesla, Lokibot, SnakeKeylogger, and RedLine. These form a large majority out of all malware types from the past.

Of course, threat actors pack and obfuscate the appearance of such known malware types when distributing them to bypass file detection by anti-malware products. Also, these may be injected into normal processes, having the actual malicious behaviors performed by the said processes. However, even if the malware format has changed, or even if it is injected into a normal process and run, the behaviors of malware include known malicious behaviors and can be detected by AhnLab EDR.

AgentTesla is an Infostealer usually distributed via spam mail. It collects information from a variety of applications including most known web browsers, email and FTP clients, and VNC programs. The collected data is then exfiltrated to the C&C server via SMTP, FTP, or Telegram API [1].

AgentTesla targets Chromium-based web browsers (Google Chrome and MS Edge) and Firefox to extort information from. Infostealers usually read data files from the path containing configuration data to find account credentials.

Figure 2. The routine for stealing account credentials from Google Chrome

The following is a case where AgentTesla was detected extorting account credentials saved in a web browser after being injected into MSBuild.exe, a normal process. In this environment, account credentials were saved in Google Chrome and MS Edge web browsers. AhnLab EDR detects the behavior of AgentTesla running within a normal process and extorting account credentials saved in web browsers as a threat (see below), helping an administrator become aware of the behavior in advance.

Figure 3. The detection logs of AgentTesla’s information extortion behavior while running in a normal process – EDR

2. APT Attacks

Stealing user account credentials is an important step out of the stages of attacks that can give the threat actor a great advantage. For example, even if the attack target is an ordinary user, the account credentials can be utilized to obtain more information in the future and can also be used in the initial access stage until the attack is successful. If the victim is a corporate user, the data can be used for lateral movement to take control over the organization’s internal network.

Therefore, the behavior of stealing account credentials is a step that APT threat groups also definitely use. That is, APT threat groups not only use known malware types distributed to unspecified targets but also Infostealers. The key point is that APT threat actors often tend to create unknown malware themselves to use in attacks instead of using the aforementioned malware types. However, even if a malware strain has been newly created, the behavior of extorting information is similar to those of known malware types in most cases.

The following is an Infostealer created by the Andariel group which targets Google Chrome, Firefox, Internet Explorer, Opera, as well as Naver Whale web browsers to extort information from [2]. This malware strain is a command line tool that outputs the extracted account credentials in a command line. It is believed that the threat actor used a backdoor to transmit the results to the C&C server. Because this type was distributed in the past, it currently does not function as intended. Yet the latest version is expected to be supported in new attacks.

Figure 4. The logs of the Andariel group’s Infostealer

AhnLab EDR detects the behavior of suspicious programs extorting account credentials saved in a web browser as a threat (see below), helping an administrator become aware of the behavior in advance.

Figure 5. The detection logs of the Andariel group’s Infostealer extorting information – EDR

3. Conclusion

Threat actors can use various methods to steal user account credentials. The stolen information then can be used for lateral movement to ultimately seize control over an organization’s network. Thus, account credentials play a vital role in the key stages of attacks and threat actors may use known malware strains along with custom-made Infostealers to obtain them.

Web browsers are programs used by default by most users and often offer auto-login features for convenience. If through whatever path a system is infected with an Infostealer, the stored account credentials can be stolen. Because the process of stealing account credentials stored in web browsers is a simple one where files containing the information are read and decrypted, there is a limit to products such as anti-malware software perfectly blocking such behaviors alone.

AhnLab Endpoint Detection and Response (EDR) is a next-generation threat detection and response solution, providing powerful threat monitoring, analysis, and response capabilities for endpoint areas based on Korea’s only self-behavior-based engine. AhnLab EDR continuously collects information related to suspicious behaviors based on each type, allowing users to precisely perceive threats from a detection, analysis, and response perspective. Users then can conduct comprehensive analysis based on the data to identify causes, respond with appropriate measures, and establish processes to prevent threat recurrence.

Behavior Detection
– CredentialAccess/MDP.WebBrowser.M11628
– CredentialAccess/MDP.WebBrowser.M11633

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

Source: https://asec.ahnlab.com/en/63174/