Credentials from Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. [1]

Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. [2]

Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc. [3][4]

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.[5]

After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).

ID: T1503
Tactic: Credential Access
Platform: Linux, macOS, Windows
Permissions Required: User
Data Sources: Process monitoring, PowerShell logs, File monitoring, API monitoring
Contributors: Ryan Benson, Exabeam; Barry Shteiman, Exabeam; Sylvain Gil, Exabeam; RedHuntLabs, @redhuntlabs
Version: 1.0

Procedure Examples

Name Description
Azorult

Azorult can steal credentials from the victim's browser.[15]

BlackEnergy

BlackEnergy has used a plug-in to gather credentials from web browsers including FireFox, Google Chrome, and Internet Explorer.[16][17]

Empire

Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome.[7]

jRAT

jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.[18]

KeyBoy

KeyBoy attempts to collect passwords from browsers.[13]

KONNI

KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.[12]

LaZagne

LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.[6]

Machete

Machete collects stored credentials from several web browsers. [25]

MuddyWater

MuddyWater has run a tool that steals passwords saved in victim web browsers.[26]

njRAT

njRAT has a module that steals passwords saved in victim web browsers.[19][20][21]

Prikormka

A module in Prikormka gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers.[10]

Proton

Proton gathers credentials for Google Chrome.[22]

QuasarRAT

QuasarRAT can obtain passwords from common web browsers.[8][9]

Smoke Loader

Smoke Loader searches for credentials stored from web browsers.[23]

Stolen Pencil

Stolen Pencil has used tools that are capable of obtaining credentials from web browsers.[27]

TA505

TA505 has used malware to gather credentials from Internet Explorer.[28]

TrickBot

TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge.[24]

XAgentOSX

XAgentOSX contains the getFirefoxPassword function to attempt to locate Firefox passwords.[11]

Zebrocy

Zebrocy has the capability to upload dumper tools that extract credentials from web browsers and store them in database files.[14]

Mitigations

Mitigation Description
Password Policies

Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers.

Detection

Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User Data\Default\Login Data. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser. Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).

References

  1. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  2. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  3. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  4. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  5. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  6. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  7. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  8. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  9. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  10. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  11. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  12. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  13. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  14. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.