Input Capture: GUI Input Capture
Other sub-techniques of Input Capture (4)
Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control). Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and PowerShell.(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. Unix Shell).(Citation: Spoofing credential dialogs)
Procedure Examples |
|
Name | Description |
---|---|
Proton |
Proton prompts users for their credentials.(Citation: objsee mac malware 2017) |
iKitten |
iKitten prompts the user for their credentials.(Citation: objsee mac malware 2017) |
Metamorfo |
Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims.(Citation: FireEye Metamorfo Apr 2018) |
Calisto |
Calisto presents an input prompt asking for the user's login and password.(Citation: Symantec Calisto July 2018) |
Keydnap |
Keydnap prompts the users for credentials.(Citation: synack 2016 review) |
Bundlore |
Bundlore prompts the user for their credentials.(Citation: MacKeeper Bundlore Apr 2019) |
FIN4 |
FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014) |
Dok |
Dok prompts the user for credentials.(Citation: objsee mac malware 2017) |
XCSSET |
XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process |
SILENTTRINITY |
SILENTTRINITY's `credphisher.py` module can prompt a current user for their credentials.(Citation: GitHub SILENTTRINITY Modules July 2019) |
Mitigations |
|
Mitigation | Description |
---|---|
User Training |
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
Detection
Monitor process execution for unusual programs as well as malicious instances of Command and Scripting Interpreter that could be used to prompt users for credentials. For example, command/script history including abnormal parameters (such as requests for credentials and/or strings related to creating password prompts) may be malicious.(Citation: Spoofing credential dialogs) Inspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources.
References
- Nelson, M. (2015, January 21). Phishing for Credentials: If you want it, just ask!. Retrieved December 17, 2018.
- Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021.
- Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.
- Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved December 17, 2018.
- Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits Mackeeper. Retrieved July 3, 2017.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
- Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
- Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
- Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
- Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
- Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.