Credentials from Password Stores: Credentials from Web Browsers
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading the SQLite database file AppData\Local\Google\Chrome\User Data\Default\Login Data and executing the SQL query SELECT action_url, username_value, password_value FROM logins; . The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim's cached logon credentials as the decryption key.(Citation: Microsoft CryptUnprotectData April 2018)
Adversaries have executed similar procedures for common web browsers such as Firefox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager.
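The Chrome procedure above gives defenders a concrete file to watch: under normal use only the browser itself opens its Login Data database. The following is an added detection example, not code from the page or from any tool it names; it runs over constructed file-access events (process image plus target file, modelled on EDR telemetry) and flags any process other than the expected browser binaries, by full path, that reads a Chromium-family Login Data file. The allowlist paths are assumptions for a default install and would be tuned per environment.

```python
import re
from typing import List, NamedTuple


class FileAccessEvent(NamedTuple):
    image: str   # full path of the process that opened the file
    target: str  # file that was opened


# Chromium-family credential database: ...\User Data\<profile>\Login Data
LOGIN_DATA_RE = re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)

# Processes expected to open that file (assumed default install paths).
# Full paths are compared, not basenames: a renamed or copied chrome.exe
# dropped into a user directory must still be flagged.
EXPECTED_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}

# Constructed sample events ("image|target" per line), not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Users\alice\AppData\Roaming\update.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Windows\System32\notepad.exe|C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Downloads\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
]


def parse_events(lines: List[str]) -> List[FileAccessEvent]:
    """Parse the simplified 'image|target' lines into events; skip blanks/comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        image, target = line.split("|", 1)
        events.append(FileAccessEvent(image, target))
    return events


def is_suspicious(ev: FileAccessEvent) -> bool:
    """True when a Login Data file is opened by anything but an expected browser binary."""
    if not LOGIN_DATA_RE.search(ev.target):
        return False
    return ev.image.lower() not in EXPECTED_IMAGES


def find_suspicious(lines: List[str]) -> List[FileAccessEvent]:
    return [ev for ev in parse_events(lines) if is_suspicious(ev)]


if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {ev.image} read {ev.target}")
```

In the constructed sample, the dropped update.exe and the chrome.exe copy in Downloads are flagged while the installed Chrome and Edge binaries are not.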
Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)
After acquiring credentials from web browsers, adversaries may attempt to reuse the credentials across different systems and/or accounts in order to expand access. This can significantly further an adversary's objectives where credentials gained from web browsers overlap with privileged accounts (e.g., domain administrator).
Procedure Examples

Name | Description |
---|---|
njRAT | njRAT has a module that steals passwords saved in victim web browsers.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)(Citation: Citizen Lab Group5) |
BlackEnergy | BlackEnergy has used a plug-in to gather credentials from web browsers including Firefox, Google Chrome, and Internet Explorer.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014) |
H1N1 | H1N1 dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.(Citation: Cisco H1N1 Part 2) |
Mispadu | Mispadu can steal credentials from Google Chrome.(Citation: SCILabs Malteiro 2021)(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: Metabase Q Mispadu Trojan 2023) |
Imminent Monitor | Imminent Monitor has a PasswordRecoveryPacket module for recovering browser passwords.(Citation: QiAnXin APT-C-36 Feb2019) |
Olympic Destroyer | Olympic Destroyer contains a module that tries to obtain stored credentials from web browsers.(Citation: Talos Olympic Destroyer 2018) |
Javali | Javali can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge.(Citation: Securelist Brazilian Banking Malware July 2020) |
CookieMiner | CookieMiner can steal saved usernames and passwords in Chrome as well as credit card credentials.(Citation: Unit42 CookieMiner Jan 2019) |
Patchwork | Patchwork dumped the login data database from |
SUGARDUMP | SUGARDUMP variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge.(Citation: Mandiant UNC3890 Aug 2022) |
APT41 | APT41 used BrowserGhost, a tool designed to obtain credentials from browsers, to retrieve information from password stores.(Citation: Rostovcev APT41 2021) |
WarzoneRAT | WarzoneRAT has the capability to grab passwords from numerous web browsers as well as from the Outlook and Thunderbird email clients.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020) |
ZIRCONIUM | ZIRCONIUM has used a tool to steal credentials from installed web browsers including Microsoft Internet Explorer and Google Chrome.(Citation: Zscaler APT31 Covid-19 October 2020) |
KONNI | KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.(Citation: Talos Konni May 2017) |
Malteiro | Malteiro has stolen credentials stored in the victim's browsers via the NirSoft WebBrowserPassView tool.(Citation: SCILabs Malteiro 2021) |
 | During the SolarWinds Compromise, APT29 stole users' saved passwords from Chrome.(Citation: CrowdStrike StellarParticle January 2022) |
ROKRAT | ROKRAT can steal credentials stored in web browsers by querying the SQLite database.(Citation: Talos Group123) |
QuasarRAT | QuasarRAT can obtain passwords from common web browsers.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018) |
APT3 | APT3 has used tools to dump passwords from browsers.(Citation: Symantec Buckeye) |
LaZagne | LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.(Citation: GitHub LaZagne Dec 2018) |
APT33 | APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail) |
RedLeaves | RedLeaves can gather browser usernames and passwords.(Citation: Accenture Hogfish April 2018) |
Stealth Falcon | Stealth Falcon malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chrome.(Citation: Citizen Lab Stealth Falcon May 2016) |
MgBot | MgBot includes modules for stealing credentials from various browsers and applications, including Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP.(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2023) |
TSCookie | TSCookie has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers.(Citation: JPCert TSCookie March 2018) |
Smoke Loader | Smoke Loader searches for credentials stored by web browsers.(Citation: Talos Smoke Loader July 2018) |
Agent Tesla | Agent Tesla can gather credentials from a number of browsers.(Citation: Bitdefender Agent Tesla April 2020) |