Qilin Ransomware TTPs Include Harvesting VPN Credentials in Chrome

In a recent Qilin ransomware attack observed in July 2024, threat actors stole credentials stored in Google Chrome browsers on compromised endpoints. The attackers gained access to the target network by exploiting compromised VPN credentials that lacked multi-factor authentication (MFA), The Hacker News reports.

‍

After 18 days of initial access, they performed post-exploitation actions, including modifying the default domain policy on a domain controller.

‍

The attackers introduced a logon-based Group Policy Object (GPO) containing two scripts. The first, a PowerShell script named "IPScanner.ps1," was designed to harvest credentials stored in Chrome.  

‍

The second was a batch script ("logon.bat") that executed the PowerShell script upon user login. The GPO remained active for over three days, during which time users unwittingly triggered the credential-harvesting process every time they logged in.

‍

This approach, leveraging legitimate remote desktop tools rather than custom-made malware, allowed the attackers to blend their activities with regular network traffic, making detection more difficult.  

‍

The combination of ransomware with credential harvesting represents a significant escalation in attack sophistication, potentially leading to broader consequences as the stolen credentials could be used for further malicious activities.

‍

Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, Qilin is a RaaS operation that first emerged in July of 2022 that is written in the Go and Rust programming languages and is capable of targeting Windows and Linux systems.  

‍

Rust is a secure, cross-platform programming language that offers exceptional performance for concurrent processing, making it easier to evade security controls‌ and develop variants to target multiple OSs Qilin operators are known to exploit vulnerable applications including Remote Desktop Protocol (RDP).

‍

The Qilin RaaS offers multiple encryption techniques giving operators several configuration options when conducting the attack.  

‍

Qilin operations include data exfiltration for double extortion with the threat to expose or sell the data via their leaks site should the victim fail to come to terms with the attackers The affiliate program offers an 80% take for ransoms under $3 million and 85% for those over $3 million.

‍

Qilin attack volumes are modest compared to leaders but given they are putting so many resources into developing one of the most generous profit sharing RaaS platforms in the market, combined with the use of advanced programming languages and a versatile attack platform, we are likely to see more from this group.

‍

Qilin is assessed to be a big game hunter selecting targets for their ability to pay large ransom demands, as well as targeting the healthcare and education sectors. Ransom demands are likely to be in the millions of dollars based on their affiliate profit sharing model which pays a higher percentage for ransoms over $3 million.

‍

Notable victims include Ditronics Financial Services, Daiwa House, ASIC SA, Thonburi Energy Storage, SIIX Corporation, WT Partnership Asia, FSM Solicitors.

‍

‍

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.