Users frequently utilize the convenience of automatic log in features provided by programs like web browsers, email clients, and FTP clients. However, this convenience comes at a cost as each of these programs stores user account credentials within their settings data. Despite being a convenient feature, it also poses a security risk because malicious threat actors are able to leak the users’ account credentials easily.
If malware or threat actors gain control of an infected system, they can employ various tools to extract users’ account credentials. Additionally, there are specifically designed Infostealers crafted for the sole purpose of extorting account credentials. If the malware is already known, installed anti-malware software on the endpoint can effectively respond to it. However, in order to handle unknown malware strains, the AhnLab Malware Defense System (MDS) is essential.
AhnLab MDS is a sandbox-based file analysis solution that executes files in a virtual environment to analyze their behavior. Since even novel files exhibit known malicious behaviors, AhnLab MDS can effectively detect them. AhnLab MDS comes equipped with an assortment of analysis engines that are utilized to analyze file behavior or the files themselves, enabling the accurate detection of advanced threats.
1. Overview
Web browsers are one of the most commonly and frequently used programs by PC users. This not only includes personal users but also employees who are performing corporate tasks. They are utilized for accessing web services, including search functions and email communication. Furthermore, various other tasks such as document work can be done through web browsers if the necessary web interface is provided.
As for emails, although they can be checked through web browsers, employees often prefer to install and use dedicated email clients such as Microsoft Outlook and Mozilla Thunderbird on their PCs. Although cloud services have become more popular for sharing files in recent years, there are still many cases where FTP is used.
The commonality among these programs is that users typically log in to access services with their own accounts. While users can log in each time they start their computers, most applications, including web browsers, support automatic login. Once logged in, the account credentials are stored in each application’s settings data, allowing seamless usage without the need for repeated logins.
Figure 1. Automatic save message for credentialsHowever, such convenience comes with risks. If a threat actor gains control of a user’s system or if malware is installed on the system, the stored account information can be easily stolen. Typically, users only use a few accounts for various services, so even if a small number of logged-in account credentials are stolen, various user information can fall into the hands of the threat actor.
It is worth noting that if an email address is used to log in, the email address itself is also exposed to the threat actor. This threat actor can then leverage this information to send threatening emails. Below is an example of a threatening email sent by a threat actor to an email address collected from a system that was infected with an Infostealer. Along with a captured screenshot and gathered information, the email threatens to produce explicit content using the collected information and send it to acquaintances via email and social media. The email also instructs the recipient to send $1,200 to the threat actor’s Bitcoin wallet address if the recipient does not wish for this to happen.
Figure 2. Screenshot captured by the threat actor along with the threatening email
2. Known Malware Cases
Infostealer is a type of information-stealing malware with the goal of stealing user information, such as the account credentials and history saved in applications like web browsers and email clients. Threat actors often employ techniques like packing and obfuscation before distributing their malware to evade file detection by anti-malware software. However, even if their outer appearances are changed, the behaviors of malware include known malicious activities. These activities can be detected by AhnLab MDS.
Here, we compiled cases of AhnLab MDS being used to detect the information exfiltration behavior of major Infostealers widely used in attacks.
A. AgentTesla
AgentTesla is an Infostealer that is primarily distributed via spam emails. This malware targets and collects information from a variety of applications, including most web browsers, email/FTP clients, and VNC programs. The collected information is then sent to a C&C server through SMTP, FTP, or the Telegram API. [1]
Among the various information exfiltration behaviors, this section outlines instances where AhnLab MDS detected the theft of user account credentials stored in web browsers and VNC by the AgentTesla Infostealer.
Figure 3. Account credentials exfiltration behavior detected in various web browsers – Detected by MDS
Figure 4. Account credentials exfiltration behavior detected in various VNC programs – Detected by MDS
B. Lokibot
Similar to AgentTesla, Lokibot is an Infostealer that targets a wide range of applications, including web browsers, email/FTP clients, file/password management programs, and terminal emulators, to steal account credentials. [2]
Among the various information exfiltration behaviors, this section outlines instances where AhnLab MDS detected the theft of user account credentials stored in email and FTP clients by the Lokibot Infostealer.
Figure 5. Account credentials exfiltration behavior detected in various email clients – Detected by MDS
Figure 6. Account credentials exfiltration behavior detected in various FTP clients – Detected by MDS
3. Cases of APT Attacks
Up to this point, we have discussed well-known malware strains that are distributed indiscriminately to the public. However, stealing user account credentials is a crucial step in the attack process that can provide threat actors with significant advantages. For example, even if the target is an ordinary user, threat actors can leverage stolen credentials to obtain more information later. For corporate users, stolen credentials can be used not only to infect systems but also to move laterally within the organization’s internal network and seize control.
Therefore, obtaining credentials is an essential step even for APT attack groups. It is important to note that due to the nature of APT attackers, they often create their own malware instead of using well-known ones. However, even if they create new malware, the behavior of stealing information is often similar to that of known malware.
AhnLab MDS executes and analyzes file behaviors in a virtual environment. Therefore, unlike other anti-malware software, it is able to detect and respond to information theft performed by unknown malware even when the appearance of the file cannot be diagnosed. Here, we cover cases where AhnLab MDS was used to detect various information-stealing malware used by APT groups to acquire user account credentials in the past.
A. Andariel
The Andariel threat group primarily targets Korean corporations and institutions and is known to collaborate with or operate as a subsidiary organization of the Lazarus threat group. The group was first identified targeting Korean entities in 2008, with major targets including national defense, political organizations, shipbuilding, energy, telecommunications, and other security-related entities. Additionally, universities, transportation, ICT companies, and various other corporations and agencies located in Korea have also been targeted.
The Andariel threat group mainly utilizes spear phishing attacks, watering hole attacks, and supply chain attacks during the initial infiltration process. There are also cases where the group exploits centralized management solutions during the malware installation process. [3] This post will cover the Infostealer that was installed in the past by the Andariel group using TigerRAT.
TigerRAT is a backdoor, so it does not have extensive features related to information theft. In order to gather additional information, the group used malware similar to other Infostealers to steal user account credentials stored in web browsers and Outlook clients. This malware is capable of stealing user account credentials from Chrome, Firefox, Internet Explorer, Opera, and Naver Whale web browsers, as well as the Outlook client. It then outputs them as command line outputs.
Figure 7. Andariel group’s InfostealerThe results presented below depict the outcomes of utilizing AhnLab MDS to identify the activities associated with the theft of user account credentials from web browsers and the Outlook client. This pertains to the Infostealer utilized in the APT attacks orchestrated by the Andariel group. This means that in environments where AhnLab MDS is installed, the information-stealing behavior is detected when the threat actor attempts to additionally install an Infostealer. This allows users to prevent threat actors from seizing control of the organization’s network via lateral movement and stealing internal information.
Figure 8. Account credentials exfiltration behavior of the Andariel group’s Infostealer – Detected by MDS
B. Kimsuky
Kimsuky is a threat group known to be supported by North Korea and has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a Korean energy corporation in 2014. Since 2017, their attacks have been targeting countries other than South Korea as well. They primarily target national defense, defense industries, media, diplomacy, government agencies, and academic fields via spear phishing attacks with the purpose of stealing internal information and technology. [4]
The Kimsuky group employs various malware for remote control, including self-made malware like AppleSeed and AlphaSeed, as well as tools like TinyNuke (HVNC) and TightVNC. However, since these malware strains lack any direct feature for stealing account credentials, they are often supplemented with Infostealer which is responsible for such a feature. The following is an Infostealer that was used in recent attacks to steal various user information, including account credentials, cookies, and browsing history stored in web browsers before creating a json file in the same directory.
Figure 9. Kimsuky group’s InfostealerAhnLab MDS can also detect when the Infostealer used in the Kimsuky group’s APT attacks steals user account credentials stored in web browsers. This allows for the detection and prevention of information theft on infected systems in advance, enabling administrators to be aware of the attack and prevent the next stage of the attack.
Figure 10. Account credentials exfiltration behavior of the Kimsuky group’s Infostealer – Detected by MDS
4. Conclusion
Threat actors can steal user credentials through various methods and use the stolen information to laterally move and ultimately take control of an organization’s network. Therefore, stealing user credentials is a crucial step in the attack process, and threat actors use both known malware and custom-made Infostealer for this purpose.
AhnLab MDS is a sandbox-based file analysis solution that executes files in a virtual environment to analyze their behavior. Both established malware and novel ones crafted by threat actors in APT attacks invariably engage in information-stealing behavior during their execution. By detecting these information-stealing behaviors, AhnLab MDS enables administrators to become aware of the attack and preemptively block the threat actor’s next move.
Behavior Detection
– Infostealer/MDP.Behavior.M10087
– CredentialAccess/MDP.infostealer.M10258
– CredentialAccess/MDP.infostealer.M10266
– CredentialAccess/MDP.Outlook.M11577
– CredentialAccess/MDP.IExplore.M11582
– Execution/MDP.Lokibot.M10952
– Execution/MDP.AgentTesla.M11002
AhnLab MDS detects and responds to unknown threats by performing sandbox-based dynamic analysis. For more information about the product, please visit our official website.
The post Account Credentials Stealing Malware Detected by AhnLab MDS (Web Browsers, Email, FTP) appeared first on ASEC BLOG.
Article Link: https://asec.ahnlab.com/en/61082/