Credential Flusher Research

Sept. 17, 2024, 2:59 p.m.

Description

This intelligence report describes a technique employed by threat actors to compel victims into entering their credentials into a browser, thereby enabling the credentials to be stolen from the browser's credential store using traditional credential-stealing malware. The method involves launching the victim's browser in kiosk mode and navigating to a login page, preventing the user from closing or navigating away from the webpage. This tactic frustrates the victim into entering their credentials in an attempt to close the window, after which the credentials are stored in the browser's credential store and can be exfiltrated.

External References

https://research.openanalysis.net/credflusher/kiosk/stealer/stealc/amadey/autoit/2024/09/11/cred-flusher.html
https://otx.alienvault.com/pulse/66e98a9f66c06c3e27892ed3
Tags
stealer
autoit
credential
stealc
2024-09-17
flusher
kiosk

Date

  • Created: Sept. 17, 2024, 1:56 p.m.
  • Published: Sept. 17, 2024, 1:56 p.m.
  • Modified: Sept. 17, 2024, 2:59 p.m.

Indicators

  • b119eb3e182224d5399b12f7f106ffd27a0f12dd418a64aa23425000adbc44de
  • 99e3eaac03d77c6b24ebd5a17326ba051788d58f1f1d4aa6871310419a85d8af
  • 78f4bcd5439f72e13af6e96ac3722fee9e5373dae844da088226158c9e81a078
  • 53aeb2fd2ee3a30d29afce4d852e4b33e96b0c473240691d6d63796caa3016f2
  • 0ec952da5d48ceb59202823d7549139eb024b55d93c2eaf98ca6fa99210b4608
  • 31.41.244.11
  • http://31.41.244.11/well/random.exe
  • http://31.41.244.11/steam/random.exe
Download all indicators here!

Attack Patterns

  • StealC
  • Amadey
  • T1158
  • T1086
  • T1556
  • T1608
  • T1115
  • T1070
  • T1083
  • T1592
  • T1027
  • T1053
  • T1059