Credential Flusher Research
Sept. 17, 2024, 2:59 p.m.
Description
This intelligence report describes a technique employed by threat actors to compel victims into entering their credentials into a browser, thereby enabling the credentials to be stolen from the browser's credential store using traditional credential-stealing malware. The method involves launching the victim's browser in kiosk mode and navigating to a login page, preventing the user from closing or navigating away from the webpage. This tactic frustrates the victim into entering their credentials in an attempt to close the window, after which the credentials are stored in the browser's credential store and can be exfiltrated.
Date
Published: Sept. 17, 2024, 1:56 p.m.
Created: Sept. 17, 2024, 1:56 p.m.
Modified: Sept. 17, 2024, 2:59 p.m.
Indicators
Attack Patterns
StealC
Amadey
T1158
T1086
T1556
T1608
T1115
T1070
T1083
T1592
T1027
T1053
T1059