Credential Flusher Research

Sept. 17, 2024, 2:59 p.m.

Description

This intelligence report describes a technique used by threat actors to coerce victims into entering their credentials in a browser, so that the credentials can then be stolen from the browser's credential store by conventional credential-stealing malware. The method launches the victim's browser in kiosk mode on a login page, which prevents the user from closing the window or navigating away. The aim is to frustrate the victim into entering their credentials in an attempt to dismiss the window; once saved in the browser's credential store, the credentials can be exfiltrated.
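As an added detection example (not part of this report), the following Python flags the browser launch that this technique relies on: a browser started with a kiosk switch and a URL argument. It assumes Sysmon-style process-creation events with image, command line and parent image fields; the events below are constructed, and the browser list and `--kiosk` switch (accepted by Chromium-based browsers and Firefox) are assumptions about the environment.

```python
import re
from pathlib import PureWindowsPath

# Browser binaries that honour a kiosk switch (assumption: Chromium family and Firefox).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
KIOSK_RE = re.compile(r"(?:^|\s)--?kiosk\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# A parent running from a user-writable staging path raises the severity.
SUSPICIOUS_PARENT_DIRS = ("\\temp\\", "\\downloads\\", "\\public\\")

# Constructed sample events (not from the report): one staged launch, one kiosk launch
# from a normal parent, and one ordinary browser start that must not alert.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" --kiosk https://login.example.com/',
     "parent": r"C:\Users\alice\AppData\Local\Temp\random.exe"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"firefox.exe" --kiosk https://accounts.example.com/signin',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" https://news.example.com/',
     "parent": r"C:\Windows\explorer.exe"},
]


def classify_event(event):
    """Return a finding for one process-creation event, or None if it does not match."""
    image = PureWindowsPath(event["image"]).name.lower()
    if image not in BROWSERS:
        return None
    cmdline = event["cmdline"]
    if not KIOSK_RE.search(cmdline):
        return None
    urls = URL_RE.findall(cmdline)
    if not urls:
        return None  # kiosk mode without a target page is not this pattern
    parent = event["parent"].lower()
    severity = "high" if any(d in parent for d in SUSPICIOUS_PARENT_DIRS) else "medium"
    return {"browser": image, "url": urls[0], "parent": event["parent"], "severity": severity}


def detect_credential_flusher(events):
    """Scan events and return all findings, highest severity first (medium may be a legitimate kiosk)."""
    findings = [f for f in (classify_event(e) for e in events) if f]
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings


if __name__ == "__main__":
    for finding in detect_credential_flusher(SAMPLE_EVENTS):
        print(finding)
```

Medium-severity hits from a normal parent are where legitimate kiosk deployments (signage, shared terminals) will land, so tune the parent allow-list to the environment before alerting on them.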

Date

Published: Sept. 17, 2024, 1:56 p.m.

Created: Sept. 17, 2024, 1:56 p.m.

Modified: Sept. 17, 2024, 2:59 p.m.

Indicators

Attack Patterns

StealC

Amadey

T1158

T1086

T1556

T1608

T1115

T1070

T1083

T1592

T1027

T1053

T1059