Browser Sensitive Data Enumeration

ID

browser_sensitive_data_enumeration

Severity

high

Resource

Sensitive Data

Tags

spyware

Description

This detector checks for code that collects browser sensitive data.

Rationale

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key.

This technique is common in malicious NPM and PyPI package campaigns. Many of the malicious packages in these ecosystems perform browser sensitive data enumeration followed by exfiltration of the collected data.

Many of them simply collect sensitive information for use in later attacks or for resale on the black market.

Some well-known malware families using this technique are:

  • Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.

  • PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector.

  • QakBot stands out as a modular banking trojan primarily employed by financially motivated actors since at least 2007. Continuously updated, it has transformed from an information stealer into a delivery mechanism for ransomware.

Configuration

The detector has the following configurable parameters:

  • path_patterns, the path patterns the detector uses to match sensitive browser data locations.

  • sources, the source kinds to check. Available values are:

    • browser_sensitive_data

  • sinks, the sink kinds to check. Available values are:

    • resource_injection

  • neutralizations, the neutralization kinds to check. By default this is empty: no neutralizers are considered for potentially malicious code.
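To illustrate how a path_patterns-style check works, the following added example (not the detector's own code) matches package source text against constructed browser credential-store path patterns and against the extraction indicators named in the rationale (the logins query and CryptUnprotectData). The pattern lists, sample snippets and severity labels are assumptions for the example; the real detector's defaults are not shown on this page.

```python
import re

# Constructed path patterns modelled on the detector's path_patterns idea
# (assumed for this example; the detector's real default list is not on the page).
BROWSER_DATA_PATTERNS = [
    r"Google[\\/]+Chrome[\\/]+User Data[\\/]+.*Login Data",
    r"Mozilla[\\/]+Firefox[\\/]+Profiles[\\/]+.*logins\.json",
]

# Indicators of the extraction step described in the rationale.
EXTRACTION_INDICATORS = [
    r"CryptUnprotectData",
    r"SELECT\s+.*\bFROM\s+logins\b",
]


def find_browser_data_access(source: str) -> dict:
    """Return the path patterns and extraction indicators found in source text."""
    hits = {"paths": [], "extraction": []}
    for pat in BROWSER_DATA_PATTERNS:
        if re.search(pat, source, re.IGNORECASE):
            hits["paths"].append(pat)
    for pat in EXTRACTION_INDICATORS:
        if re.search(pat, source, re.IGNORECASE):
            hits["extraction"].append(pat)
    return hits


def classify(source: str) -> str:
    """A credential-store path combined with an extraction step is the strongest signal."""
    hits = find_browser_data_access(source)
    if hits["paths"] and hits["extraction"]:
        return "high"
    if hits["paths"] or hits["extraction"]:
        return "suspicious"
    return "none"


# Constructed sample snippets standing in for scanned package source.
SAMPLE_SUSPICIOUS = r'''
db = os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data")
q = "SELECT action_url, username_value, password_value FROM logins;"
'''
SAMPLE_QUERY_ONLY = 'rows = cur.execute("SELECT id FROM logins WHERE active = 1")'
SAMPLE_BENIGN = 'settings = json.load(open("config.json"))  # reads the package config'

if __name__ == "__main__":
    for name, snippet in [("suspicious", SAMPLE_SUSPICIOUS), ("query_only", SAMPLE_QUERY_ONLY), ("benign", SAMPLE_BENIGN)]:
        print(name, classify(snippet), find_browser_data_access(snippet))
```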