
A new Windows trojan has been discovered that attempts to steal passwords stored in the Google Chrome browser. While this is nothing unique, what stands out is that the malware uses a remote MongoDB database to store the stolen passwords.
This trojan is called CStealer, and like many other info-stealing trojans, was created to target and steal login credentials that were saved in Google Chrome's password manager.

After being discovered by MalwareHunterTeam and further analyzed by James, though, things got a bit more interesting.
Instead of compiling the stolen passwords into a file and sending them to a C2 under the attacker's control, the malware connects directly to a remote MongoDB database and uses it to store the stolen credentials.
To do this, the malware includes hardcoded MongoDB credentials and utilizes the MongoDB C Driver as a client library to connect to the database.

This is further illustrated by a test of the malware conducted by James. As you can see in the Wireshark screenshot below, when the malware steals Chrome passwords it connects to the remote MongoDB database in order to store them for later retrieval by the attacker.

While this method ultimately serves its purpose of stealing passwords, it also opens the door for other attackers to gain access to the victim's credentials.
Anyone analyzing this malware, whether it be law enforcement, researchers, or other threat actors, can retrieve the hardcoded credentials and use them to gain access to the stolen credentials.
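Because the connection string is embedded in the binary, an analyst can triage a sample for it without running anything. The following is an added example, not code from the article or from the malware: it scans a blob for MongoDB URIs (narrow and UTF-16LE strings), flags those that carry credentials, and produces a credential-free form for reports. The `SAMPLE` bytes, the `stealer` user and the 203.0.113.10 host are constructed placeholders, not values from CStealer.

```python
"""Static triage: find MongoDB connection strings in a sample and flag any that
carry credentials, the giveaway the article describes for CStealer."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

MONGO_URI_RE = re.compile(                   # mongodb:// or mongodb+srv:// URI
    rb"mongodb(?:\+srv)?://"
    rb"(?:(?P<user>[^:@/\s\x00]+)(?::(?P<pw>[^@/\s\x00]*))?@)?"  # user:pass@
    rb"(?P<hosts>[^/\s?\x00]+)"                                  # host:port,...
    rb"(?:/(?P<db>[^?\s\x00]*))?(?:\?[^\s\x00]*)?")              # /db?options
WIDE_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")  # printable UTF-16LE runs

@dataclass
class MongoHit:
    offset: int            # byte offset of the URI inside the scanned blob
    wide: bool             # True if it was stored as UTF-16LE
    user: Optional[str]
    has_password: bool
    hosts: List[str] = field(default_factory=list)
    database: Optional[str] = None

    def redacted(self) -> str:
        """Connection target without the secret, safe to put in a report."""
        auth = f"{self.user}:***@" if self.user else ""
        db = f"/{self.database}" if self.database else ""
        return f"mongodb://{auth}{','.join(self.hosts)}{db}"

def _hits_in(buf: bytes, base: int, wide: bool) -> List[MongoHit]:
    out = []
    for m in MONGO_URI_RE.finditer(buf):
        user = m.group("user")
        out.append(MongoHit(
            offset=base + m.start() * (2 if wide else 1), wide=wide,
            user=user.decode("latin-1") if user else None,
            has_password=m.group("pw") is not None,
            hosts=m.group("hosts").decode("latin-1").split(","),
            database=(m.group("db") or b"").decode("latin-1") or None))
    return out

def find_mongo_uris(blob: bytes) -> List[MongoHit]:
    """Scan narrow strings, then each UTF-16LE run with its null bytes stripped."""
    hits = _hits_in(blob, 0, wide=False)
    for run in WIDE_RUN_RE.finditer(blob):
        hits += _hits_in(run.group(0)[::2], run.start(), wide=True)
    return sorted(hits, key=lambda h: h.offset)

# Constructed stand-in for a sample's string table; not bytes from CStealer.
SAMPLE = (b"\x00MZ\x90junk\x00"
          b"mongodb://stealer:s3cr3t@203.0.113.10:27017/loot?authSource=admin\x00"
          + "mongodb://localhost:27017".encode("utf-16-le") + b"\x00\x00")
```

A hit with `has_password` set is the condition the article describes: whoever holds the sample holds the database login, so the target host should go into blocking and notification, never the secret itself into a shared report.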
Comments
Serversorcery - 4 years ago
It would make articles much more valuable if they included the affected operating systems, and if possible the CVE/vulnerabilities used in the exploit, malware attack vector, and other technical information. When I click on articles like this I want them to answer if I or my company or my clients or my friends etc etc are vulnerable, even if it's only via a link to additional information somewhere in the article.
Thank you,
Server Sorcery
an0n - 4 years ago
Foreword: You're missing the point of this article. The author mentions that the malware being a chrome password stealer isn't notable ("While this is nothing unique"), and goes on to explain that this is interesting because of the fact that it's storing the pilfered credentials in a mongo instance that is effectively available to anyone who can retrieve a copy of the malware itself, noting that other attackers may simply steal this attacker's "loot". With that stated, here's what you're looking for:
Affected OS: Any non-ARM Windows OS running Chrome
CVE: None / irrelevant / not getting patched by Google because it's intended functionality
Attack vector: Misusing built-in functionality to Chrome
Risk summary: This works on literally any and every installation of Chrome in Windows with trivial difficulty. Stored password retrieval is a feature of Chrome itself.
Side note: This is also possible on OS X, Linux, and other OS's running Chrome, but I cannot attest to the decryption process.
Technical details: If it makes you feel any better, the passwords do have the most negligible sliver of protection - they are encrypted by default with the Win32 CryptProtectData() function. Of course, this isn't particularly helpful, given that as long as the same [Windows] user was the one who initially "saved" the password into Chrome [read: original account that was used to call CryptProtectData()] is the one who is currently logged in when this payload is executed, the malware can simply call CryptUnprotectData().
Additional reference: This is trivial enough that university students are doing it as projects for their entry-level security classes in college: https://www.cse.wustl.edu/~jain/cse571-14/ftp/p_trojan/index.html
Remediation steps: https://lmgtfy.com/?q=group+policy+disable+chrome+password+storing&iie=1
If the fact that not every piece of malware utilizes a vulnerability with an assigned CVE ID is news to you, I can only pray that you work far, far away from any kind of information security org or department.
Lawrence Abrams - 4 years ago
an0n's reply pretty much explains the interesting part of this, but I added Windows to the first sentence so people are better informed.
Thanks for the suggestion.
Serversorcery - 4 years ago
Well that was a super rude response by Anon. Clearly you took some classes on cyber security but didn't learn everything you needed to in kindergarten.
Anyway thanks for adding the affected OS for this malware. Hopefully other readers understood that I didn't imply this malware had a CVE, since often the user is responsible for running the malware as an admin. In this day and age it's worth mentioning the trajectory, whether it involves a documented vulnerability, or simply came as christmas.exe in an email and required an ID10T error.
I hope chastising me made Anon feel better, despite the fact that my comment went over their head a bit.
JohnnyJammer - 4 years ago
I think you might find that you don't need to be Admin for this to pull the credentials; it's the same as Nirsoft for pulling creds with Firefox and Chrome, mate.
Speeddymon - 4 years ago
Why doesn't MalwareHunterTeam just change the passwords of every stolen account in the database? This would force the users to change their passwords and invalidate every record, thus wasting the malware author's time.
Lawrence Abrams - 4 years ago
Because that is illegal.
voidrunner - 4 years ago
This just raises the question, WHY would you EVER store a password on Chrome. Write it down in a book, or on a sticky note, but never store any info like that online; you're asking to get hacked then.
Saikotic - 4 years ago
In response to Voidrunner:
I'm sorry if not all of us are naturally born with the ability to keep track of everything we write down. Besides, keeping your login information on a piece of paper isn't much better when you think about it. Sure, it may be harder to obtain, but it's much easier to lose to someone else if it's dropped somewhere or stolen. At that point, anyone can see it without even being a hacker. I'm thinking the most secure way of saving your info is just to remember it.
voidrunner - 4 years ago
Saikotic, you don't have to be "born with the ability to keep track of everything you write down." All you have to do is get a little note pad, write down the site, and your Username and Password, then stick it in your drawer.
As for it being "dropped or stolen" as said above, keep it in your drawer.
Whalley_World - 4 years ago
Password storage software is more secure than Post-its, desk drawers, undersides of keyboards, books, or any other "clever" hiding places. The credential software offers encryption - stronger than that offered by a browser. Writing it down on a piece of paper is about as secure as "hiding" a spare house key under a fake rock. It doesn't fool anyone.
ishban - 4 years ago
There are usually 4 things they tell people during company orientation.
1. Never write down your password so someone can find it and access your computer.
2. Never leave your PC logged in so someone can access it.
3. Change your password regularly.
4. Use a different password for every website.
If you only have 1 password to remember, sure, you can write it down and put it in your wallet, but who only has 1 password they need to keep track of?