<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>RedLine Stealer - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/actors/redline-stealer/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/actors/redline-stealer/feed.xml" rel="self" type="application/rss+xml"/><item><title>Non-Chrome Process Accessing Chrome Login Data</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-chrome-login-data-access/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-chrome-login-data-access/</guid><description>This analytic identifies non-Chrome processes accessing the Chrome user data file 'login data', an SQLite database containing sensitive information like saved passwords, potentially indicating credential theft attempts.</description><content:encoded><![CDATA[<p>This detection identifies processes other than Chrome accessing the &quot;Login Data&quot; file, an SQLite database containing sensitive user information such as saved usernames and passwords. This file is typically located in the Chrome user profile directory. The activity is detected by monitoring Windows Security Event logs (EventCode 4663) for object access events. The analytic aims to detect unauthorized attempts by malware or threat actors to steal credentials stored within the Chrome browser. This activity is particularly concerning because successful credential theft can lead to unauthorized access to sensitive accounts and potential privilege escalation within the compromised environment. Observed threat actors leveraging this technique include RedLine Stealer, DarkGate Malware, NjRAT, Phemedrone Stealer, and other credential stealers and RATs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system through various means (e.g., phishing, exploit).</li>
<li>The attacker executes a malicious program (e.g., RedLine Stealer) on the compromised endpoint.</li>
<li>The malicious program attempts to access the Chrome &quot;Login Data&quot; file located in the user's profile directory (e.g., <code>C:\\Users\\&lt;username&gt;\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data</code>).</li>
<li>The Windows Security Event Log generates an Event ID 4663, recording the access attempt.</li>
<li>The malicious program reads the &quot;Login Data&quot; SQLite database, extracting saved usernames, passwords, and website URLs.</li>
<li>The extracted credentials are then exfiltrated to the attacker's command-and-control (C2) server.</li>
<li>The attacker uses the stolen credentials to access sensitive accounts, potentially leading to data breaches, financial fraud, or further lateral movement within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised Chrome login data can expose user credentials for various online services, including banking, email, and social media accounts. A successful attack can lead to financial loss, identity theft, and unauthorized access to sensitive corporate resources. Organizations using Chrome as their primary browser are particularly vulnerable. The number of affected users depends on the scope of the initial compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable &quot;Audit Object Access&quot; in Group Policy and configure auditing for both &quot;Success&quot; and &quot;Failure&quot; events to generate Windows Security Event 4663, as required by the Splunk search query.</li>
<li>Deploy the Sigma rule &quot;Detect Non-Chrome Process Accessing Chrome Login Data&quot; to your SIEM to identify unauthorized access attempts to the Chrome &quot;Login Data&quot; file.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on identifying the source process and the context of the access.</li>
<li>Consider implementing application control policies to restrict which processes can access sensitive files like the Chrome &quot;Login Data&quot; file.</li>
<li>Educate users about the risks of phishing and social engineering attacks, which are common initial access vectors for malware that steals credentials.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>credential-access</category><category>stealer</category><category>chrome</category></item></channel></rss>