HackBrowserData is an open-source tool created by an author of Chinese origin who uses the username ‘moonD4rk’ on GitHub. The tool claims to decrypt and export many types of data stored by browsers, including passwords, browsing history, cookies, bookmarks, credit cards, download history, local storage, and extensions. It supports the most popular browsers on Windows, macOS and Linux. Such a tool can be used by red teams or threat actors as an info-stealer during post-exploitation.
Researchers at EclecticIQ found that a modified version of this tool was used in a campaign against various Indian government-related agencies and Indian private companies in the energy sector in March 2024. The actor ran a phishing campaign built around an invitation letter purportedly from the Indian Air Force; the phishing email carried an ISO attachment. This article describes the behavior of the modified HackBrowserData build employed in this campaign and demonstrates FortiEDR detection and blocking of the threat.
Figure 1. Attack Diagram for FlightNight attack.
This campaign started with a phishing email delivering an ISO attachment to targeted victims. When the victim mounts the ISO, the mounted drive contains a shortcut file named ‘invitation-letter’. The shortcut runs ‘scholar.exe’ from a hidden ‘.t’ folder in the ISO and, once ‘scholar.exe’ has been launched, the same command opens ‘invite.pdf’ from that hidden folder. The shortcut file, the ‘.t’ folder and the files inside it can be seen in Figure 2.
Figure 2. The ISO contains the shortcut file and the folder .t, which holds scholar.exe and invite.pdf
The shortcut contains the following command:
C:\Windows\System32\cmd.exe%CD%./c start /B .t\scholar.exe & .t\invitation.pdf
When this command is executed, ‘scholar.exe’ starts in the background while ‘invitation.pdf’ is opened in the foreground. The command execution can be observed in FortiEDR Threat Hunting telemetry in Figure 3.
Figure 3. FortiEDR Threat Hunting telemetry showing command execution from shortcut file.
The file ‘invitation.pdf’ contains a fake letter from a supposed member of the Indian Air Force; a snippet is shown in Figure 4.
Figure 4. Decoy invitation PDF shown to the victim.
When ‘scholar.exe’ (SHA1 - A912DF162DAF2C75C23750A51CAF198822427094) is executed, FortiEDR detects it as ‘ShellcodeRunner.ME!tr’, which triggers the ‘Malicious File Detected’ rule of the ‘Execution Prevention’ policy. As a result, execution is blocked by FortiEDR. This event is shown in Figure 5.
Figure 5. Initial execution of the malicious scholar.exe was blocked by FortiEDR
If allowed to execute, ‘scholar.exe’ extracts data from the browsers installed on the victim endpoint. In our case the victim VM had only the Microsoft Edge browser installed, so only Edge data was dumped. The files created were:
microsoft_edge_default_history.csv
microsoft_edge_default_download.csv
microsoft_edge_default_cookie.csv
microsoft_edge_default_sessionstorage.csv
microsoft_edge_default_localstorage.csv
microsoft_edge_def_sessionstorage.csv
This output file naming matches the output files of the open-source HackBrowserData project[1]. The files were created in the folder ‘C:\Users\Public\results\’. The file creation events related to this activity can be observed in FortiEDR Threat Hunting telemetry, as shown in Figure 6 below.
Figure 6. FortiEDR Threat Hunting Telemetry of stolen browser data intermediate files.
After all files are created, the ‘scholar.exe’ process compresses the output folder into a zip file named ‘results.zip’ in ‘C:\Users\Public’. It then communicates with ‘slack[.]com’ over HTTPS and sends the created files to the threat actor's Slack channel. On initial execution, ‘scholar.exe’ also connects to ‘ctldl.windowsupdate[.]com’ and downloads the legitimate ‘authrootstl.cab’ file. We believe this is caused by a Go library that ‘scholar.exe’ uses for SSL communication, and that it is a dependency of ‘scholar.exe’ rather than C2.
Before ‘scholar.exe’ communicates with the Slack server for file exfiltration, it creates a file named ‘Bkdqqxb.txt’ in ‘C:\Users\<UserName>\AppData\Local\Temp\’. We have observed the same file name across multiple different victim VMs for this executable, so we believe it might be used as a mutex by the malicious program.
Because the ‘scholar.exe’ process is marked as malicious, any further network communication from this file to the Slack server is blocked by FortiEDR. A security event for one of these C2 connection attempts is shown in Figure 7 below.
Figure 7. Malicious scholar.exe communication with the Slack server is blocked by FortiEDR
After sending the browser data to Slack, ‘scholar.exe’ deletes the dumped browser data files and the staged zip file. This activity triggers the FortiEDR ‘Malicious File Detected’ rule of the ‘Ransomware Prevention’ security policy, and the activity is blocked. This can be observed in Figure 8 below.
Figure 8. Intermediate browser data files deletion blocked by FortiEDR.
We also downloaded and detonated the binary released on the HackBrowserData GitHub page, and FortiEDR detected and blocked its execution. To demonstrate FortiEDR's machine learning detection, we modified the file so that its hash changed and detonated it again. FortiEDR's machine learning still detected the file as malicious and blocked execution of the altered file.
As this article shows, FortiEDR detects and mitigates behavior associated with execution of the ‘HackBrowserData’ tool. Some of these behaviors include:
Characteristics of the modified tool were identified by machine learning as likely malicious
File deletion performed by the customized tool following execution was detected and blocked
Network communication (to Slack) of the malicious program for data exfiltration was blocked
The Threat Hunting queries below support proactive detection of the ‘HackBrowserData’ tool and its custom malicious implementation.
The following Threat Hunting query detects ‘Socket Connect’ events where a process named ‘scholar.exe’ connects to the Slack file server IP addresses observed in this campaign. Note that the IP addresses and file name are specific to this campaign, and the query may need adjustment for future campaigns.
Type:("Socket Connect") AND Source.Process.Name:("scholar.exe") AND RemoteIP:("3.129.123.235" OR "34.202.253.6" OR "13.127.99.68" OR "13.126.138.201") AND RemotePort:("443")
The following Threat Hunting query detects ‘Process Creation’ events where the process file name is cmd.exe and the command line arguments match those used in this campaign. Note that the file names in this command are specific to this campaign, and the query may need adjustment for future campaigns.
Type:("Process Creation") AND Target.Process.File.Name:("cmd.exe") AND Target.Process.CommandLine:("\/c start \/B .t\\scholar.exe & .t\\invitation.pdf")
The following Threat Hunting query detects ‘File Create’ events for a file named ‘Bkdqqxb.txt’. The same file name is created by ‘scholar.exe’ when executed on different test VMs. Note that the file name is specific to this campaign, and the query may need adjustment for future campaigns.
Type:("File Create") AND Target.File.Name:("Bkdqqxb.txt")
The following Threat Hunting query detects ‘File Create’ events where the file name matches the default Edge browser data output files created by the HackBrowserData tool.
Type:("File Create") AND Target.File.Name:("microsoft_edge_default_history.csv" OR "microsoft_edge_default_download.csv" OR "microsoft_edge_default_cookie.csv" OR "microsoft_edge_default_sessionstorage.csv" OR "microsoft_edge_default_localstorage.csv" OR "microsoft_edge_def_sessionstorage.csv")
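As an added example (not code from this article or from FortiEDR), the four hunting queries above translated into a portable Python check run over constructed telemetry: the event field names are hypothetical, while the IPs, file names and command line are the indicators listed in this article.

```python
import re

# Campaign indicators from the write-up above (Slack IPs, marker file, Edge outputs, LNK command).
CAMPAIGN_SLACK_IPS = {"3.129.123.235", "34.202.253.6", "13.127.99.68", "13.126.138.201"}
MARKER_FILE = "bkdqqxb.txt"
HBD_EDGE_OUTPUT_FILES = {
    "microsoft_edge_default_history.csv", "microsoft_edge_default_download.csv",
    "microsoft_edge_default_cookie.csv", "microsoft_edge_default_sessionstorage.csv",
    "microsoft_edge_default_localstorage.csv", "microsoft_edge_def_sessionstorage.csv",
}
LNK_CMD_RE = re.compile(r"start\s+/B\s+\.t\\scholar\.exe\s*&\s*\.t\\invitation\.pdf", re.I)

# Constructed sample telemetry with hypothetical field names (not FortiEDR's
# schema); the final event is benign noise that must not alert.
SAMPLE_EVENTS = [
    {"type": "Process Creation", "process": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /c start /B .t\scholar.exe & .t\invitation.pdf"},
    {"type": "File Create", "process": "scholar.exe",
     "path": r"C:\Users\Public\results\microsoft_edge_default_cookie.csv"},
    {"type": "File Create", "process": "scholar.exe",
     "path": r"C:\Users\victim\AppData\Local\Temp\Bkdqqxb.txt"},
    {"type": "Socket Connect", "process": "scholar.exe",
     "remote_ip": "3.129.123.235", "remote_port": 443},
    {"type": "File Create", "process": "explorer.exe", "path": r"C:\Users\victim\notes.csv"},
]

def basename(path):
    """Lower-cased final component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Apply the four campaign rules to a list of events; return (rule, event) hits."""
    hits = []
    for ev in events:
        kind, proc = ev.get("type"), basename(ev.get("process", ""))
        if kind == "Process Creation" and proc == "cmd.exe" \
                and LNK_CMD_RE.search(ev.get("cmdline", "")):
            hits.append(("lnk_cmd_launches_scholar", ev))
        elif kind == "File Create":
            name = basename(ev.get("path", ""))
            if name in HBD_EDGE_OUTPUT_FILES:
                hits.append(("hackbrowserdata_output_file", ev))
            elif name == MARKER_FILE:
                hits.append(("scholar_marker_file", ev))
        elif kind == "Socket Connect" and proc == "scholar.exe" \
                and ev.get("remote_ip") in CAMPAIGN_SLACK_IPS and ev.get("remote_port") == 443:
            hits.append(("scholar_slack_exfil", ev))
    return hits
```

Running `hunt(SAMPLE_EVENTS)` yields one hit per rule and nothing for the benign event; the output-file rule is the only one that generalises beyond this campaign, the other three key on campaign-specific values and need updating for new samples.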
Note: The indicators in observed activity for each MITRE technique are relevant to analyzed campaigns and may change in future campaigns.
Technique ID | Technique Description | Observed Activity
T1566.002 | Phishing: Spearphishing Link | Specific government and defense agencies were targeted as part of this campaign using material designed to appear legitimate.
T1204.002 | User Execution: Malicious File | Users would be tricked into opening a malicious shortcut file which would execute the malicious ‘scholar.exe’. The shortcut file had its icon set to the default PDF logo to masquerade as a PDF.
T1036.008 | Masquerading: Masquerade File Type | The LNK file has had its icon changed to appear as a PDF file.
T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | The HackBrowserData tool can be used to extract credentials from web browsers.
T1539 | Steal Web Session Cookie | The HackBrowserData tool steals session cookies from web browsers.
T1217 | Browser Information Discovery | The HackBrowserData tool collects information about the browser and its data.
T1005 | Data from Local System | The HackBrowserData tool extracts credentials and data from web browsers.
T1567 | Exfiltration Over Web Service | The modified HackBrowserData tool sends data over a web service to a Slack channel of the attacker’s choice.
T1573 | Encrypted Channel | The modified HackBrowserData tool sends data over an encrypted HTTPS channel to a specific Slack channel.
T1071.001 | Application Layer Protocol: Web Protocols | The modified HackBrowserData tool sends data over a web service to a Slack channel of the attacker’s choice.
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Malicious Executable | 4D9C4093E959467F8A515421310BC4D34F354EA6 | SHA1 Hash | Installation | Malicious ISO image file | 2024-03-10
Malicious Executable | 07B63A6320252FAE87894DFFA7B3DE2E9AB70E2C191DCB9E1F4D679BA0146331 | SHA256 Hash | Installation | Malicious ISO image file | 2024-03-10
Malicious Executable | A912DF162DAF2C75C23750A51CAF198822427094 | SHA1 Hash | Installation | Malicious scholar.exe file | 2024-03-08
Malicious Executable | 0AC787366BB435C11BF55620B4BA671B710C6F8924712575A0E443ABD9922E9F | SHA256 Hash | Installation | Malicious scholar.exe file | 2024-03-08
Malicious Executable | CEF9EF1BBBB0B80C21DD5C58BF68B374A194B35B | SHA1 Hash | Installation | Malicious LNK file | 2024-03-08
Malicious Executable | 4455CA4E12B5FF486C466897522536AD753CD459D0EB3BFB1747FFC79A2CE5DD | SHA256 Hash | Installation | Malicious LNK file | 2024-03-08
Copyright 2024 Fortinet, Inc. All Rights Reserved.