Breaking The Browser - A tale of IPC, credentials and backdoors - MDSec
Common Information
Type Value
UUID f78c2d58-dc45-404c-bc82-773848b63d8b
Fingerprint a6701b13097dc387
Analysis status DONE
Considered CTI value 1
Text language
Published Jan. 12, 2021, 1:10 p.m.
Added to db Jan. 18, 2023, 11:29 p.m.
Last updated Nov. 17, 2024, 12:55 p.m.
Headline Breaking The Browser – A tale of IPC, credentials and backdoors
Title Breaking The Browser - A tale of IPC, credentials and backdoors - MDSec
Detected Hints/Tags/Attributes 62/1/14
Attributes
Type       #Events  CTI Value
Domain     2        account.google.com
Domain     2        hunt.py
Domain     36       login.live.com
Domain     1        plugins.py
Domain     2        asdf.com
Domain     54       re.search
Email      1        asdf@asdf.com
File       18       chrome.dll
File       2        hunt.py
File       1        plugins.py
File       83       crypt32.dll
File       271      chrome.exe
Url        1        https://account.google.com
Yara rule  1        (rule text below)
rule outlook_creds {
	meta:
		author = "@_batsec_"
		plugin = "outlook_parse"
	strings:
		// Microsoft account sign-in host that Outlook authenticates against
		$str1 = "login.live.com"
		// field names from the credential POST body sent to that host
		$str2 = "login="
		$str3 = "hisScaleUnit="
		$str4 = "passwd="
	condition:
		// fire only when all four literals appear in the scanned buffer
		all of them
}
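Added example, not code from the MDSec post or from this CTI record: a pure-Python re-implementation of the outlook_creds rule above (YARA's "all of them" over a raw buffer) followed by a credential parser of the kind the rule's plugin = "outlook_parse" meta points at. The parser is an assumed design, since the plugin's own code is not on the page: once the four literals are present, it pulls login= and passwd= pairs out of the URL-encoded POST body around them, treating a login= with no following passwd= (a username-only request) as incomplete. The SAMPLE_DUMP buffer is constructed for the example and imitates a fragment of process memory with NUL padding.

```python
"""Pure-Python equivalent of the page's outlook_creds YARA rule plus an
assumed outlook_parse-style extractor (example code, not the plugin's own)."""
import re
from urllib.parse import unquote_plus

# The four literals from the YARA rule, byte-for-byte.
OUTLOOK_CREDS_STRINGS = (b"login.live.com", b"login=", b"hisScaleUnit=", b"passwd=")

# A login=/passwd= field: preceded by start-of-buffer, '&', '?', whitespace
# or a NUL (memory dumps are NUL-padded), value runs to the next such byte.
_FIELD_RE = re.compile(rb"(?:^|[&?\x00\s])(login|passwd)=([^&\s\x00]*)")

# Constructed sample: a username-only request (no passwd=) followed by the
# full credential POST. Not real captured data.
SAMPLE_DUMP = (
    b"\x00\x00GET /login.srf?login=carol%40live.com HTTP/1.1\r\n"
    b"Host: login.live.com\r\n\r\n\x00\x00"
    b"POST /ppsecure/post.srf HTTP/1.1\r\nHost: login.live.com\r\n\r\n"
    b"i13=0&login=alice%40outlook.com&loginfmt=alice%40outlook.com&type=11"
    b"&LoginOptions=3&passwd=Pa%24%24w0rd%21&ps=2&hisScaleUnit=\x00\x00"
)


def outlook_creds_match(buf: bytes) -> bool:
    """Same verdict as the rule's `condition: all of them` on this buffer."""
    return all(s in buf for s in OUTLOOK_CREDS_STRINGS)


def outlook_parse(buf: bytes) -> list[dict[str, str]]:
    """Assumed parser: one record per login= that is followed by a passwd=.

    Returns [] unless the YARA condition holds, so it only does work on
    buffers the rule would have flagged. Field values are URL-decoded.
    """
    if not outlook_creds_match(buf):
        return []
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for m in _FIELD_RE.finditer(buf):
        name = m.group(1).decode()
        value = unquote_plus(m.group(2).decode("utf-8", "replace"))
        if name == "login":
            # every login= starts a fresh record; an earlier login= that
            # never got a passwd= (e.g. the username-only page) is dropped
            current = {"login": value}
        elif "login" in current and "passwd" not in current:
            current["passwd"] = value
            records.append(current)
    return records


if __name__ == "__main__":
    print("rule matches:", outlook_creds_match(SAMPLE_DUMP))
    for rec in outlook_parse(SAMPLE_DUMP):
        print(f"{rec['login']} : {rec['passwd']}")
```

Run stand-alone it reports one complete record for the constructed POST; the username-only GET that precedes it is discarded because no passwd= follows before the next login=. Removing hisScaleUnit= from the buffer makes outlook_creds_match return False and outlook_parse return an empty list, mirroring the rule's all-four requirement.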