
A walkthrough of the AcridRain password stealer - _cacao
https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/
======
pragmatick
> The group of actors is composed of 2 sellers, and 1 developer

I'm wondering what that costs and how it works. Do you send them bitcoin or
whatever and they send you a binary, or what? How much do you pay for it? I've never
really found a proper explanation of how that stuff works, especially when you
read about 0-day exploits.

~~~
pietroglyph
The article says that there's a web interface (on the open internet) where you
can register and login. This interface allows you to download a build of the
malware (with your customer ID embedded in the binary, presumably). The
malware sends the stolen data to the server, with the customer ID, and it
shows up on that customer's dashboard for them to download. The article
doesn't say how payment works, but it's a safe bet to say that they take
cryptocurrency. It all seems quite seamless, which makes me wonder how many
customers they have, and how popular it is to set up shop stealing information
with other people's software.

~~~
laurencei
...sounds like a "SaaS for Malware"? Turn key hosted malware?

~~~
DarkStar851
More common than you think; a lot of RAT malware uses an online panel too.
Often self-hosted, but I've seen a few solutions that host it for you.

I remember some sellers were offering turnkey modified ZeuS back in the day.

------
chime
Scary about .pfx on Desktop. Working with an IT vendor on a recent Windows
software deployment, I noticed their techs kept saving .pfx, .pem/.crt etc.
files to the Desktop directly from the browser. Until I read this, I thought I was
just being paranoid about deleting these files after the techs were done.

~~~
tetha
I guess I'm paranoid, too. I've even been pondering setting up ~/pocket-dimension
as a small ramdisk.

If I store production keys or certificates on my usual ext4 filesystem, all
changes are written to the ext4 journal. Thus deleting the files technically
isn't enough - even with shred. A ramdisk would avoid this issue and would
automatically wipe itself on shutdown.

------
DarkStar851
I made basically the Chrome component of this in .NET a while ago to steal
cookies for use in another application; it was scarily easy. Just decrypt the
SQLite data with the current user session (there's a WinAPI for this, and
functions in the .NET Framework).

It took me at most 20 minutes to implement; while that was just for cookies, the
passwords would be equally trivial.

------
vadansky
> The password is encrypted using CryptProtectData so to get the plain text it
> uses the function CryptUnprotectData.

How does that work? Doesn’t it need the admin password, or are Chrome
credentials just sitting around in a really easy to decrypt format?

~~~
kevindqc
> The CryptProtectData function performs encryption on the data in a DATA_BLOB
> structure. Typically, only a user with the same logon credential as the user
> who encrypted the data can decrypt the data. In addition, the encryption and
> decryption usually must be done on the same computer. For information about
> exceptions, see Remarks.

https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptprotectdata

If you can execute code on the computer (as the user), you can decrypt the
credentials.

Scary how easy it is to steal it all :(
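To make the quoted DPAPI behaviour concrete, here is an added PowerShell example (not from the article or anyone in this thread) that round-trips a constructed secret through the .NET ProtectedData wrapper, which calls CryptProtectData / CryptUnprotectData underneath. It assumes Windows PowerShell 5.1 on Windows; the secret string and the entropy value are constructed for the demo.

```powershell
# Added example: DPAPI scope and optional entropy, via .NET's ProtectedData
# (CryptProtectData / CryptUnprotectData under the hood). Windows only.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [string]$Plaintext,
        [byte[]]$Entropy = $null,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Plaintext)
    [System.Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $Scope)
}

function Unprotect-Secret {
    param(
        [byte[]]$Blob,
        [byte[]]$Entropy = $null,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $Scope)
        [System.Text.Encoding]::UTF8.GetString($bytes)
    } catch [System.Security.Cryptography.CryptographicException] {
        "<decryption failed: $($_.Exception.Message)>"
    }
}

# Constructed sample secret; nothing here reads a browser database.
$secret = 'example-password-not-real'

# 1. CurrentUser scope, no entropy: the pattern the thread describes.
#    Any code running under this user's logon can recover the plaintext.
$blob = Protect-Secret -Plaintext $secret
"Same user, no entropy : " + (Unprotect-Secret -Blob $blob)

# 2. CurrentUser scope plus application-supplied entropy: the blob alone is
#    no longer enough; without the entropy value Unprotect throws.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('app-specific-entropy')   # constructed
$blobE = Protect-Secret -Plaintext $secret -Entropy $entropy
"Correct entropy       : " + (Unprotect-Secret -Blob $blobE -Entropy $entropy)
"Missing entropy       : " + (Unprotect-Secret -Blob $blobE)

# 3. LocalMachine scope is the weakest choice: any account on this host can
#    decrypt it, not only the user who called Protect.
$blobM = Protect-Secret -Plaintext $secret -Scope LocalMachine
"LocalMachine scope    : " + (Unprotect-Secret -Blob $blobM -Scope LocalMachine)
```

Saving a blob to disk and running Unprotect-Secret under a different local account only succeeds for the LocalMachine case, which is what the quoted documentation means by "the same logon credential".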

~~~
carterage
So... fundamentally, encrypting data on the very same machine that retains the
related keys is tantamount to simply encoding the data in plaintext form
without any real protection, yes?

~~~
buckminster
It's slightly better than that. You can't decrypt the data when the user isn't
logged in.

------
thewizardofaus
Awesome! :)

