Hacker News new | past | comments | ask | show | jobs | submit login
A walkthrough the AcridRain password stealer (stormshield.com)
77 points by _cacao 5 months ago | hide | past | web | favorite | 14 comments

> The group of actors is composed of 2 sellers, and 1 developer

I'm wondering what that costs and how it works. Do you send them bitcoin or whatever and they send you a binary or what? How much do you pay for it? Never really found a proper explanation how that stuff works, especially when you read about 0-day exploits.

The article says that there's a web interface (on the open internet) where you can register and login. This interface allows you to download a build of the malware (with your customer ID embedded in the binary, presumably). The malware sends the stolen data to the server, with the customer ID, and it shows up on that customer's dashboard for them to download. The article doesn't say how payment works, but it's a safe bet to say that they take cryptocurrency. It all seems quite seamless, which makes me wonder how many customers they have, and how popular it is to set up shop stealing information with other people's software.

...sounds like a "SaaS for Malware"? Turn key hosted malware?

More common than you think, a lot of RAT malware uses an online panel too. Often self-hosted but I've seen a few solutions that host it for you.

I remember some sellers were offering turnkey modified ZeuS back in the day.

Scary about .pfx on Desktop. Working with an IT vendor for a recent Windows software deployment, I noticed their techs kept saving .pfx, .pem/.crt etc. files to the Desktop directly from browser. Until I read this, I thought I was just being paranoid about deleting these files after the techs were done.

I guess I'm paranoid, too. I've even been pondering to setup ~/pocket-dimension as a small ramdisk.

If I store production keys or certificates on my usual ext4 filesystem, all changes are written to the ext4 journal. Thus deleting the files technically isn't enough - even with shred. A ramdisk would avoid this issue and would automatically wipe itself on shutdown.

I made basically the Chrome component of this in .NET a while ago to steal cookies for use in another application, it was scarily easy. Just decrypt the SQLite data with the current user session (there's WinAPI for this, and functions in .NET framework).

It took me at most 20 minutes to implement, while just for cookies, the passwords would be equally trivial.

>The password is encrypted using CryptProtectData so to get the plain text it uses the function CryptUnprotectData.

How does that work? Doesn’t it need the admin password, or are Chrome credentials just sitting around in a really easy to decrypt format?

> The CryptProtectData function performs encryption on the data in a DATA_BLOB structure. Typically, only a user with the same logon credential as the user who encrypted the data can decrypt the data. In addition, the encryption and decryption usually must be done on the same computer. For information about exceptions, see Remarks.


If you can execute code on the computer (as the user), you can decrypt the credentials.

Scary how easy it is to steal it all :(

So... fundamentally, encrypting data on the very same machine that retains the related keys, is tantamount to simply encoding the data in plaintext form without any real protection, yes?

It's slightly better than that. You can't decrypt the data when the user isn't logged in.

bah, if one can install a password stealing program, then he can as well install a key logger. With both of those, you become virtually transparent.

> If you can execute code on the computer (as the user), you can decrypt the credentials.

The problem is that programs gain too much privileges they do not need (yet) without consent from the user.

This kind of attack wouldn't work on Qubes OS, a well configured SELinux, or a well configured capability-based OS.

Awesome! :)

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact