Infostealers Extorting Web Browser Account Credentials Detected by AhnLab EDR – ASEC BLOG

Infostealers like AgentTesla and custom tools used by APT groups (e.g., Andariel) harvest saved web‑browser credentials by reading and decrypting browser configuration files and can run inside legitimate processes through injection. Stolen credentials are often exfiltrated via SMTP, FTP, or APIs (e.g., Telegram) and enable lateral movement; AhnLab EDR flags these behaviors with specific behavioral detections. #AgentTesla #Andariel

Keypoints

  • Infostealers target stored browser credentials from Chromium-based browsers, Firefox, IE, Opera, and Naver Whale by reading and decrypting configuration/data files.
  • AgentTesla and similar families are commonly distributed via spam and may exfiltrate data over SMTP, FTP, or Telegram API.
  • Malware authors often obfuscate or inject Infostealer code into legitimate processes (example: injection into MSBuild.exe) to evade file‑based detection.
  • APT groups (e.g., Andariel) also develop custom Infostealers that perform the same credential‑harvesting behaviors and send results via backdoors/C2 channels.
  • Stolen browser credentials are leveraged for lateral movement and persistence within victim networks, increasing overall attack impact.
  • AhnLab EDR detects suspicious credential‑access behaviors from web browsers and flags them using behavioral detections (CredentialAccess/MDP.WebBrowser.M11628, M11633).

MITRE Techniques

  • [T1555.003] Credentials from Web Browsers – Reads and decrypts browser configuration/data files to extract saved account credentials (‘Infostealers usually read data files from the path containing configuration data to find account credentials.’).
  • [T1055] Process Injection – Malware injects into legitimate processes to execute credential theft stealthily (‘AgentTesla was detected extorting account credentials … after being injected into MSBuild.exe, a normal process.’).
  • [T1566] Phishing – Distribution of Infostealers via spam email to deliver malware to targets (‘AgentTesla is an Infostealer usually distributed via spam mail.’).
  • [T1041] Exfiltration Over C2 Channel – Extracted data is sent to C2 using channels such as SMTP, FTP, or Telegram API (‘The collected data is then exfiltrated to the C&C server via SMTP, FTP, or Telegram API’).
  • [T1078] Valid Accounts – Stolen credentials are used to enable lateral movement and access within target environments (‘the data can be used for lateral movement to take control over the organization’s internal network.’).

Indicators of Compromise

  • [File/Process names] Host/process used for injection – MSBuild.exe (used as a legitimate host process for injected AgentTesla activity).
  • [Malware families] Malware samples or families observed – AgentTesla, Lokibot, SnakeKeylogger, RedLine, Andariel’s Infostealer (examples of infostealers referenced in detection and analysis).
  • [Exfiltration channels] Communication/exfiltration methods – SMTP, FTP, Telegram API (channels used to send stolen credentials to C2 servers).
  • [Affected applications] Targeted browser software – Google Chrome, Microsoft Edge, Firefox, Internet Explorer, Opera, Naver Whale (browsers from which credentials were harvested).

Infostealers operate by locating browser profile and configuration files (Chrome/Chromium-based, Edge, Firefox, IE, Opera, Naver Whale), reading the files that store saved logins, and applying the browser-specific decryption routines to recover plaintext credentials. Distribution commonly occurs via spam/phishing campaigns or trojanized installers; some operators use backdoors to retrieve command-line output, while popular families (AgentTesla, RedLine, Lokibot) also exfiltrate harvested data directly to C2 endpoints over SMTP, FTP, or messaging APIs like Telegram.

To evade detection, attackers often obfuscate payloads or inject code into legitimate Windows processes (example: MSBuild.exe) so credential‑harvesting routines run under a trusted binary. The technical behavior to monitor includes file reads of browser data stores, calls to browser crypto/decryption APIs or local OS key stores, process injection indicators, and outbound connections to mail/file transfer services or API endpoints associated with C2.

Detection should combine behavioral EDR rules that flag credential access from browsers (as AhnLab EDR does with CredentialAccess/MDP.WebBrowser.M11628 and M11633) with monitoring for process injection, unusual child processes of developer tools/legitimate binaries, and anomalous exfiltration patterns (SMTP/FTP/API). Remediation includes isolating affected hosts, collecting forensic artifacts (browser profile files, process memory, network logs), rotating exposed credentials, and applying least‑privilege and browser hardening to reduce credential exposure.
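As an added illustration of the behavioral monitoring described above (this is not AhnLab's detection logic or code from the original post), the script below runs a simple rule over constructed sample telemetry: it flags any non-browser process that reads a browser credential store such as Chrome's `Login Data` or Firefox's `logins.json`, and raises the severity when the same process then opens a connection to an SMTP/FTP port or the Telegram API host. The event format, path patterns, and the `upd.exe` process are assumptions made for the example.

```python
import re

# Credential-store file names for the browser families the post lists (Chromium-based
# browsers, Firefox). Patterns are simplified and not exhaustive.
CRED_STORE_RE = re.compile(r"(Login Data|Local State|logins\.json|key4\.db)$", re.I)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe",
                  "whale.exe", "iexplore.exe"}
# Exfiltration channels named on the page: SMTP, FTP, Telegram API.
EXFIL_PORTS = {"25", "465", "587", "21"}
EXFIL_HOSTS = {"api.telegram.org"}

# Constructed sample telemetry (not from the original post): "ts|pid|image|kind|target".
SAMPLE_EVENTS = """\
1|4100|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|file_read|C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2|5200|C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe|file_read|C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
3|5200|C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe|file_read|C:\\Users\\u\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default\\logins.json
4|5200|C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe|net_connect|203.0.113.10:587
5|6300|C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe|file_read|C:\\Users\\u\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data
6|6300|C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe|net_connect|203.0.113.20:443
"""

def parse_event(line):
    ts, pid, image, kind, target = line.split("|", 4)
    return {"ts": int(ts), "pid": pid, "image": image, "kind": kind, "target": target}

def detect(log_text):
    """Alert on non-browser processes reading browser credential stores; escalate to
    'high' when the same process then connects to an SMTP/FTP/Telegram endpoint."""
    by_pid = {}
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        st = by_pid.setdefault(ev["pid"], {"image": name, "stores": [], "exfil": []})
        if ev["kind"] == "file_read" and CRED_STORE_RE.search(ev["target"]):
            if name not in BROWSER_IMAGES:   # the browser itself is expected to read these
                st["stores"].append(ev["target"])
        elif ev["kind"] == "net_connect" and st["stores"]:
            host, _, port = ev["target"].rpartition(":")
            if port in EXFIL_PORTS or host in EXFIL_HOSTS:
                st["exfil"].append(ev["target"])
    return [{"pid": pid, "image": st["image"], "stores": len(st["stores"]),
             "severity": "high" if st["exfil"] else "medium"}
            for pid, st in by_pid.items() if st["stores"]]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data, Chrome's own read of `Login Data` is ignored, `MSBuild.exe` is reported as high severity (two store reads followed by a connection to port 587), and `upd.exe` as medium (a store read with no matching exfiltration connection).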

Read more: https://asec.ahnlab.com/en/63174/