Researchers at cybersecurity firm Sophos have documented a Qilin ransomware intrusion in which sensitive data was stolen from the Google Chrome browser. Their investigation details how the criminal group used previously compromised credentials to infiltrate the IT infrastructure of an unnamed organization.
Your Google Chrome data may be at risk!
The attackers gained access to the network using compromised credentials for a VPN portal that was not protected by multi-factor authentication (MFA). Sophos noted that the initial breach was carried out by an Initial Access Broker (IAB), who then passed the access on to the ransomware operators.
After remaining undetected for 18 days, the attackers used the compromised credentials to gain access to a domain controller. The researchers noted that the attackers also compromised other devices in the target organization’s Active Directory domain.
Qilin uses double extortion, now a classic ransomware pattern: it first exfiltrates as much data as possible, then encrypts the compromised devices and demands payment in exchange for a decryption key.
While investigating the Qilin breach, the Sophos X-Ops team discovered that the attackers were bulk-harvesting credentials stored in Google Chrome browsers on other devices in the network. Because those credentials can belong to third-party services as well, the theft threatens not only the target organization but potentially a much broader set of victims.
The researchers emphasized that this technique is unusual and could add to the confusion that already surrounds ransomware cases. Qilin was initially found to collect credentials stored in Chrome browsers on machines connected to the same network as the compromised device.
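The bulk harvesting described above has a detectable footprint: Chrome's saved credentials live in a per-profile SQLite file that only the browser itself normally reads, so a non-browser process touching that file on many hosts in a short window stands out. The following is an added detection example written for this article; it is not code from Sophos or from the Qilin report. It assumes file-access audit records (Windows Event ID 4663 style) have already been normalised to the fields shown, that the credential store sits under Chrome's default `User Data\<profile>\Login Data` path, and that the `min_hosts` and `window` thresholds are tuning assumptions. The sample records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of normalised Windows file-access
# audit events. These are illustrative; they are not from the Sophos report.
SAMPLE_EVENTS = [
    # Chrome itself reading its own store on one workstation: benign.
    {"ts": "2024-07-01T02:14:05", "host": "WS-011", "user": "CORP\\jdoe",
     "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    # The same non-browser process touching Login Data on three hosts within minutes.
    {"ts": "2024-07-01T02:20:11", "host": "WS-011", "user": "CORP\\jdoe",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"ts": "2024-07-01T02:21:40", "host": "WS-012", "user": "CORP\\asmith",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "path": "C:\\Users\\asmith\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"ts": "2024-07-01T02:23:02", "host": "WS-013", "user": "CORP\\mlee",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "path": "C:\\Users\\mlee\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\Login Data"},
    # A single host where another process reads the cookie store: suspicious, not bulk.
    {"ts": "2024-07-01T03:40:19", "host": "WS-020", "user": "CORP\\rkim",
     "process": "C:\\Windows\\explorer.exe",
     "path": "C:\\Users\\rkim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"},
    # Chrome on another host later in the day: benign.
    {"ts": "2024-07-01T09:02:44", "host": "WS-012", "user": "CORP\\asmith",
     "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "path": "C:\\Users\\asmith\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
]

# Chrome secret stores: Login Data (saved passwords), Cookies, Web Data (autofill).
# Matches any profile directory (Default, Profile 1, ...) and the Network\ subfolder
# that newer Chrome versions use for Cookies.
CHROME_SECRET_FILES = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?(Login Data|Cookies|Web Data)$",
    re.IGNORECASE,
)
BROWSER_IMAGES = {"chrome.exe"}  # processes expected to read these files


def _image(event):
    """Lower-cased executable name from a full process path."""
    return event["process"].rsplit("\\", 1)[-1].lower()


def suspicious_accesses(events):
    """Return events where a non-browser process touched a Chrome secret store."""
    return [e for e in events
            if CHROME_SECRET_FILES.search(e["path"]) and _image(e) not in BROWSER_IMAGES]


def bulk_harvest_alerts(events, window=timedelta(hours=1), min_hosts=3):
    """Alert when one process image reads Chrome secret stores on at least
    `min_hosts` distinct hosts within `window`. Thresholds are assumptions."""
    by_image = defaultdict(list)
    for e in suspicious_accesses(events):
        by_image[_image(e)].append(e)

    alerts = []
    for image, evs in by_image.items():
        evs.sort(key=lambda e: e["ts"])
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({"image": image, "hosts": sorted(hosts),
                               "first": evs[start]["ts"], "last": evs[end]["ts"]})
                break  # one alert per image is enough for triage
    return alerts


if __name__ == "__main__":
    for a in bulk_harvest_alerts(SAMPLE_EVENTS):
        print(f"bulk credential-store access: {a['image']} on {a['hosts']} "
              f"between {a['first']} and {a['last']}")
```

The single-host `explorer.exe` read is returned by `suspicious_accesses` but does not produce a bulk alert, which is the intended split: the per-host hits are worth a hunt query, while the cross-host correlation is what turns an isolated file read into a domain-wide harvesting signal. In a real deployment the host count threshold should be tuned against legitimate management tooling, and the same pattern can be applied to other browsers' credential stores by extending the regular expression.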