The attack that Sophos researchers analyzed started with Qilin gaining access to a network using compromised credentials for a VPN portal that lacked multi-factor authentication (MFA).
The breach was followed by 18 days of dormancy, suggesting the possibility of Qilin buying their way into the network from an initial access broker (IAB).
Possibly, Qilin spent time mapping the network, identifying critical assets, and conducting reconnaissance.
After the first 18 days, the attackers moved laterally to a domain controller and modified Group Policy Objects (GPOs) to execute a PowerShell script (‘IPScanner.ps1’) on all machines logged into the domain network.
The script, executed by a batch script (‘logon.bat’) that was also included in the GPO, was designed to collect credentials stored in Google Chrome.
The batch script was configured to run (and trigger the PS script) every time a user logged into their machine, while stolen credentials were saved on the ‘SYSVOL’ share under the names ‘LD’ or ‘temp.log.’
After sending the files to Qilin’s command and control (C2) server, the local copies and related event logs were wiped, to conceal the malicious activity. Eventually, Qilin deployed their ransomware payload and encrypted data on the compromised machines.
