Infostealer malware bypasses Chrome’s new cookie-theft defenses
Infostealer malware developers released updates claiming to bypass Google Chrome’s recently introduced feature App-Bound Encryption to protect sensitive data such as cookies.
App-Bound Encryption was introduced in Chrome 127 and is designed to encrypt cookies and stored passwords using a Windows service that runs with system privileges.
This model does not allow infostealer malware, which runs with the permissions of the logged user, to steal secrets stored in Chrome browser.
To bypass this protection, the malware would need system privileges or to inject code into Chrome, both noisy actions that are likely to trigger warnings from security tools, said Will Harris of the Chrome security team.
However, security researchers g0njxa and also RussianPanda9xx obseerved multiple infostealer developers boasting that they have implemented a working bypass for their tools (MeduzaStealer, Whitesnake, Lumma Stealer, Lumar (PovertyStealer), Vidar Stealer, StealC).
It appears that at least some of the claims are real, as g0njxa confirmed for BleepingComputer that the latest variant of Lumma Stealer can bypass the encryption feature in Chrome 129, the currently the most recent version of the browser.
The researcher tested the malware on a Windows 10 Pro system in a sandbox environment.
In terms of timing, Meduza, and WhiteSnake implemented their bypassing mechanisms over two weeks ago, Lumma last week, and Vidar and StealC this week.
Lumar initially responded to App-Bound Encryption by implementing a temporary solution that required launching the malware with admin rights, but followed with a bypass mechanism that works with the privileges of the logged-in user.
The developers of Lumma Stealer assured its customer that they don't need to execute the malware with admin privileges for the cookie theft to work.
How exactly the bypass of App-Bound Encryption is achieved remains undisclosed, but the authors of Rhadamanthys malware commented that it took them 10 minutes to reverse the encryption.
BleepingComputer contacted the tech giant for a comment about the malware developer's response to App-Bound Encryption in Chrome but we are still waiting for a reply.
source: BleepingComputer
Free security scan for your website
Top News:
Hackers now use AppDomain Injection to drop CobaltStrike beacons
August 24, 2024New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks
November 12, 2024Attackers are exploiting 2 zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474)
November 18, 2024CWE top 25 most dangerous software weaknesses
November 21, 2024Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor
November 21, 2024