logo

Infostealer malware bypasses Chrome’s new cookie-theft defenses

Infostealer malware bypasses Chrome’s new cookie-theft defenses

Infostealer malware developers released updates claiming to bypass Google Chrome’s recently introduced feature App-Bound Encryption to protect sensitive data such as cookies.

App-Bound Encryption was introduced in Chrome 127 and is designed to encrypt cookies and stored passwords using a Windows service that runs with system privileges.

This model does not allow infostealer malware, which runs with the permissions of the logged user, to steal secrets stored in Chrome browser.

To bypass this protection, the malware would need system privileges or to inject code into Chrome, both noisy actions that are likely to trigger warnings from security tools, said Will Harris of the Chrome security team. 

However, security researchers g0njxa and also RussianPanda9xx obseerved multiple infostealer developers boasting that they have implemented a working bypass for their tools (MeduzaStealer, Whitesnake, Lumma Stealer, Lumar (PovertyStealer), Vidar Stealer, StealC).

Whitesnake stealer grabbing cookies from Chrome 128
Whitesnake stealer grabbing cookies from Chrome 128Source: @g0njxa

It appears that at least some of the claims are real, as g0njxa confirmed for BleepingComputer that the latest variant of Lumma Stealer can bypass the encryption feature in Chrome 129, the currently the most recent version of the browser.

Extracted cookies from Chrome 129, using latest Lumma
Extracted cookies from Chrome 129, using latest LummaSource: @g0njxa

The researcher tested the malware on a Windows 10 Pro system in a sandbox environment.

In terms of timing, Meduza, and WhiteSnake implemented their bypassing mechanisms over two weeks ago, Lumma last week, and Vidar and StealC this week.

Lumar initially responded to App-Bound Encryption by implementing a temporary solution that required launching the malware with admin rights, but followed with a bypass mechanism that works with the privileges of the logged-in user.

The developers of Lumma Stealer assured its customer that they don't need to execute the malware with admin privileges for the cookie theft to work.

“Added a new method of collecting Chrome cookies. The new method does not require admin rights and/or restart, which simplifies the crypt build and reduces the chances of detection, and thus increase the knock rate.” – developers of Lumma Stealer

How exactly the bypass of App-Bound Encryption is achieved remains undisclosed, but the authors of Rhadamanthys malware commented that it took them 10 minutes to reverse the encryption.

BleepingComputer contacted the tech giant for a comment about the malware developer's response to App-Bound Encryption in Chrome but we are still waiting for a reply.

Necro Android Malware Found in Popular Camera and Browser Apps on Play Store

U.S. govt agency CMS says data breach impacted 3.1 million people

Free security scan for your website

Top News:

Truist Bank confirms breach after stolen data shows up on hacking forum

Truist Bank confirms breach after stolen data shows up on hacking forum

 June 14, 2024
Massive PSAUX ransomware attack targets 22,000 CyberPanel instances

Massive PSAUX ransomware attack targets 22,000 CyberPanel instances

 October 30, 2024
Millions of Synology NAS devices vulnerable to zero-click attacks (CVE-2024-10443)

Millions of Synology NAS devices vulnerable to zero-click attacks (CVE-2024-10443)

 November 4, 2024
Microsoft SharePoint RCE bug exploited to breach corporate network

Microsoft SharePoint RCE bug exploited to breach corporate network

 November 2, 2024
Google patches actively exploited Android vulnerability (CVE-2024-43093)

Google patches actively exploited Android vulnerability (CVE-2024-43093)

 November 5, 2024
VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware

VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware

 November 7, 2024