The developers behind popular infostealers like Vidar, Lumma, and Stealc have claimed that they can now bypass Chrome's recently introduced App-Bound Encryption, designed to protect cookies and other sensitive data.
This feature, introduced in Chrome version 127 in mid-July, was designed to encrypt cookies, limiting access to processes running with admin privileges. The update disrupted the operations of infostealers for a short time, but it seems that malware creators have adapted their tools to circumvent this security measure.
Infostealers are types of malware designed to collect sensitive data like browser cookies, passwords, and session tokens from infected computers. With Chrome's App-Bound Encryption, Google aimed to prevent such malware from accessing authentication cookies by encrypting them at the process level.
Chrome's cookies were locked behind admin-level privileges, making it difficult for malware running under standard user accounts to retrieve them. This security upgrade was a significant move to mitigate ransomware attacks and other cybercrime fueled by stolen authentication data.
However, updates shared across underground forums by infostealer developers suggest that they have found ways around this obstacle. The first project to introduce an effective bypassing mechanism was Lumma on September 12, pushing the update to all “customers” on September 18.
Vidar's 11.0 update proudly declared, “Google is defeated,” stating that they can now easily extract cookies from all user profiles in Chrome following a major overhaul of their software. The update involved adapting to recent Chrome changes, preparing for upcoming versions, and maintaining the ease of encrypting data to evade detection. Vidar is one of the more popular infostealers sold in the underground market and is often used in ransomware attack chains.
Stealc, another prominent infostealer, released version 1.10.1, highlighting similar capabilities. The malware's developers announced the addition of cookie collection for Chrome versions 128 and newer without requiring admin-rights elevation, while continuing to offer support for stealing cookies from incognito tabs.
Whack-a-mole
The infostealer market has grown rapidly in recent years, with malware developers continuously adapting to security measures introduced by software giants like Google. Google's introduction of App-Bound Encryption aimed to add an extra layer of defense, forcing malware to either inject code directly into Chrome processes or escalate privileges to gain admin access. This increased the chances of detection by security software.
When App-Bound Encryption was first introduced, Google acknowledged that the feature wouldn't be foolproof but would help detect malware more easily by making it harder to access sensitive data without raising suspicion. As more attacks rely on these techniques to infiltrate corporate networks and personal accounts, the stakes are higher than ever.
For users and organizations concerned about these announced security bypasses, there are several steps that can be taken to mitigate risks, including:
- Using multi-factor authentication (MFA): Even if session cookies are stolen, MFA can prevent unauthorized access to accounts by requiring a second verification step.
- Employing up-to-date security tools: Ensure endpoint protection solutions are regularly updated to detect the latest infostealer strains.
- Restricting admin privileges: Limit the number of users with admin-level access to reduce the chances of malware elevating privileges.
- Monitoring event logs: Chrome generates event logs for cookie decryption activities. Monitoring these logs can help detect unauthorized access attempts.
- Regularly clearing cookies and session data: Periodically deleting cookies can reduce the amount of sensitive data that infostealers can collect.
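The event-log monitoring step above is the one that gives defenders a concrete signal, so here is a worked example of what that check can look like in practice. This is an added PowerShell snippet, not code from the article, from Google, or from any vendor: it pulls recent Chrome-sourced entries from the Windows Application log, picks out the executable path named in each event message, and flags callers that are not Chrome's own binary. The event source name, the message keyword, the regex used to recover the caller path, and the expected Chrome install path are all assumptions; confirm the real source and Event IDs on a test machine with Event Viewer before relying on this in production.

```powershell
# Added example (not from the article or Google): review Chrome App-Bound
# decryption events in the Windows Application log and flag unexpected callers.
# ASSUMPTIONS (verify on a test machine before use):
#   - $ProviderName : the event source Chrome's elevation service logs under
#   - $Keyword      : text present in the relevant event messages
#   - the message body contains the full path of the requesting executable
param(
    [string]$ProviderName   = 'Chrome',       # assumed event source name
    [string]$Keyword        = 'App-Bound',    # assumed keyword in the message text
    [int]   $LookbackMinutes = 60,
    [string]$ExpectedCaller = 'C:\Program Files\Google\Chrome\Application\chrome.exe'  # assumed install path
)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# Collect recent events from the assumed provider; SilentlyContinue avoids a hard
# error when no matching events exist in the window (Get-WinEvent treats that as an error).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = $ProviderName
    StartTime    = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $Keyword }

if (-not $events) {
    Write-Output "No '$Keyword' events from source '$ProviderName' in the last $LookbackMinutes minutes."
    return
}

# Normalise each event into a small record with the caller path extracted from free text.
$records = foreach ($e in $events) {
    $caller = ([regex]::Match($e.Message, '[A-Za-z]:\\[^\r\n"]+?\.exe')).Value
    $status = if (-not $caller) {
        'UNKNOWN-CALLER'               # message did not carry a path; inspect manually
    } elseif ($caller -ine $ExpectedCaller) {
        'SUSPICIOUS'                   # something other than Chrome asked for decryption
    } else {
        'ok'
    }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Caller = $caller
        Status = $status
    }
}

# Per-caller summary first, so a burst from one unexpected binary stands out,
# then the detailed rows for anything that is not a normal Chrome request.
$records | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object @{n='Caller';e={$_.Name}}, Count | Format-Table -AutoSize

$records | Where-Object { $_.Status -ne 'ok' } | Sort-Object Time | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the endpoint (or point `Get-WinEvent` at a collector with `-ComputerName`), and tune `$ExpectedCaller` for per-user or non-default installs. The design choice worth noting is that the check keys on the caller identity rather than on event volume: a single decryption request from a binary that is not Chrome is the interesting event, which is exactly the shift toward injection or privilege escalation that the article says App-Bound Encryption was meant to force into view.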
Update: Google responded to CyberInsider's request for comment with the following statement:
We are aware of the disruption that this new defense has caused to the infostealer landscape and, as we stated in the blog, we expect this protection to cause a shift in attacker behavior to more observable techniques such as injection or memory scraping. This matches the new behavior we have seen. We continue to work with OS and AV vendors to try and more reliably detect these new types of attacks, as well as continuing to iterate on hardening defenses to improve protection against infostealers for our users.
Google spokesperson