Cyber Security News

Infostealer Malware Bypassing Chrome’s Cookie Protection to Steal Data

Multiple infostealer malware families have developed new techniques to circumvent Google Chrome’s Application-Bound Encryption security feature, which was introduced in July 2024 to protect stored cookies and user data.

This security measure, Application-Bound Encryption, shipped in July 2024 with Chrome version 127 to harden the storage of cookies on Windows systems.

Application-bound encryption was designed to address vulnerabilities in the previous Windows Data Protection API (DPAPI) encryption method. However, malware developers have quickly adapted, developing new bypass techniques to maintain their ability to steal sensitive user data.

Elastic Security Labs observed that several notorious malware families, including STEALC/VIDAR, METASTEALER, PHEMEDRONE, XENOSTEALER, and LUMMA, have implemented sophisticated bypass methods to continue stealing sensitive browser data.


These malware variants use a range of techniques, such as remote debugging, reading the memory of Chrome processes, and system token manipulation.

Infostealer Malware

STEALC/VIDAR has integrated components from the offensive security tool ChromeKatz, allowing it to scan and terminate Chrome processes before extracting unencrypted cookie values from the browser’s memory.

METASTEALER employs a different approach by impersonating the SYSTEM token and leveraging Chrome’s elevation service through COM interfaces to decrypt protected data. Despite claims of working without administrator privileges, testing has revealed that elevated access is required.

PHEMEDRONE utilizes Chrome’s remote debugging capabilities, establishing connections through the browser’s DevTools Protocol to extract cookies. The malware operates stealthily by positioning Chrome windows off-screen to avoid detection.

The emergence of these bypass techniques represents a significant challenge to browser security. While Google’s Application-Bound Encryption has successfully forced malware authors to adopt more sophisticated and more detectable methods, it hasn’t completely stopped the threat, the report notes.

Security experts recommend monitoring for several suspicious behaviors:

  • Unusual processes accessing browser cookies
  • Multiple Chrome process terminations followed by elevation service activation
  • Browser debugging from unexpected parent processes
  • Unsigned executables running from Chrome application folders
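The following Python sketch is an added illustration, not code from the report or this article: it runs three of the heuristics listed above over constructed process-event lines. The log format, the Chrome install path, the `signed` field and the trusted-parent allowlist are assumptions to be mapped onto your own EDR telemetry.

```python
from datetime import datetime, timedelta

APP = "C:\\Program Files\\Google\\Chrome\\Application"           # constructed install path
TRUSTED_PARENTS = {"explorer.exe", "chrome.exe"}                   # assumed allowlist; tune per fleet

# Constructed process events, not real telemetry: ts|action|image|parent|signed|cmdline
SAMPLE_LOG = [
    f"2024-11-01T10:00:00|start|{APP}\\chrome.exe|C:\\Windows\\explorer.exe|signed|chrome.exe",
    f"2024-11-01T10:00:10|start|{APP}\\chrome.exe|C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe|signed|"
    "chrome.exe --remote-debugging-port=9222 --window-position=-32000,-32000",
    f"2024-11-01T10:01:00|stop|{APP}\\chrome.exe|C:\\Windows\\explorer.exe|signed|",
    f"2024-11-01T10:01:01|stop|{APP}\\chrome.exe|C:\\Windows\\explorer.exe|signed|",
    f"2024-11-01T10:01:02|stop|{APP}\\chrome.exe|C:\\Windows\\explorer.exe|signed|",
    f"2024-11-01T10:01:05|start|{APP}\\127.0.0.0\\elevation_service.exe|C:\\Windows\\System32\\services.exe|signed|elevation_service.exe",
    f"2024-11-01T10:02:00|start|{APP}\\helper.exe|C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe|unsigned|helper.exe",
]

def parse(line):
    """Split one log line into a dict; 'signed' stands in for an Authenticode verdict (assumed field)."""
    ts, action, image, parent, signed, cmdline = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "action": action, "image": image,
            "parent": parent, "signed": signed == "signed", "cmdline": cmdline}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(lines, window=timedelta(seconds=30), min_kills=3):
    alerts, kill_times = [], []
    for e in (parse(l) for l in lines):
        name = basename(e["image"])
        # 1. Chrome launched with DevTools remote debugging by a parent outside the allowlist
        if (e["action"] == "start" and name == "chrome.exe"
                and "--remote-debugging-" in e["cmdline"]
                and basename(e["parent"]) not in TRUSTED_PARENTS):
            alerts.append(("remote_debugging_unexpected_parent", e["ts"], basename(e["parent"])))
        # 2. Several chrome.exe terminations shortly followed by the elevation service starting
        if e["action"] == "stop" and name == "chrome.exe":
            kill_times.append(e["ts"])
        if e["action"] == "start" and name == "elevation_service.exe":
            recent = [t for t in kill_times if timedelta(0) <= e["ts"] - t <= window]
            if len(recent) >= min_kills:
                alerts.append(("chrome_kills_then_elevation_service", e["ts"], len(recent)))
        # 3. Unsigned executable running from inside the Chrome application folder
        if e["action"] == "start" and e["image"].lower().startswith(APP.lower() + "\\") and not e["signed"]:
            alerts.append(("unsigned_in_chrome_dir", e["ts"], name))
    return alerts

if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_LOG):
        print(ts.isoformat(), rule, detail)
```

Each alert is a (rule, timestamp, detail) tuple; the window and termination threshold are starting points to baseline against normal Chrome restarts and updater activity in your environment.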

The security community is actively tracking these developments. Researchers note that while these new techniques may succeed, they generate more detectable patterns that security tools can identify.

Organizations are advised to maintain robust endpoint monitoring and security instrumentation to detect these evolving threats.

The ongoing battle between security measures and malware developers highlights the need for continuous innovation in browser security.

While Google’s protection mechanisms have raised the bar for attackers, the rapid adaptation of malware families demonstrates the persistent nature of this security challenge.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
