Description
Security researchers have identified a new information-stealing malware known as VoidStealer, which uses a novel technique to bypass browser security protections and extract sensitive data from Chromium-based browsers.
The malware targets the master encryption key used by browsers to protect sensitive data such as cookies, login credentials, and session tokens. By stealing this key, attackers can decrypt and access stored browser secrets.
VoidStealer bypasses a security feature called Application-Bound Encryption (ABE) introduced in Google Chrome in 2024 to protect browser data. Researchers note that this is the first time an infostealer has been observed using a debugger-based technique in real-world attacks to defeat this protection mechanism.
Attack Details
VoidStealer uses advanced debugging techniques to retrieve encryption keys directly from browser memory during runtime.
Key characteristics include:
- Targeted browsers: The malware targets Chromium-based browsers such as Google Chrome and Microsoft Edge.
- ABE security bypass: Chrome’s Application-Bound Encryption keeps the master key encrypted on disk and only decrypts it briefly in memory during browser operations.
- Debugger-based extraction: VoidStealer attaches itself to the browser process as a debugger and sets hardware breakpoints to capture the encryption key when it briefly appears in plaintext during decryption operations.
- Stealthy execution: The technique does not require privilege escalation or code injection, making it more difficult for traditional security tools to detect.
- Browser startup exploitation: The malware waits for the browser to decrypt protected data (such as cookies) during startup, then reads the memory location containing the master key using debugging functions.
- Malware-as-a-Service (MaaS): VoidStealer is reportedly marketed on cybercrime forums and actively developed, with new versions introducing improved techniques for bypassing browser security mechanisms.
Once attackers obtain the master key, they can decrypt stored browser data, enabling credential theft, session hijacking, and unauthorized access to online services.
Remediation
Organizations and users should implement the following security measures to mitigate risks associated with information-stealing malware:
- Maintain updated browsers: Ensure Google Chrome, Microsoft Edge, and other browsers are updated with the latest security patches.
- Endpoint protection: Deploy endpoint detection and response (EDR) solutions capable of detecting suspicious debugging activity or unauthorized memory access to browser processes.
- Monitor process activity: Detect unusual debugger attachments or suspicious interactions with browser processes such as chrome.exe or msedge.exe.
- Restrict unauthorized software: Implement application allow-listing policies to prevent untrusted software from executing on enterprise systems.
- Credential hygiene: Encourage users to avoid storing sensitive credentials in browsers where possible and use secure password managers instead.
- User awareness: Educate users about malware delivered through phishing emails, malicious downloads, and fake software installers.
- Incident response: If infection is suspected, isolate affected systems, reset compromised credentials, clear browser stored data, and conduct a full malware scan.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: VoidStealer Malware Steals Chrome Master Key via Debugger Trick
References