VoidStealer, a new information stealer-as-a-service, has introduced a novel technique to bypass Google Chrome's Application-Bound Encryption (ABE). Using hardware breakpoints, the malware extracts the plaintext v20_master_key directly from the browser's memory during startup. This approach lets threat actors decrypt sensitive data such as cookies and credentials without administrative privileges and without complex code injection.
Researchers at Gen Digital discovered that the malware attaches itself as a debugger to a suspended browser process and monitors for specific instructions in the browser's DLL files. This mechanism appears to be adapted from an open-source project called ElevationKatz. Despite Google's efforts to harden browser security with the release of Chrome 127, VoidStealer demonstrates the continuing evolution of infostealers in bypassing modern cryptographic protections.