Forem

Mark0

VoidStealer malware steals Chrome master key via debugger trick

VoidStealer, a Malware-as-a-Service (MaaS) platform, has introduced a novel technique to bypass Google Chrome's Application-Bound Encryption (ABE). Using hardware breakpoints and a debugger-based approach, the malware extracts the v20_master_key directly from browser memory during the decryption process. This lets the stealer access sensitive data such as cookies without privilege escalation or code injection.

Researchers from Gen Digital identified VoidStealer as the first infostealer in the wild to adopt this specific mechanism. The technique targets the brief window during browser startup when the master key is decrypted into plaintext. The bypass appears to be an adaptation of the open-source tool ElevationKatz, highlighting how threat actors are increasingly weaponizing research tools to circumvent modern browser security enhancements.
