Infostealer malware developers have released updates claiming to bypass Google Chrome’s recently introduced feature, App-Bound Encryption, which protects sensitive data like cookies and stored passwords. This encryption was introduced in Chrome 127 and runs with system privileges.
To bypass this protection, the malware would either need system privileges or have to inject code into Chrome, both noisy actions that are likely to trigger alerts from security tools, said Will Harris of the Chrome security team.
However, security researchers g0njxa and RussianPanda9xx observed multiple infostealer developers boasting that they have implemented a working bypass for their tools. At least some of these claims appear to be real, as g0njxa confirmed that the latest variant of Lumma Stealer can bypass the encryption feature in Chrome 129.
The researchers tested the malware on a Windows 10 Pro system in a sandbox environment. The developers of Meduza and WhiteSnake implemented their bypassing mechanisms over two weeks ago, while Lumma did so last week, and Vidar and StealC this week.
Lumar initially responded to App-Bound Encryption with a temporary solution that required launching the malware with admin rights, but followed up with a bypass mechanism that works with the privileges of the logged-in user. The authors of the Rhadamanthys malware commented that it took them 10 minutes to reverse the encryption.
A Google spokesperson stated, “We are aware of the disruption this new defense has caused to the infostealer landscape and expect this protection to cause a shift in attacker behavior to more observable techniques like injection or memory scraping. This matches the new behavior we have seen.”
Source: https://www.bleepingcomputer.com/news/security/infostealer-malware-bypasses-chromes-new-cookie-theft-defenses/