Google Chrome Introduces Application-Bound Encryption for Security

Quick take - Google Chrome version 127 introduced application-bound encryption (ABE) to defend against credential access attacks that target cookies. Malware developers have already begun adapting their techniques to circumvent the feature, so organizations should update their browsers and audit their settings to keep protection against cookie theft in place.

Fast Facts

  • Google Chrome version 127 introduces application-bound encryption (ABE) to protect against credential access attacks targeting cookies.
  • ABE verifies that the application accessing cookies is Google Chrome itself, preventing malicious software from stealing sensitive information.
  • Malware developers have adapted by creating techniques to bypass ABE, including remote debugging and memory dumping.
  • Notable malware families like Stealc, Vidar, and Meduza have been observed using these methods to circumvent ABE.
  • Organizations are advised to update browsers and audit settings to ensure ABE is enabled, enhancing defenses against cookie theft.

Google Chrome Version 127 Introduces Application-Bound Encryption

New Security Feature

Google Chrome version 127 has introduced a significant security feature known as application-bound encryption (ABE). This feature is aimed at protecting users from credential access attacks targeting cookies. ABE functions by verifying that the application attempting to access cookies is indeed Google Chrome, which prevents malicious software from stealing sensitive information. Notably, this feature is not exclusive to Google Chrome; it has been implemented across the broader Chromium browser ecosystem, including other browsers such as Microsoft Edge.

Malware Adaptation

The introduction of ABE has prompted malware developers to adapt, creating new methods to circumvent this security enhancement. Several malware families have already developed techniques to bypass ABE, including Stealc, Vidar, LummaC2, and Meduza. One method employed by some malware is remote debugging, which involves spawning a new instance of a Chromium browser using specific command-line flags designed for cookie recovery. This technique lets adversaries keep the new browser window hidden from the user, although the spawned process gives endpoint sensors a potential detection opportunity. Notable malware using this technique includes Remcos RAT and Cryptbot, with Cryptbot passing a distinctive flag to the Windows CreateProcess API to improve its stealth.

Evolving Threat Landscape

Another prevalent method involves dumping cookies from memory, which entails reading the memory space of a running Chromium browser to retrieve cookies. This approach has been confirmed in some versions of Stealc, Vidar, and Lumma and is particularly challenging to detect because it generates no telemetry visible to endpoint sensors. Successfully executing this technique requires precise knowledge of memory offsets, which can differ between Chromium versions. Additionally, malware such as Stealc and Vidar has experimented with remote debugging alongside other methods.

Other techniques, such as COM manipulation and path verification, allow stealers to access Chromium cookies by interfacing with the elevated Chromium service. Research has indicated that Metastealer samples exhibit this behavior, and Meduza Stealer may also leverage similar methods against newer versions of Chromium. Some malware has been reported to take a policy-based approach, disabling application-bound encryption by modifying Windows Registry keys; this requires administrator-level privileges and affects all users on the system.

Google Chrome and Microsoft Edge versions released after v127 have ABE enabled by default. In light of these evolving malware techniques, organizations are advised to update their web browsers to the latest versions to bolster their defenses against cookie theft. Settings can be audited for a disabled ABE by querying the relevant registry keys. If those registry values show that ABE is enabled, it provides an additional layer of security against potential cookie theft.
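The audit described above, as an added PowerShell example that is not part of the original article or the report it summarizes. It assumes the policy value name ApplicationBoundEncryptionEnabled under each browser's machine-wide policy key and the default install paths; both are assumptions to adjust for your environment.

```powershell
# Added audit script; not from the original article or the report it summarizes.
# Assumed (not stated on the page): the policy value name
# ApplicationBoundEncryptionEnabled under each browser's HKLM policy key,
# and the default install paths. Adjust both for your environment.
$PolicyName = 'ApplicationBoundEncryptionEnabled'

$Browsers = @(
    @{ Name   = 'Google Chrome'
       Policy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
       Exe    = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe" },
    @{ Name   = 'Microsoft Edge'
       Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
       Exe    = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe" }
)

function Get-AbeStatus {
    param([string]$Name, [string]$PolicyPath, [string]$ExePath)

    # Installed version: ABE only exists from v127 onward.
    $major = $null
    if (Test-Path -LiteralPath $ExePath) {
        $ver   = (Get-Item -LiteralPath $ExePath).VersionInfo.ProductVersion
        $major = [int]($ver.Split('.')[0])
    }

    # Policy value: absent means the built-in default (enabled); 0 means an
    # administrator, or malware running with admin rights, disabled it machine-wide.
    $policy = $null
    if (Test-Path -LiteralPath $PolicyPath) {
        $policy = (Get-ItemProperty -LiteralPath $PolicyPath -Name $PolicyName `
                   -ErrorAction SilentlyContinue).$PolicyName
    }

    if ($null -eq $major)   { $status = 'not installed' }
    elseif ($major -lt 127) { $status = "v$major predates ABE: update required" }
    elseif ($policy -eq 0)  { $status = 'ABE DISABLED by policy: investigate' }
    else                    { $status = 'ABE enabled (default or policy)' }

    [pscustomobject]@{ Browser = $Name; Major = $major; PolicyValue = $policy; Status = $status }
}

foreach ($b in $Browsers) { Get-AbeStatus -Name $b.Name -PolicyPath $b.Policy -ExePath $b.Exe }
```

A row reporting "ABE DISABLED by policy" on a host where no administrator set that policy is the registry modification the article describes and warrants investigation of who wrote the value.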

While the emergence of new malware techniques capable of bypassing application-bound encryption presents challenges, it does not diminish existing detection capabilities for known stealing malware. Organizations and users must remain vigilant and proactive in updating their security measures to safeguard their online credentials.

Original Source: Read the Full Article Here
