Malpedia • 1w
Lumma Stealer: Bypassing Google Chrome App-Bound Encryption for Crypto Theft
Lumma Stealer has evolved its execution chain to bypass Google Chrome's App-Bound Encryption (ABE) by moving from offline file decryption to "living-off-the-browser" techniques. By using Asynchronous Procedure Call (APC) injection and Remote Thread Injection into chrome.exe, or by leveraging malicious Chrome extensions, the malware forces the legitimate browser process to decrypt sensitive data using its own internal APIs. This allows attackers to exfiltrate session cookies and non-custodial cryptocurrency wallet seeds, effectively neutralizing ABE and enabling MFA bypass via session hijacking. Delivery relies on SEO poisoning and malvertising; impact is concentrated on high-value digital assets and corporate account access.
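As an added illustration of how a defender can spot the remote-thread-injection step described above (example code written for this summary, not Malpedia's or the malware's own), the following flags Sysmon-style CreateRemoteThread (Event ID 8) records whose target process is chrome.exe but whose source is a different image. The sample records and the allow-list of benign sources are constructed assumptions.

```python
# Flag cross-process thread creation into chrome.exe over constructed
# Sysmon-style Event ID 8 (CreateRemoteThread) records.
from dataclasses import dataclass

BROWSER = "chrome.exe"
CHROME_PATH = r"C:\Program Files\Google\Chrome\Application\chrome.exe"


@dataclass
class RemoteThreadEvent:
    source_image: str   # Sysmon "SourceImage": process that created the thread
    target_image: str   # Sysmon "TargetImage": process the thread was created in
    start_function: str  # Sysmon "StartFunction"; empty when unresolved


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    RemoteThreadEvent(CHROME_PATH, CHROME_PATH, ""),
    RemoteThreadEvent(r"C:\Users\user\AppData\Local\Temp\setup.exe",
                      CHROME_PATH, "LoadLibraryW"),
    RemoteThreadEvent(r"C:\Windows\System32\csrss.exe", CHROME_PATH, ""),
    RemoteThreadEvent(r"C:\Users\user\Downloads\tool.exe",
                      r"C:\Windows\System32\notepad.exe", ""),
]

# Assumed allow-list: sources that create threads in other processes as part
# of normal Windows operation. Build this from your own baseline.
BENIGN_SOURCES = {r"c:\windows\system32\csrss.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(ev: RemoteThreadEvent) -> bool:
    """True when a non-Chrome, non-allow-listed image creates a thread in chrome.exe."""
    if basename(ev.target_image) != BROWSER:
        return False
    if basename(ev.source_image) == BROWSER:
        return False  # Chrome managing its own process tree
    return ev.source_image.lower() not in BENIGN_SOURCES


def find_suspicious(events):
    return [ev for ev in events if is_suspicious(ev)]


if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {ev.source_image} -> {ev.target_image} ({ev.start_function or '?'})")
```

Pair this with the page's other listed vector, APC injection, which Sysmon does not log directly; a kernel-level EDR sensor or process-hollowing heuristics are needed there.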