Lumma Stealer has evolved its execution chain to bypass Google Chrome's App-Bound Encryption (ABE) by transitioning from offline file decryption to "living-off-the-browser" techniques. By utilizing Asynchronous Procedure Call (APC) and Remote Thread Injection into chrome.exe, or leveraging malicious Chrome extensions, the malware forces the legitimate browser process to decrypt sensitive data using its own internal APIs. This allows attackers to exfiltrate session cookies and non-custodial cryptocurrency wallet seeds, effectively neutralizing ABE and enabling MFA bypass via session hijacking. Impact is concentrated on high-value digital assets and corporate account access via SEO poisoning and malvertising delivery vectors.
Attack Vector & Delivery Mechanics
- Utilizes high-velocity SEO poisoning and malvertising campaigns to distribute initial payloads to unsuspecting users.
- Employs dynamic C2 domain generation algorithms (DGA) to evade network-level detection and static blocklists.
- Leverages standard HTTP/HTTPS protocols for the stealthy exfiltration of stolen browser data to attacker-controlled infrastructure.
Bypass Mechanics: Defeating App-Bound Encryption
- Shifts from static decryption of the 'Local State' file to dynamic process injection to circumvent ABE boundaries.
- Implements APC and Remote Thread Injection to execute malicious code within the trusted context of the chrome.exe process.
- Abuses internal Chrome decryption APIs, forcing the browser to perform the decryption of secrets on the malware's behalf.
Targeted Assets & Impact
- Extracts session tokens from Cookies and Login Data databases, enabling account takeover and bypassing Multi-Factor Authentication (MFA).
- Targets the local storage of cryptocurrency wallet extensions, specifically aiming for MetaMask seeds and private keys.
- Results in direct financial loss through the automated draining of non-custodial digital wallets.
Threat Actor Profile & Evolution
- Operates as a 'Stealer-as-a-Service' (SaaS) model, providing high-efficiency tools to a wide network of affiliates.
- Demonstrates rapid technical agility, updating its codebase almost immediately following the release of browser security patches.
- Focuses on high-value targets by integrating adaptive evasion techniques to maintain viability against modern EDR and OS protections.
Defensive Considerations & Mitigation
- Monitor for unauthorized remote thread injection and anomalous APC calls targeting the chrome.exe process.
- Implement strict endpoint detection and response (EDR) rules to flag unusual behavior within browser child processes.
- Audit installed Chrome extensions for unauthorized manifests, excessive permissions, or unsigned origins.
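As a worked detection example for the injection indicators listed above (added here, not part of the original post), the following Python triages Sysmon CreateRemoteThread (Event ID 8) and ProcessAccess (Event ID 10) records for a non-Chrome process reaching into chrome.exe. The log lines are constructed samples in a simplified `Key: value` rendering rather than raw Sysmon XML, and the allowlisted source path and the access-mask threshold are assumptions a real deployment would tune.

```python
"""Triage Sysmon ID 8 (CreateRemoteThread) and ID 10 (ProcessAccess) records
for a foreign process reaching into chrome.exe, the injection pattern the post
describes. Added example; the records below are constructed, not real telemetry."""
import ntpath

PROCESS_CREATE_THREAD = 0x0002   # rights an injector needs on the target process
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE

# Assumed allowlist: Windows components that legitimately create remote threads.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

SAMPLE_LOG = """\
EventID: 8 | SourceImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | TargetImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | StartFunction: -
EventID: 8 | SourceImage: C:\\Windows\\System32\\csrss.exe | TargetImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | StartFunction: -
EventID: 10 | SourceImage: C:\\Users\\alice\\AppData\\Local\\Temp\\setup_x64.exe | TargetImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | GrantedAccess: 0x1FFFFF
EventID: 8 | SourceImage: C:\\Users\\alice\\AppData\\Local\\Temp\\setup_x64.exe | TargetImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | StartFunction: LoadLibraryW
EventID: 10 | SourceImage: C:\\Program Files\\SomeEDR\\sensor.exe | TargetImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | GrantedAccess: 0x1000
"""

def parse_record(line: str) -> dict:
    """Split 'Key: value | Key: value' into a dict (first ': ' separates key)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def is_chrome(image: str) -> bool:
    return ntpath.basename(image).lower() == "chrome.exe"

def triage(log_text: str) -> list:
    """Return (event_id, source_image, reason) for each record where a
    non-Chrome, non-allowlisted process touches chrome.exe in an injection-like way."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        src, tgt = rec.get("SourceImage", ""), rec.get("TargetImage", "")
        if not is_chrome(tgt) or is_chrome(src) or src.lower() in ALLOWED_SOURCES:
            continue  # Chrome's own threads and known Windows components are expected
        eid = rec.get("EventID")
        if eid == "8":
            findings.append((8, src, f"remote thread in chrome.exe, start={rec.get('StartFunction')}"))
        elif eid == "10":
            access = int(rec.get("GrantedAccess", "0"), 16)
            if access & INJECT_MASK == INJECT_MASK:  # needs both VM_WRITE and CREATE_THREAD
                findings.append((10, src, f"handle to chrome.exe with write+thread rights 0x{access:X}"))
    return findings
```

On the sample data this flags only the two events sourced from the Temp-directory executable; the EDR sensor's query-only handle (0x1000) and csrss.exe's thread creation are suppressed.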