
Lumma Stealer has evolved its execution chain to bypass Google Chrome's App-Bound Encryption (ABE) by moving from offline file decryption to "living-off-the-browser" techniques. By using Asynchronous Procedure Call (APC) and Remote Thread Injection into chrome.exe, or by leveraging malicious Chrome extensions, the malware forces the legitimate browser process to decrypt sensitive data using its own internal APIs. This lets attackers exfiltrate session cookies and non-custodial cryptocurrency wallet seeds, effectively neutralizing ABE and enabling MFA bypass through session hijacking. Impact concentrates on high-value digital assets and corporate account access, with delivery via SEO poisoning and malvertising.

  • Attack Vector & Delivery Mechanics

    • Utilizes high-velocity SEO poisoning and malvertising campaigns to distribute initial payloads to unsuspecting users.
    • Employs dynamic C2 domain generation algorithms (DGA) to evade network-level detection and static blocklists.
    • Leverages standard HTTP/HTTPS protocols for the stealthy exfiltration of stolen browser data to attacker-controlled infrastructure.
  • Bypass Mechanics: Defeating App-Bound Encryption

    • Shifts from static decryption of the 'Local State' file to dynamic process injection to circumvent ABE boundaries.
    • Implements APC and Remote Thread Injection to execute malicious code within the trusted context of the chrome.exe process.
    • Abuses internal Chrome decryption APIs, forcing the browser to perform the decryption of secrets on the malware's behalf.
  • Targeted Assets & Impact

    • Extracts session tokens from Cookies and Login Data databases, enabling account takeover and bypassing Multi-Factor Authentication (MFA).
    • Targets the local storage of cryptocurrency wallet extensions, specifically aiming for MetaMask seeds and private keys.
    • Results in direct financial loss through the automated draining of non-custodial digital wallets.
  • Threat Actor Profile & Evolution

    • Operates as a 'Stealer-as-a-Service' (SaaS) model, providing high-efficiency tools to a wide network of affiliates.
    • Demonstrates rapid technical agility, updating its codebase almost immediately following the release of browser security patches.
    • Focuses on high-value targets by integrating adaptive evasion techniques to maintain viability against modern EDR and OS protections.
  • Defensive Considerations & Mitigation

    • Monitor for unauthorized remote thread injection and anomalous APC calls targeting the chrome.exe process.
    • Implement strict endpoint detection and response (EDR) rules to flag unusual behavior within browser child processes.
    • Audit installed Chrome extensions for unauthorized manifests, excessive permissions, or unsigned origins.
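The first defensive bullet above asks for monitoring of remote thread creation into chrome.exe. The Python below is an added example written for this briefing, not code from the briefing or from any of the sources it lists: it reads Sysmon Event ID 8 (CreateRemoteThread) records exported as one JSON object per line and flags threads created in chrome.exe either from a source image other than Chrome itself or with a start address that Sysmon could not attribute to any loaded module. The sample records and the allowlist are constructed and are assumptions to tune per environment (EDR agents and accessibility tooling will also create threads in the browser). Sysmon has no event for APC queuing, so the APC half of that bullet still relies on EDR kernel telemetry.

```python
"""Hunt for suspicious remote threads created in chrome.exe using Sysmon
Event ID 8 (CreateRemoteThread) records exported as JSON lines.

Added example for this briefing; the records and allowlist below are constructed.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Images that legitimately create threads in chrome.exe. Constructed allowlist;
# extend it with your EDR agent and accessibility tooling after baselining.
EXPECTED_SOURCE_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
}


@dataclass
class Finding:
    utc_time: str
    source_image: str
    target_image: str
    reason: str


def _norm(path: str) -> str:
    return path.strip().lower()


def analyze_event(ev: dict) -> Optional[Finding]:
    """Return a Finding when an Event ID 8 record targets chrome.exe from an
    unexpected source or with a thread start address not backed by a module."""
    if str(ev.get("EventID", "")) != "8":
        return None
    target = _norm(ev.get("TargetImage", ""))
    if not target.endswith("\\chrome.exe"):
        return None
    source = _norm(ev.get("SourceImage", ""))
    reasons = []
    if source not in EXPECTED_SOURCE_IMAGES:
        reasons.append(f"unexpected source image {source}")
    # Sysmon leaves StartModule empty when StartAddress is not inside any loaded
    # module, which is typical of injected code.
    if not ev.get("StartModule", "").strip():
        reasons.append("thread start address is not backed by a loaded module")
    if not reasons:
        return None
    return Finding(ev.get("UtcTime", ""), source, target, "; ".join(reasons))


def analyze_log(lines: Iterable[str]) -> List[Finding]:
    """Parse one JSON object per line and collect findings; malformed lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = analyze_event(ev)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    json.dumps({"EventID": 8, "UtcTime": "2024-01-01 10:00:00.000",
                "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "StartModule": r"C:\Windows\System32\ntdll.dll",
                "StartFunction": "RtlUserThreadStart"}),
    json.dumps({"EventID": 8, "UtcTime": "2024-01-01 10:00:05.000",
                "SourceImage": r"C:\Users\user\AppData\Local\Temp\setup.exe",
                "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "StartAddress": "0x000001F3A1B20000", "StartModule": "",
                "StartFunction": ""}),
    json.dumps({"EventID": 1, "UtcTime": "2024-01-01 10:00:06.000",
                "Image": r"C:\Users\user\AppData\Local\Temp\setup.exe"}),
    json.dumps({"EventID": 8, "UtcTime": "2024-01-01 10:00:07.000",
                "SourceImage": r"C:\Windows\explorer.exe",
                "TargetImage": r"C:\Windows\System32\notepad.exe",
                "StartModule": ""}),
    "this line is not JSON",
]


def run_sample() -> List[Finding]:
    return analyze_log(SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.utc_time} {f.source_image} -> {f.target_image}: {f.reason}")
```

Only the second constructed record is reported, with both reasons attached; the allowlist check alone would also fire on a legitimate EDR agent, which is why the unbacked-start-address signal is kept as a separate, higher-confidence reason rather than folded into one rule.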
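The last bullet asks for an audit of installed Chrome extensions for excessive permissions and unsigned origins. The Python below is an added example written for this briefing, not code from the briefing or its sources: it scores a manifest.json on permissions that let an extension read cookies or page contents (the access a cookie-stealing extension needs), flags the cookies-plus-all-hosts combination specifically, and treats the absence of the Chrome Web Store update_url as a sign the extension was sideloaded or force-installed. The manifests below are constructed; the on-disk walker assumes the default Windows profile layout under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`, and the permission list is an assumption to adjust for your environment.

```python
"""Audit Chrome extension manifests for permissions that let an extension read
session cookies or page contents, and for signs of sideloading.

Added example for this briefing; the sample manifests are constructed.
"""
import json
import os
from typing import Dict, List

# Permissions worth a second look on an unmanaged endpoint. Constructed list.
HIGH_RISK_PERMISSIONS = {
    "cookies": "read and modify cookies on every granted host",
    "webRequest": "observe and modify network requests",
    "debugger": "attach the DevTools protocol to tabs",
    "nativeMessaging": "launch and exchange messages with a native host binary",
    "scripting": "inject scripts into pages",
    "tabs": "enumerate URLs and titles of open tabs",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Extensions installed from the Chrome Web Store carry this update_url.
STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def audit_manifest(manifest: dict) -> List[str]:
    """Return human-readable findings for one parsed manifest.json."""
    findings: List[str] = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixes host patterns into "permissions"; pull them out too.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for p in sorted(perms & set(HIGH_RISK_PERMISSIONS)):
        findings.append(f"permission '{p}': {HIGH_RISK_PERMISSIONS[p]}")
    broad = hosts & BROAD_HOST_PATTERNS
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    if "cookies" in perms and broad:
        findings.append("HIGH: cookies plus all-host access can read session cookies for every site")
    if manifest.get("update_url") != STORE_UPDATE_URL:
        findings.append("no Chrome Web Store update_url: likely sideloaded or force-installed")
    return findings


def audit_extensions_dir(extensions_dir: str) -> Dict[str, List[str]]:
    """Walk <Extensions>/<id>/<version>/manifest.json and audit each manifest."""
    results: Dict[str, List[str]] = {}
    if not os.path.isdir(extensions_dir):
        return results
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            manifest_path = os.path.join(ext_path, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8-sig") as fh:
                results[f"{ext_id}/{version}"] = audit_manifest(json.load(fh))
    return results


# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = {
    "store_benign": {"manifest_version": 3, "name": "Notes",
                     "permissions": ["storage"], "update_url": STORE_UPDATE_URL},
    "store_mv2_cookies": {"manifest_version": 2, "name": "Helper",
                          "permissions": ["cookies", "https://*/*"],
                          "update_url": STORE_UPDATE_URL},
    "sideloaded_cookie_reader": {"manifest_version": 3, "name": "Sample Ext",
                                 "permissions": ["cookies", "tabs"],
                                 "host_permissions": ["<all_urls>"]},
}


def run_sample() -> Dict[str, List[str]]:
    return {name: audit_manifest(m) for name, m in SAMPLE_MANIFESTS.items()}


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(name, "->", findings or "no findings")
    default_dir = os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome",
                               "User Data", "Default", "Extensions")
    for key, findings in audit_extensions_dir(default_dir).items():
        print(key, "->", findings or "no findings")
```

The store-installed MV2 sample still trips the cookies-plus-broad-host rule, which is the point: an extension's origin does not make that permission pair safe, so the audit reports both the provenance signal and the capability signal and lets the reviewer weigh them.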
