Infostealers shrug off Chrome's new protection: bypassing ABE is just a matter of technique

The new security measure has proven powerless against the current generation of malware.

In July 2024 Google shipped a new protection in Chrome 127, called App-Bound Encryption (ABE), to stop the theft of cookies and saved login data; Microsoft Edge carries an equivalent. Where the key that protects the cookie database was previously wrapped only with DPAPI, which any process running as the same Windows user can unwrap, ABE binds it to the browser so that only Chrome itself, through a SYSTEM-level elevation service, can recover it. Cybercriminals nevertheless found ways around it quickly, which led to a new wave of malware activity, as recently reported by Red Canary experts.

Several popular infostealers, among them Stealc, Vidar, LummaC2, and Meduza, have already adapted to the change. The main tactic is to launch the victim's browser with Chromium's remote-debugging startup switches (--remote-debugging-port or --remote-debugging-pipe), usually headless or with the window pushed off-screen so that nothing appears on the desktop, and then pull the cookies out over the DevTools protocol (for example with Network.getAllCookies). The browser decrypts the data itself, so ABE is never challenged and the theft goes unnoticed by the user. Newer versions of Remcos and Cryptbot use the same method.

Another approach works on the memory of the running browser process. Using the ChromeKatz tool, attackers dump the browser's memory and carve the already-decrypted cookies out of its in-memory cookie store. This leaves nothing on disk for antivirus to scan, but it relies on matching the exact layout of Chromium's internal structures, so it breaks whenever a Chromium update shifts them.

A third route is the browser's COM interface. The Chrome elevation service that decrypts the ABE key on the browser's behalf checks that the calling executable lives in Chrome's installation directory before it will do so. Some malware, such as Metastealer, drops its files into that same directory to pass the check and then asks the service to decrypt the key for it; writing to the Chrome install directory normally requires administrator rights, so this is not a bypass for a low-privileged stealer.

Attackers also found a way to switch ABE off through the Windows registry. Setting the enterprise policy value ApplicationBoundEncryptionEnabled to 0 under the browser's policy key in HKLM makes the browser fall back to the older DPAPI-only protection for every user on the device. This requires administrator privileges, but judging by the samples found on VirusTotal, the approach is already in active use.

Although the much-advertised protection has held up poorly against attackers, security experts still recommend updating browsers to the latest versions, since newer builds include fixes that shut down the older attack methods.

In addition, disabling App-Bound Encryption through policy can be spotted in the registry with the following commands, depending on the browser in use:
  • reg.exe query HKLM\Software\Policies\Google\Chrome /v ApplicationBoundEncryptionEnabled
  • reg.exe query HKLM\Software\Policies\Microsoft\Edge /v ApplicationBoundEncryptionEnabled

A value of 0 means the protection has been turned off. If the query reports that the value does not exist, no policy is set and the browser's default (ABE enabled) applies; a value of 1 enables it explicitly.
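As an added example (not part of the original post or of Red Canary's material), the following Python script turns the indicators above into detection logic run over Sysmon-style events: a browser started with remote-debugging switches (Event ID 1, process creation) and the ApplicationBoundEncryptionEnabled policy written as 0, either directly (Event ID 13, registry value set) or through reg.exe. The event records, file paths and the list of watched browser image names are constructed for this example.

```python
"""Detection logic for the ABE bypasses described above, run over Sysmon-style events.

Event ID 1  (process creation): Image, CommandLine
Event ID 13 (registry value set): Image, TargetObject, Details
All sample records below are constructed for this example, not real captures.
"""
import re
from typing import Iterable

# Assumption: Chromium-based browser image names worth watching on a Windows host.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}
# Switches that hand another process control of the browser over the DevTools protocol.
DEBUG_SWITCHES = {"remote-debugging-port", "remote-debugging-pipe"}
# Switches stealers use to keep the debug-controlled browser off the user's screen.
HIDING_SWITCHES = {"headless", "window-position"}

SWITCH_RE = re.compile(r'--([a-z0-9-]+)(?:=("[^"]*"|\S*))?', re.I)
# The policy value that turns ABE off, under the Chrome or Edge policy key (any case).
ABE_POLICY_RE = re.compile(
    r"\\Software\\Policies\\(?:Google\\Chrome|Microsoft\\Edge)\\ApplicationBoundEncryptionEnabled$",
    re.I,
)
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.I)  # Sysmon's rendering of a REG_DWORD
REG_ADD_RE = re.compile(r"\badd\b.*ApplicationBoundEncryptionEnabled.*\s/d\s+0+(?:\s|$)", re.I)


def parse_switches(cmdline: str) -> dict:
    """Map every --switch[=value] in a Chromium command line to its value (None if bare)."""
    return {m.group(1).lower(): (m.group(2).strip('"') if m.group(2) else None)
            for m in SWITCH_RE.finditer(cmdline)}


def check_process(event: dict) -> list:
    """Event ID 1: browser launched under remote debugging, or reg.exe turning ABE off."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    if image in BROWSER_IMAGES:
        sw = parse_switches(cmdline)
        debug = sorted(DEBUG_SWITCHES.intersection(sw))
        if not debug:
            return []
        detail = f"{image} started with {', '.join('--' + s for s in debug)}"
        hiding = sorted(HIDING_SWITCHES.intersection(sw))
        if hiding:
            detail += "; hidden via " + ", ".join("--" + s for s in hiding)
        if sw.get("user-data-dir"):
            detail += f"; profile {sw['user-data-dir']}"  # whose cookies are being exposed
        return [("abe_bypass.remote_debugging", detail)]
    if image == "reg.exe" and REG_ADD_RE.search(cmdline):
        return [("abe_bypass.policy_disabled_via_reg", cmdline)]
    return []


def check_registry(event: dict) -> list:
    """Event ID 13: the ABE policy value written as DWORD 0."""
    target = event.get("TargetObject", "")
    if not ABE_POLICY_RE.search(target):
        return []
    m = DWORD_RE.search(event.get("Details", ""))
    if m and int(m.group(1), 16) == 0:
        return [("abe_bypass.policy_disabled", f"{target} = 0 by {event.get('Image', '?')}")]
    return []


def scan(events: Iterable[dict]) -> list:
    """Run the matching check per event; return (RecordID, rule, detail) triples in order."""
    checkers = {1: check_process, 13: check_registry}
    findings = []
    for ev in events:
        checker = checkers.get(ev.get("EventID"))
        for rule, detail in (checker(ev) if checker else []):
            findings.append((ev.get("RecordID"), rule, detail))
    return findings


# Constructed sample telemetry: one benign launch, one stealer-style launch, an Edge
# pipe-debugging launch, a direct policy write, a benign policy write, reg.exe add/query.
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --flag-switches-begin --flag-switches-end'},
    {"RecordID": 2, "EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=9222 '
                    r'--user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data" --window-position=-32000,-32000'},
    {"RecordID": 3, "EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-pipe'},
    {"RecordID": 4, "EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome\ApplicationBoundEncryptionEnabled",
     "Details": "DWORD (0x00000000)"},
    {"RecordID": 5, "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Edge\ApplicationBoundEncryptionEnabled",
     "Details": "DWORD (0x00000001)"},
    {"RecordID": 6, "EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\Software\Policies\Google\Chrome /v ApplicationBoundEncryptionEnabled /t REG_DWORD /d 0 /f"},
    {"RecordID": 7, "EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe query HKLM\Software\Policies\Google\Chrome /v ApplicationBoundEncryptionEnabled"},
]

if __name__ == "__main__":
    for record_id, rule, detail in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {rule}: {detail}")
```

Records 2, 3, 4 and 6 are flagged; the benign launch, the policy set to 1 and the read-only reg.exe query are not. Legitimate developer tooling also starts browsers with --remote-debugging-port, so in production the remote-debugging rule is best scored together with the parent process (a browser spawned from a Temp-directory executable, as in record 2, is far more suspicious than one spawned from an IDE) and with whether --user-data-dir points at the user's real profile rather than a scratch directory.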

It's important to understand that in a rapidly changing threat landscape, built-in browser security measures alone are no longer enough. Companies should layer on threat detection and behavioral analysis (alerting on browsers launched with remote-debugging switches and on writes to the policy key above is a concrete start) and train employees on security regularly. Even the most modern protection can be defeated quickly when experienced, motivated attackers set to work on it.

The contest between security developers and cybercriminals is not a static state but a constant arms race, won by whoever adapts faster to new challenges. It pays to stay a step ahead rather than rely on baseline protections alone.
