VoidStealer Malware Slips Past Chrome's Defenses And Rips Credentials At Scale

It’s a never-ending game of cat and mouse between attackers and software makers, with the latest salvo being fired against one of Google Chrome’s key security features. Security researchers at Gen Threat Labs have discovered that a piece of malware, dubbed VoidStealer, is striking at the heart of how the browser keeps sensitive user data safe from prying eyes.

Google strengthened Chrome when it added Application-Bound Encryption (ABE) two years ago, which encrypts data such as passwords, persistent authentication tokens and payment data. This raises significant challenges for malicious actors looking to steal this precious data, including having to undertake actions such as obtaining system privileges or injecting code into Chrome. These actions are more likely to be detected, and potentially blocked, by antivirus software.

In the two years since the introduction of ABE, malware developers have devised several ways to bypass the security measure. While these techniques are effective, they usually behave in ways that are easier for defenders to spot. VoidStealer changes the equation by being able to operate more stealthily than other malware.

[Figure: A diagram of how the ABE bypass works. Image: Gen Threat Labs]

The method it deploys is based on a prior exploit, ElevationKatz, and manages to sidestep this security protection without being as “noisy” as other exploits. It accomplishes this by attaching itself to Chrome as a debugger process and then using hardware breakpoints to search for the decryption key, which is stored in memory as plaintext during the momentary window when it’s requested by the browser. With this key secured, attackers have carte blanche access to a victim’s data.

Unfortunately, VoidStealer is being peddled as Malware as a Service (MaaS), which provides would-be data thieves with a powerful tool at an accessible price. Moreover, the developers only recently added this new bypass, and they will likely continue to add new features as time goes on.

Alan Velasco

Opinions and content posted by HotHardware contributors are their own.