Malware Unfazed by Google Chrome’s New Password, Cookie Encryption
Google's addition of the AES-256 algorithm to encrypt cookies and passwords in the Chrome browser had a minor impact on infostealers.
Faced with the threat of having their business disrupted, developers of malware that steals data from web browsers quickly updated their tools to overcome the hurdle, many of their offers highlighting support for the new Chrome.
Even AZORult, abandoned by its original author in 2018, has received code updates from actors who continued the project to make it compatible with Chrome 80
New infostealing software trying to earn its stripes on cybercriminal forums also jumped at the opportunity, being advertised with out-of-the-box support for the new encryption layer added to Google Chrome.
Before Chrome 80
Google rolled out Chrome 80 in early February and, until its release, cookies and passwords on Windows were encrypted using the DPAPI built into the operating system.
Raveed Laeb, product manager at cyber intelligence company KELA, told BleepingComputer that Chrome still relies on the old method but added a new layer on top of it.
The data is first encrypted with the AES standard, though, and the key is then encrypted using the CrypProtectData DPAPI function. Reverting the process and obtaining the AES-256 key is done with the CryptUnprotectData function.
Replying to BleepingComputer, Google explained the reason for making this change, which affected infostealers for a short while:
"With M80, we made changes that will allow us to isolate Chrome’s network stack into its own robustly sandboxed process. As part of those changes we changed the algorithm for encrypted passwords/cookies and changed the storage mechanisms, which also disrupted the tooling that data thieves currently rely on."
Minor setback for malware
While Chrome adding AES encryption for cookies and passwords created ripples in the malware world, the disturbance was short-lasting for most malicious tools.
Soon after the new Chrome emerged, updates were publicly announced for at least four infostealers that had adapted to the new mechanism and had no trouble collecting the protected information.
The author of KPot infostealer posted four days after the new Chrome emerged that they had figured out the algorithm and would implement the fix in the tool.
In a subsequent post on the same day, they announced that an updated version was available for $90.
The authors of Raccoon, an infostealer that can grab data from nearly 60 apps - including all popular web browsers - announced that they, too, managed to bypass the new security layer in Chrome 80.
An update to their tool clearly specifies support for the latest version of the browser from Google and that the new features would become available with the new Raccoon build.
The release of the update would not affect the old builds, though, which would continue to work as originally designed.
Developers introducing new tools in the game seized the chance to grab some attention by promoting support for Chrome 80. Sleuthing from KELA uncovered an ad on a Russian cybercrime forum for Redline, a newcomer on the scene of infostealers.
"It's important to note that Redline is very new - offered for sale only after the new Chrome update, and hence doesn't have a lot of reputation," Laeb told BleepingComputer.
It is likely that the authors were using the Chrome update as a selling point since it was introduced with support for the new browser version.
AZORult is not dead, just in limbo
One of the top 10 active malware strains in 2019, AZORult also followed suit.
Left unattended by its original author in December 2018, the AZORult project was picked up by various authors and continues to be active to this day.
Genesis, one underground shop for browser data kept using the original version of the malware and suffered grave losses when Chrome 80 came along, as uncovered by KELA researchers towards the end of February.
Genesis administrators are believed to run a malware-as-a-service business, distributing the original version of AZORult and selling the collected data through their market.
"It's a business model that we see expanding constantly for the past two years or so, as it allows them to be very scalable and peddle hundreds of thousands of infections." - Raveed Laeb, product manager at KELA
Many believed AZORult's final day had come and rushed to write its obituary, explaining in it the change Google added to Chrome.
Version 3.3.1 should have been the last we saw of AZORult. But some threat actors had a different plan and kept the malware alive through multiple offshoots.
These did not come from vetted developers, though, and gained little traction. Cybercriminals were wary of using them for fear of being tampered with.
AZORult++ was first reported in May, 2019, and the announcement of the malware's version 3.4 was spotted recently
Several variants of this infostealer exist and one of them boasts compatibility with Chrome 80, updated not long ago.
This version was announced at the beginning of March. Being from an unvetted source, this version is not largely adopted, despite AZORult's notoriety, but could be used in smaller campaigns.
Chrome 80 did stir the waters of infostealers but most of them discovered how to work with the added encryption layer fairly quickly. Activity from this type of malware is unlikely to subside any time soon.
In fact, a new campaign delivering Raccoon via a new variant of the sextortion scam was reported today by security researchers from IBM X-Force Threat Intelligence.
Gloss