VoidStealer: The New Malware That Silently Drains Your Chrome Vaults — Even With Google’s Latest Encryption + Video

Listen to this Post

Featured Image

Introduction:

Security researchers have uncovered a sophisticated malware strain, VoidStealer, that successfully bypasses Google Chrome’s App-Bound Encryption (ABE) — a feature introduced in July 2024 to lock down stored credentials, cookies, and payment data. Rather than breaking encryption mathematically, VoidStealer targets a fleeting vulnerability: the brief moment when Chrome’s master decryption key resides in plaintext within process memory, allowing attackers to exfiltrate sensitive data from compromised hosts without triggering traditional crypto-defenses.

Learning Objectives:

  • Understand how App‑Bound Encryption (ABE) works and why memory‑exposure attacks defeat it.
  • Learn to detect memory‑scraping techniques used by VoidStealer on Windows and Linux endpoints.
  • Apply memory forensics, Sysmon rules, and endpoint hardening to mitigate similar credential‑theft attacks.

You Should Know:

  1. How App‑Bound Encryption (ABE) Works — and Where It Fails

ABE was Google’s answer to malware that previously stole Chrome’s local state encryption key from disk. With ABE, the key is bound to a trusted Chrome service process; only that process can request decryption. However, once Chrome legitimately decrypts a cookie or password for active use, the plaintext data — and sometimes the key itself — lives briefly in the process heap or stack. VoidStealer injects a tiny shellcode that scans memory ranges for specific patterns (e.g., encrypted_value, cookie hashes) and copies data before it is zeroed out.

Step‑by‑step guide to monitor this on Windows (using Sysinternals):

 Download ProcDump from Sysinternals if not present
Invoke-WebRequest -Uri "https://live.sysinternals.com/procdump.exe" -OutFile "$env:TEMP\procdump.exe"

Dump Chrome process memory when suspicious access patterns occur
& "$env:TEMP\procdump.exe" -ma chrome.exe C:\dumps\chrome_memory.dmp

Use strings.exe to look for cookie or password artifacts in the dump
strings.exe -n 8 C:\dumps\chrome_memory.dmp | findstr /i "cookie pass_token encrypted"

What it does: Simulates what VoidStealer does — extracting memory artifacts. Security teams can use similar dumps for forensic analysis.

2. Detecting VoidStealer Activity with Sysmon and PowerShell

VoidStealer typically arrives via phishing or drive‑by download, then injects into `chrome.exe` using `VirtualAllocEx` + WriteProcessMemory. You can detect this with Sysmon event ID 8 (CreateRemoteThread) and event ID 10 (ProcessAccess).

Step‑by‑step Sysmon configuration:

<!-- Add to Sysmon config -->
<Sysmon>
<EventFiltering>
<ProcessAccess onmatch="include">
<TargetImage condition="end with">chrome.exe</TargetImage>
<CallTrace condition="contains">ntdll.dll!NtReadVirtualMemory</CallTrace>
</ProcessAccess>
</EventFiltering>
</Sysmon>

Windows command to install/update Sysmon:

sysmon64.exe -accepteula -i sysmon_config.xml

Then review logs via PowerShell:

Get-WinEvent -FilterHashtable @{Logname="Microsoft-Windows-Sysmon/Operational"; ID=10} | Where-Object {$_.Message -like "chrome.exe"} | Format-List

3. Linux Memory Forensics for Chrome Credential Theft

Even though VoidStealer is Windows‑focused, similar techniques (e.g., using `ptrace` or /proc/pid/mem) affect Chromium on Linux. Use `gdb` and `volatility3` to inspect running Chrome processes.

Step‑by‑step extraction of memory from a Chromium process (educational only):

 Find Chromium PID
pgrep -a chromium

Dump process memory (requires root or ptrace privileges)
gdb -p <PID> -batch -ex "dump memory /tmp/chromium_dump.dump 0x0 0x7fffffffffff"

Extract strings and filter for login tokens
strings /tmp/chromium_dump.dump | grep -E "oauth|session|password|encrypted_value"

Mitigation: On Linux, restrict `ptrace` with `kernel.yama.ptrace_scope = 2` in `/etc/sysctl.conf` to prevent cross‑process memory read.

  1. Simulating VoidStealer’s Memory Access for Blue Team Drills

Defenders can safely emulate VoidStealer’s behavior using open‑source tools like Mimikatz’s `chromium` module or SharpChrome. This helps test detection rules without deploying live malware.

Step‑by‑step simulation on an isolated lab VM (Windows):

 Download SharpChrome (part of GhostPack)
git clone https://github.com/GhostPack/SharpChrome
cd SharpChrome

Compile and run against Chrome process
.\SharpChrome.exe cookies --local

What to monitor:

  • EDR alerts for `ReadProcessMemory` calls to chrome.exe.
  • Logs showing `NTVDM` or `dbghelp` modules loading unexpectedly.

5. Hardening Chrome Against Memory Scraping

While ABE cannot be patched against memory exposure, enterprise administrators can enable application isolation and restrict debug privileges.

Group Policy settings (Windows):

  • Turn off Chrome’s automatic crash reporting (prevents memory dumps to disk).
  • Enable `RenderCodeIntegrityEnabled` (forces CFG for renderer processes).
  • Deploy Windows Defender Credential Guard – this blocks memory reading from non‑privileged processes into LSASS and can be extended to browsers via attack surface reduction (ASR) rules.

ASR rule to block process memory scraping (Windows Defender):

Add-MpPreference -AttackSurfaceReductionRules_Ids "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" -AttackSurfaceReductionRules_Actions Enabled

This rule blocks any process from reading memory from another process that isn’t a child or allowed parent.

6. Response Playbook: After Detecting VoidStealer

If a host shows signs of Chrome memory extraction, follow this IR process:

Step‑by‑step containment:

  1. Isolate the host from network: `netsh advfirewall set allprofiles state on` (block inbound/outbound).
  2. Dump Chrome process memory before killing it (use ProcDump as in section 1).
  3. Reset all credentials stored in Chrome — assume cookies and passwords are compromised.
  4. Revoke active session tokens via Azure AD / IdP (e.g., `Revoke-AzureADUserAllRefreshToken` in PowerShell).
  5. Collect full memory image for deeper analysis using Magnet RAM Capture or FTK Imager.

Windows command to collect full RAM:

C:\Program Files\OSForensics\OSFMount\osfmount.com -i -t ram -o dump.raw

What Undercode Say:

  • Key Takeaway 1: Chrome’s App‑Bound Encryption is not a silver bullet; it shifts the attack target from disk to memory, where race‑condition scrapers like VoidStealer thrive. Defenders must invest in memory integrity monitoring (e.g., ETW TI, Microsoft’s Event Tracing for Threat Intelligence) to catch illicit `ReadProcessMemory` calls.
  • Key Takeaway 2: The malware’s adaptability underscores a broader truth — endpoint detection must move beyond signature‑based or static encryption protections. Proactive hardening, such as enabling Arbitrary Code Guard (ACG) and Control Flow Guard (CFG) for browsers, can drastically raise the cost of these injection attacks.

Analysis: Olga Bulat’s comment (3d) is spot‑on: “Defense has to start well before the browser.” VoidStealer doesn’t exploit a crypto flaw; it exploits the fundamental need for plaintext data during normal operation. This aligns with the classic “evil maid” attack pattern — once you control the host process, no client‑side encryption can fully protect live secrets. The real solution lies in isolating sensitive processes using virtualization‑based security (VBS) and hardware enclaves (e.g., Intel SGX). Until browsers move decryption into a TEE, memory scraping will remain a viable technique.

Prediction:

VoidStealer signals a shift toward “post‑encryption” malware families that no longer bother breaking crypto — they simply wait for legitimate processes to unwrap secrets. Within 12–18 months, expect Chrome and other major browsers to deploy dynamic memory scrambling (e.g., randomizing the location of decrypted secrets every few milliseconds) and to adopt process‑forking with differential privacy to hide real data. Simultaneously, attackers will weaponize GPU‑assisted memory scanning to extract secrets faster than current EDR hooks can react. For SOC teams, the future is not about preventing encryption bypass — it’s about real‑time runtime behavior analysis and credentialed access revocation measured in seconds, not hours.

Source reference: Cyber Security Times post (https://lnkd.in/gpNKFw2c) – “New VoidStealer Bypasses Chrome Data Protection to Steal User Data.”

▶️ Related Video (76% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Cybersecuritynews Cybersecuritytimes – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky