Vojtěch Krejsa, the menace researcher at Gen who first flagged the stealer, calls VoidStealer’s bypass non-noisy. “The bypass requires neither privilege escalation nor code injection, making it a stealthier strategy in comparison with different ABE bypass strategies,” he mentioned in a weblog put up.
Chasing the grasp key
An ABE bypass revolves round a crucial piece of fabric, the “v20_master-key.” This secret’s what finally unlocks saved browser secrets and techniques, together with cookies, passwords, and tokens, as soon as the browser has verified the request. In concept, ABE retains this key tightly guarded, guaranteeing it’s by no means uncovered in a means that malware can simply entry it.
Nevertheless, in apply, that key nonetheless has to exist in plaintext at runtime, if solely briefly, for Chrome to do its job.
Earlier bypass strategies discovered methods to go after decryption, some counting on course of injection that concerned slipping malicious code into Chrome to invoke a official decryption routine. Others used reminiscence dumping or distant debugging, scanning giant chunks of course of reminiscence to find decrypted knowledge. Extra superior approaches abused Chrome’s elevation service or COM interfaces to trick the browser into handing over decrypted materials.
