Published on May 19, 2026
VoidStealer Malware Targets Chrome Data Despite Built-In Browser Protections
Severity
Medium
Detail
Security researchers have identified a new information-stealing malware called VoidStealer, which is capable of bypassing Google Chrome’s App-Bound Encryption (ABE) protection to extract sensitive browser data such as session cookies and saved credentials.
According to findings shared by security researchers at Kaspersky, VoidStealer targets Chromium-based browsers including Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi. The malware is particularly dangerous because it can operate even on fully updated systems where Chrome’s latest security protections are enabled.
Chrome introduced App-Bound Encryption (ABE) in version 127 as an upgrade over the older Data Protection API (DPAPI). ABE was designed to bind encryption keys to the Chrome application itself, ensuring that only the browser or a privileged system service could request access to sensitive decrypted data. This was intended to prevent malware running under normal user privileges from stealing session cookies and authentication tokens.
However, VoidStealer bypasses this protection by targeting a critical moment in the browser’s runtime behavior, when Chrome temporarily decrypts data in memory for legitimate use. Instead of requesting encrypted data through system APIs, the malware attaches itself to the Chrome process and observes internal execution.
The attack works by using debugging techniques: VoidStealer injects itself into the Chrome process, identifies the code path where decryption occurs, and sets a breakpoint on the instruction where the master encryption key is loaded into memory in plaintext. Once Chrome reaches this point, the malware pauses execution and extracts the key directly from RAM.
Because the attack occurs in memory after decryption, Chrome’s ABE protections are effectively bypassed. This allows attackers to steal session cookies and authentication data without triggering traditional security controls. These stolen cookies can then be reused to hijack active sessions, giving attackers access to user accounts without needing passwords or multi-factor authentication.
VoidStealer is also part of a malware-as-a-service (MaaS) ecosystem, meaning it can be rented and deployed by multiple cybercriminal groups, increasing its scale and impact. Researchers noted that similar bypass techniques have previously been attempted by other infostealers such as Lumma, Meduza, and Whitesnake, showing a broader trend of attackers focusing on runtime memory extraction rather than breaking encryption directly.
How?
VoidStealer operates by exploiting the runtime decryption process in Chromium-based browsers rather than breaking encryption itself. After initial infection, the malware attaches to the Chrome process using debugging-like behavior and monitors its internal execution flow.
When a user logs into a website, Chrome decrypts session cookies and other sensitive data in memory so the browser can use them. At this precise moment, VoidStealer triggers a breakpoint that halts execution and captures the decrypted master key directly from RAM. This key is then used to extract session cookies and other stored credentials.
Since this method does not rely on accessing encrypted storage or using official APIs, it bypasses App-Bound Encryption safeguards entirely. The stolen session tokens are then transmitted to the attacker, who can reuse them to impersonate the victim and access online accounts without needing login credentials.
Conclusion
VoidStealer highlights a major limitation in browser-based encryption systems: even strong protections like App-Bound Encryption cannot fully defend against attacks that target data while it is temporarily decrypted in memory.
The malware demonstrates a shift in attacker strategy from breaking encryption to exploiting runtime behavior, making credential theft harder to prevent using traditional security controls alone. Its availability through a malware-as-a-service model further increases the risk, enabling widespread abuse by cybercriminals.
To reduce exposure, users and organizations are advised to avoid downloading untrusted software, keep systems and browsers updated, use dedicated password managers instead of browser storage, and deploy endpoint detection tools capable of identifying process injection and suspicious debugging activity.
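The last recommendation above, suspicious debugging activity against the browser, is something an endpoint telemetry pipeline can check for directly. The following is an added example, not code from the original report or from Kaspersky: it scans Sysmon ProcessAccess (Event ID 10) records for a process other than the browser opening a Chromium-based browser with memory-read or thread-control rights, which a debugger-style stealer needs. The Sysmon field names are real; the pipe-delimited export format, the allowlist and the sample records are assumptions constructed for the example.

```python
"""Flag handles opened on Chromium-based browser processes with rights that
allow memory reading or thread control, from Sysmon Event ID 10 records.
Record format and sample data are constructed for this example."""
from typing import List, Optional, Tuple

# Process access rights from winnt.h.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION = 0x0002, 0x0008
PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_SUSPEND_RESUME = 0x0010, 0x0020, 0x0800
# Rights that let the caller write memory or stop/start threads (debugger-style).
CONTROL_RIGHTS = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
                  | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME)
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Assumed benign openers of browser processes; tune to the environment.
ALLOWLIST = {"csrss.exe", "lsass.exe", "msmpeng.exe", "svchost.exe"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Parse one pipe-delimited key=value record (assumed export format)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def classify(event: dict) -> Optional[str]:
    """Return a severity label for a suspicious browser handle, else None."""
    source, target = _basename(event["SourceImage"]), _basename(event["TargetImage"])
    if target not in CHROMIUM_BROWSERS or source in CHROMIUM_BROWSERS or source in ALLOWLIST:
        return None  # not a browser, or the browser opening its own child processes
    access = int(event["GrantedAccess"], 16)
    if not access & PROCESS_VM_READ:
        return None  # handle cannot read the target's memory at all
    if access & CONTROL_RIGHTS:
        return "high: memory read plus memory/thread control (debugger-capable)"
    return "medium: memory read only"


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source image, target image, label) for every flagged record."""
    findings = []
    for event in map(parse_event, lines):
        label = classify(event)
        if label:
            findings.append((event["SourceImage"], event["TargetImage"], label))
    return findings


SAMPLE_LOG = [  # constructed records: browser child, stealer-like, Task Manager, reader
    r"SourceImage=C:\Program Files\Google\Chrome\Application\chrome.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1FFFFF",
    r"SourceImage=C:\Users\bob\AppData\Local\Temp\update.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1FFFFF",
    r"SourceImage=C:\Windows\System32\Taskmgr.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1000",
    r"SourceImage=C:\Users\bob\Downloads\viewer.exe|TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|GrantedAccess=0x0410",
]
```

Running `scan(SAMPLE_LOG)` flags the Temp-directory executable as high and the Downloads executable as medium, while the browser's own child-process handle and Task Manager's limited-information handle pass.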
Source
https://gbhackers.com/voidstealer-malware-targets-chrome-data/
