Full Report
An information stealer called VoidStealer uses a new approach to bypass Chrome's Application-Bound Encryption (ABE) and extract the master key for decrypting sensitive data stored in the browser. [...]
Analysis Summary
# Tool/Technique: VoidStealer
## Overview
VoidStealer is an information stealer operated as a Malware-as-a-Service (MaaS) platform. It is notable for being the first malware observed in the wild to use a debugger-based technique to bypass Google Chrome's Application-Bound Encryption (ABE). By setting hardware breakpoints in the browser process, it extracts the `v20_master_key` directly from browser memory, allowing the decryption of sensitive data such as cookies and credentials without requiring administrative privileges or code injection.
## Technical Details
- **Type**: Malware family (Information Stealer)
- **Platform**: Windows (targeting Chromium-based browsers like Chrome and Edge)
- **Capabilities**: Credential theft, cookie extraction, ABE bypass via hardware breakpoints, memory forensics.
- **First Seen**: Advertised in mid-December 2025; ABE bypass introduced in version 2.0 (March 2026).
## MITRE ATT&CK Mapping
- **[TA0006 - Credential Access]**
  - [T1539 - Steal Web Session Cookie]
  - [T1555.003 - Credentials from Web Browsers]
- **[TA0005 - Defense Evasion]**
  - [T1548.002 - Bypass User Account Control] (implied avoidance of elevation)
  - [T1056.004 - Credential API Hooking] (via hardware breakpoints)
- **[TA0007 - Discovery]**
  - [T1010 - Application Window Discovery]
## Functionality
### Core Capabilities
- **Information Stealing**: Extracts stored credentials, autocomplete data, and session cookies from Chromium-based browsers.
- **Stealthy Execution**: Starts the browser in a suspended and hidden state to conduct extraction before the user or security software notices.
- **Memory Reading**: Uses `ReadProcessMemory` to read the master key out of the browser process once the hardware breakpoint is triggered.
### Advanced Features
- **Debugger-based ABE Bypass**: Attaches to the browser process as a debugger. It targets `chrome.dll` or `msedge.dll` and sets hardware breakpoints on specific instructions.
- **Plaintext Key Extraction**: Intercepts the `v20_master_key` during the brief window when it is decrypted in memory during browser startup, bypassing the need for the Google Chrome Elevation Service (which normally requires SYSTEM privileges).
- **Technique Adoption**: Derived from the open-source tool set `ChromeKatz` (specifically the `ElevationKatz` component).
## Indicators of Compromise
- **File Hashes**: (Specific hashes not provided in the article; builds change frequently.)
- **File Names**: Often masquerades as legitimate installers or browser updates.
- **Network Indicators**:
  - [C2 server communications - defanged]: Likely hosted on Telegram or encrypted dark web domains (e.g., `example[.]onion`).
- **Behavioral Indicators**:
  - Unidentified processes attaching to `chrome.exe` or `msedge.exe` as a debugger.
  - Spawning of hidden/suspended browser processes.
  - Frequent calls to `ReadProcessMemory` targeting browser address spaces.
## Associated Threat Actors
- **Cybercriminals**: Distributed via Malware-as-a-Service (MaaS) channels on dark web forums. No specific named APT group has been linked, but it is available to any subscriber of the service.
## Detection Methods
- **Signature-based detection**: Detection of strings related to `ElevationKatz` or specific unique code fragments within the VoidStealer binary.
- **Behavioral detection**:
  - Monitoring for `DebugActiveProcess` calls targeting browser executables.
  - Alerts for processes setting hardware breakpoints (via `SetThreadContext`) in browser memory space.
  - Behavioral monitoring of browser startup sequences that deviate from standard user activity.
- **YARA rules**: Rules should focus on the specific LEA instructions and target strings used to locate the master key decryption routine within `chrome.dll`.
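The behavioral indicators and behavioral detection items above describe one chain: a non-browser parent spawns a hidden, suspended browser, attaches to it as a debugger, writes a debug register via `SetThreadContext`, then calls `ReadProcessMemory` against it. The following added example (not code from the report, ChromeKatz, or any vendor product) shows how a detection engineer might correlate that chain over process and API telemetry. The event shape, field names (`create_flags`, `show_window`, `dr7`, `target_pid`), the allowlists and the scoring weights are all assumptions for this example; the sample events are constructed.

```python
"""Toy correlation rule for the debugger-based ABE bypass chain.

Constructed example: event records imitate the shape of process/API
telemetry an EDR or ETW consumer might emit. Field names are assumptions.
"""
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe"}
# Parents that legitimately launch browsers, and debuggers that legitimately
# attach to them. Tune per environment (assumed lists).
BENIGN_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "svchost.exe"}
DEBUGGER_ALLOWLIST = {"windbg.exe", "devenv.exe", "x64dbg.exe"}

# Constructed sample telemetry: a dropper ("update_helper.exe", hypothetical
# name) spawns a hidden, suspended Chrome, attaches as a debugger, sets a
# debug register, then reads the browser's memory.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 4120, "image": "explorer.exe", "ppid": 900,
     "parent_image": "winlogon.exe", "create_flags": [], "show_window": "SW_SHOWNORMAL"},
    {"type": "ProcessCreate", "pid": 5210, "image": "chrome.exe", "ppid": 4120,
     "parent_image": "explorer.exe", "create_flags": [], "show_window": "SW_SHOWNORMAL"},
    {"type": "ProcessCreate", "pid": 6300, "image": "chrome.exe", "ppid": 5988,
     "parent_image": "update_helper.exe", "create_flags": ["CREATE_SUSPENDED"],
     "show_window": "SW_HIDE"},
    {"type": "DebugAttach", "pid": 5988, "image": "update_helper.exe",
     "target_pid": 6300, "api": "DebugActiveProcess"},
    {"type": "SetThreadContext", "pid": 5988, "target_pid": 6300, "dr7": 0x1},
    {"type": "ReadProcessMemory", "pid": 5988, "target_pid": 6300, "bytes": 32},
    {"type": "ReadProcessMemory", "pid": 5988, "target_pid": 6300, "bytes": 4096},
]

ALERT_THRESHOLD = 5  # assumed: a single weak signal never fires on its own


def correlate(events, threshold=ALERT_THRESHOLD):
    """Score suspicious actions per (actor_pid, browser_pid) pair.

    Returns {(actor_pid, target_pid): {"score": int, "reasons": [...]}}
    for pairs whose accumulated score reaches the threshold.
    """
    image_of = {}  # pid -> image name, learned from ProcessCreate events
    hits = defaultdict(lambda: {"score": 0, "reasons": []})

    def add(actor, target, points, why):
        entry = hits[(actor, target)]
        entry["score"] += points
        if why not in entry["reasons"]:
            entry["reasons"].append(why)

    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            image_of[ev["pid"]] = ev["image"]
            # A browser started suspended and/or hidden by an unexpected parent
            # is the first link of the chain described in the report.
            if ev["image"].lower() in BROWSERS and ev["parent_image"].lower() not in BENIGN_PARENTS:
                if "CREATE_SUSPENDED" in ev["create_flags"]:
                    add(ev["ppid"], ev["pid"], 3, "browser spawned suspended by non-browser parent")
                if ev["show_window"] == "SW_HIDE":
                    add(ev["ppid"], ev["pid"], 2, "browser spawned with hidden window")
            continue

        # Remaining event kinds are cross-process actions; only those aimed
        # at a browser process matter here.
        target_image = image_of.get(ev.get("target_pid"), "").lower()
        if target_image not in BROWSERS:
            continue
        actor_image = image_of.get(ev["pid"], ev.get("image", "")).lower()
        if kind == "DebugAttach" and actor_image not in DEBUGGER_ALLOWLIST:
            add(ev["pid"], ev["target_pid"], 4, f"{ev['api']} on browser by unlisted debugger")
        elif kind == "SetThreadContext" and ev.get("dr7", 0) != 0:
            # A non-zero DR7 enables hardware breakpoints in the target thread.
            add(ev["pid"], ev["target_pid"], 4, "hardware breakpoint (DR7 != 0) set in browser thread")
        elif kind == "ReadProcessMemory":
            add(ev["pid"], ev["target_pid"], 1, "ReadProcessMemory against browser address space")

    return {pair: entry for pair, entry in hits.items() if entry["score"] >= threshold}


if __name__ == "__main__":
    for (actor, target), entry in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT actor pid {actor} -> browser pid {target} (score {entry['score']})")
        for reason in entry["reasons"]:
            print("  -", reason)
```

On the constructed sample the rule raises a single alert for the pair (5988, 6300) carrying all five reasons, while the ordinary Explorer-launched Chrome produces nothing. The weighting is deliberate: a debugger attach or a non-zero DR7 against a browser is strong on its own, whereas `ReadProcessMemory` alone is common in benign tooling and only adds weight when it co-occurs with the other links of the chain.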
## Mitigation Strategies
- **Prevention measures**:
  - Implement Application Control policies to prevent unknown binaries from executing.
  - Use Endpoint Detection and Response (EDR) tools to block unauthorized debugging attempts.
- **Hardening recommendations**:
  - Restrict the ability of non-admin users to use debugging APIs where possible.
  - Ensure Chromium browsers are updated to the latest versions (this bypass targets the ABE feature introduced in version 127+, and Google may issue updates that change where the key resides in memory).
## Related Tools/Techniques
- **ChromeKatz / ElevationKatz**: The open-source research tools from which this technique was derived.
- **Arkanix Stealer**: Another malware family noted for attempting ABE bypasses.
- **Application-Bound Encryption (ABE)**: The primary security feature being targeted by this tool.