Elastic Security Labs breaks down bypass implementations from the infostealer ecosystem’s reaction to Chrome 127's Application-Bound Encryption scheme.

Google Chrome Cookie Security

STEALC/VIDAR

METASTEALER

PHEMEDRONE

XENOSTEALER

LUMMA

Cookies access by an unusual process

Chrome Browser Spawned from an Unusual Parent

Untrusted Binaries from Chrome Application folder

Unsigned DLLs loaded from google chrome application folder

Unsigned executable launched from google chrome application folder

Stealer Bypasses and MITRE ATT&CK

Tactics

Techniques

YARA

Observations

References

Katz and Mouse Game:  MaaS Infostealers Adapt to Patched Chrome Defenses

Author

Jia Yu Chan

Articles

Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses