Malware Unfazed by Google Chrome's New Password, Cookie Encryption

silversurfer

Google's addition of the AES-256 algorithm to encrypt cookies and passwords in the Chrome browser had a minor impact on infostealers.

Faced with the threat of having their business disrupted, developers of malware that steals data from web browsers quickly updated their tools to overcome the hurdle, many of their offers highlighting support for the new Chrome.

Even AZORult, abandoned by its original author in 2018, has received code updates from actors who continued the project to make it compatible with Chrome 80.

New infostealing software trying to earn its stripes on cybercriminal forums also jumped at the opportunity, being advertised with out-of-the-box support for the new encryption layer added to Google Chrome.

Google rolled out Chrome 80 in early February and, until its release, cookies and passwords on Windows were encrypted using the DPAPI built into the operating system.

Raveed Laeb, product manager at cyber intelligence company KELA, told BleepingComputer that Chrome still relies on the old method but added a new layer on top of it.

The data is first encrypted with the AES standard, though, and the key is then encrypted using the CryptProtectData DPAPI function. Reverting the process and obtaining the AES-256 key is done with the CryptUnprotectData function.

Replying to BleepingComputer, Google explained the reason for making this change, which affected infostealers for a short while:
"With M80, we made changes that will allow us to isolate Chrome’s network stack into its own robustly sandboxed process. As part of those changes we changed the algorithm for encrypted passwords/cookies and changed the storage mechanisms, which also disrupted the tooling that data thieves currently rely on."
 
