CyberSecurity SEE

Malware Evades Google Chrome App-Bound Encryption

Cyble researchers have recently uncovered a sophisticated malware attack that effectively bypasses Google Chrome’s App-Bound Encryption, a security measure introduced last year to safeguard cookies from infostealer malware. This discovery is concerning as it opens up the potential for cyber attackers to access user accounts and other sensitive information.

The detailed analysis in Cyble's recent blog post sheds light on the attack. The malware combines a dual injection technique with disguised delivery files: a malicious LNK shortcut hidden inside a ZIP archive posing as a PDF, and a malicious MSBuild XML project file camouflaged as a PNG image. The disguises are meant to trick users into opening the files, after which the malware runs fileless operations, establishes persistence through a scheduled task, and communicates over Telegram to avoid detection while stealing data.

By leveraging MSBuild.exe and employing a double injection technique, the malware operates directly in memory, making it challenging to detect. Furthermore, its capability to circumvent Chrome’s App-Bound Encryption and extract credentials underscores the severity and impact of this attack.

The file naming conventions used by the malware suggest a focus on organizations in Vietnam, particularly in the telemarketing or sales sectors. The delivery method of this malware remains unclear, however, which highlights the need for heightened vigilance and security measures within organizations to mitigate such threats.

A comprehensive analysis of the infection chain reveals the mechanisms the malware employs. The LNK file creates a scheduled task that invokes the Microsoft Build Engine (MSBuild.exe) to compile and run malicious C# code, so the malware operates stealthily within the system and executes different components depending on the system architecture. Process Injection and Reflective DLL Injection let the malware run its malicious code in memory, effectively evading traditional security solutions.
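The chain above hinges on MSBuild.exe being handed a project file that is not really a build project (here an XML project renamed to .png). The following detection logic, added here as an example and not part of Cyble's report, flags such launches in process-creation telemetry; the sample events, path and parent-process lists are constructed assumptions, not indicators from the report.

```python
import shlex
from pathlib import PureWindowsPath
# Extensions MSBuild is legitimately handed; the Cyble chain used a project renamed to .png.
PROJECT_EXTENSIONS = {".csproj", ".vbproj", ".fsproj", ".proj", ".sln", ".targets", ".props"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}

def project_file_argument(cmdline):
    """First non-switch argument after the image name, i.e. the project file MSBuild will run."""
    # posix=False keeps backslashes literal; quotes stay attached, so strip them afterwards.
    for tok in (t.strip('"') for t in shlex.split(cmdline, posix=False)[1:]):
        if not tok.startswith(("/", "-")):
            return tok
    return None

def assess_msbuild_event(parent, image, cmdline):
    """Reasons an MSBuild launch looks like inline-task proxy execution; [] means it looks normal.
    Only a non-build extension triggers; path and parent add context, so a developer
    building a .csproj under the user profile is not flagged."""
    if PureWindowsPath(image).name.lower() != "msbuild.exe":
        return []
    proj = project_file_argument(cmdline)
    if proj is None:
        return []  # bare "MSBuild.exe" builds whatever is in its cwd; out of scope here
    ext = PureWindowsPath(proj).suffix.lower()
    if ext in PROJECT_EXTENSIONS:
        return []
    reasons = [f"project file has non-build extension {ext or '(none)'!r}"]
    if proj.lower().startswith(USER_WRITABLE):
        reasons.append("project file sits in a user-writable location")
    if PureWindowsPath(parent).name.lower() not in DEV_PARENTS:
        reasons.append(f"parent {parent} is not a build tool (scheduled task or LNK-spawned shell?)")
    return reasons

def scan(events):
    """Apply the rule to (parent_image, image, command_line) tuples; return (command_line, reasons) hits."""
    return [(cmd, r) for parent, image, cmd in events if (r := assess_msbuild_event(parent, image, cmd))]

# Constructed sample process-creation events, not taken from the Cyble report.
MSB64 = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
SAMPLE_EVENTS = [
    ("devenv.exe", MSB64, 'MSBuild.exe "C:\\src\\App\\App.csproj" /t:Build'),          # normal IDE build
    ("dotnet.exe", MSB64, 'MSBuild.exe "C:\\Users\\dev\\src\\Api.csproj" /restore'),   # dev under profile: fine
    ("svchost.exe", MSB64, "MSBuild.exe C:\\Users\\Public\\Documents\\report.png"),    # task -> "PNG" project
    ("cmd.exe", MSB64, 'MSBuild.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\scan.pdf.png" /nologo'),
]

if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(reasons))
```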

The malware uses the Telegram Web API for command-and-control communication with the threat actor, who can change the Telegram bot ID and chat ID as needed. Over this channel it exfiltrates sensitive user data from the Chrome browser, including cookies and login information, bypasses Chrome’s App-Bound Encryption to steal the encryption keys, and deploys custom info stealers.

To safeguard against such sophisticated attacks, Cyble recommends implementing user training, stringent email attachment filtering, application whitelisting, and restricting file execution paths and extensions. These defensive measures can help organizations mitigate the risks posed by malware attacks like the one uncovered by Cyble researchers.

For a more in-depth analysis of the attack chain, communications, exfiltration techniques, Indicators of Compromise (IoCs), and MITRE ATT&CK Techniques, readers are encouraged to refer to the full Cyble blog post. Stay informed and stay vigilant to protect against evolving cyber threats.
