VoidStealer Bypasses Chrome App-Bound Encryption: New Threat
Researchers at Cisco Talos have uncovered a new variant of the VoidStealer Trojan that successfully circumvents Google Chrome’s App‑Bound Encryption (ABE). The malware, tracked as VoidStealer v2.1, employs a sophisticated process‑injection routine that loads a malicious DLL into the Chrome renderer under the same user context, allowing it to access protected memory regions where the ABE session key resides.
Chrome’s ABE relies on the Windows DPAPI to bind encryption keys to the logged‑on user, securing saved passwords, cookies, and autofill data in a blob called AppBoundEncryptionData. The VoidStealer variant patches the CryptProtectData function inside the Chrome process, capturing the ephemeral key before it is cleared. By replaying this key, the malware decrypts the on‑disk credential store, exfiltrates the plaintext data, and can subsequently hijack authenticated sessions.
The bypass gives attackers a one‑stop shop for credential theft: saved passwords, session cookies, and autofill profiles are all extracted in clear text. Security analysts warn that such data can fuel account takeover, financial fraud, and corporate espionage, especially when combined with multi‑factor authentication fatigue or phishing lures.
Google’s Chrome security team has acknowledged the bypass and is working on an updated ABE implementation that incorporates additional entropy from the operating system. In the meantime, organizations are advised to enforce strict process‑isolation policies, monitor for unexpected DLL loads into Chrome, and deploy endpoint detection tooling that can flag DPAPI hooking and process‑injection patterns.
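Monitoring for unexpected DLL loads into Chrome, as an added example that is not part of the original article or of any vendor's tooling: a small Python detector that runs over Sysmon-style image-load records (Event ID 7 fields) and flags modules entering chrome.exe that are unsigned, signed by an unexpected party, or loaded from outside the directories Chrome is expected to use. The sample records are constructed, and the trusted directories and signers are assumptions to tune per environment.

```python
"""Flag unexpected DLL loads into chrome.exe from Sysmon-style image-load records."""
from pathlib import PureWindowsPath

# Assumption: Chrome's default per-machine install path and the Windows system
# directory are the only places Chrome should load DLLs from; tune per estate.
TRUSTED_DIRS = (
    r"C:\Program Files\Google\Chrome\Application",
    r"C:\Windows\System32",
)
TRUSTED_SIGNERS = ("Google LLC", "Microsoft Windows", "Microsoft Corporation")

def _under(path, roots):
    """True if path sits below one of the root directories (case-insensitive)."""
    parents = PureWindowsPath(path).parents
    return any(PureWindowsPath(r) in parents for r in roots)

def classify_load(rec):
    """Return a reason string if this image-load record looks suspicious, else None."""
    if PureWindowsPath(rec["Image"]).name.lower() != "chrome.exe":
        return None  # only modules entering a Chrome process matter here
    loaded = rec["ImageLoaded"]
    if rec.get("Signed") != "true" or rec.get("SignatureStatus") != "Valid":
        return f"unsigned or invalid signature: {loaded}"
    if rec.get("Signature") not in TRUSTED_SIGNERS:
        return f"unexpected signer {rec.get('Signature')!r}: {loaded}"
    if not _under(loaded, TRUSTED_DIRS):
        return f"module outside trusted directories: {loaded}"
    return None

def scan(records):
    """Collect a reason string for every suspicious Chrome image load."""
    return [r for r in map(classify_load, records) if r]

# Constructed sample records mirroring Sysmon Event ID 7 fields (not real telemetry).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"Image": CHROME, "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\130.0.0.0\chrome.dll",
     "Signed": "true", "Signature": "Google LLC", "SignatureStatus": "Valid"},
    {"Image": CHROME, "ImageLoaded": r"C:\Windows\System32\crypt32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": CHROME, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The last sample shows the same unsigned DLL loading into explorer.exe, which this rule deliberately ignores so that it stays scoped to the Chrome process the article describes.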