VoidStealer, an infostealer seen in the wild, bypasses Chrome’s Application-Bound Encryption (ABE) by using hardware breakpoints to extract the v20_master_key directly from browser memory. The malware attaches as a debugger to a suspended browser process at startup; when the breakpoint fires, it reads the register that points at the plaintext master key and copies the key out with ReadProcessMemory. The technique was likely adopted from the open-source ElevationKatz project. #VoidStealer #v20_master_key
Keypoints
- VoidStealer uses hardware breakpoints to capture the v20_master_key from browser memory.
- The technique requires no privilege escalation or code injection: the malware attaches as a debugger to a browser process it starts suspended and hidden.
- It targets browser startup, the moment when ABE-protected data is decrypted, and scans the browser's DLLs for specific strings and LEA instructions to find the code where the breakpoint is placed.
- Gen Digital identified this as the first in-the-wild infostealer using a debugger-based ABE bypass, likely derived from ElevationKatz.
- Google introduced ABE in Chrome 127 to protect master keys, but earlier bypasses and public proof-of-concept tools had already shown that it could be defeated.
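The two mechanical pieces of the technique described above, locating a code site by finding a string and the RIP-relative LEA that references it, and encoding a hardware breakpoint in DR7, are shown below as an added example. This is illustrative code written for this page, not code from VoidStealer, ElevationKatz or Gen Digital. The sample byte buffer, the marker string "constructed_marker" and the load address 0x140000000 are constructed for the demonstration; no real browser string, offset or address is used, and the example stops short of attaching to any process.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* --- Part 1: DR7 control bits for an x86-64 hardware breakpoint (Intel SDM Vol. 3, 17.2.4).
 * bit 2n     : Ln   local enable for DRn
 * bits 16+4n : R/Wn 00 = execute, 01 = write, 11 = read/write
 * bits 18+4n : LENn 00 = 1 byte, 01 = 2, 11 = 4, 10 = 8 (execute breakpoints use 00)
 * On Windows the value would go into CONTEXT.Dr7 (with DRn holding the address) via
 * SetThreadContext with ContextFlags = CONTEXT_DEBUG_REGISTERS; that call is not made here. */
enum { DR_EXEC = 0, DR_WRITE = 1, DR_RW = 3 };

uint64_t dr7_enable(uint64_t dr7, int n, int rw, int len_bytes)
{
    uint64_t len_bits;
    if (n < 0 || n > 3) return dr7;              /* only DR0..DR3 exist */
    switch (len_bytes) {
        case 1: len_bits = 0; break;
        case 2: len_bits = 1; break;
        case 4: len_bits = 3; break;
        case 8: len_bits = 2; break;
        default: return dr7;                     /* unsupported length: leave DR7 unchanged */
    }
    if (rw == DR_EXEC) len_bits = 0;             /* execute breakpoints must be length 1 */
    dr7 &= ~(0xFULL << (16 + 4 * n));            /* clear R/Wn and LENn */
    dr7 |= (uint64_t)(rw & 3) << (16 + 4 * n);
    dr7 |= len_bits << (18 + 4 * n);
    dr7 |= 1ULL << (2 * n);                      /* local enable Ln */
    return dr7;
}

/* --- Part 2: resolve RIP-relative LEAs in an x64 code buffer. */
typedef struct {
    size_t   offset;  /* offset of the LEA within the scanned buffer */
    int      reg;     /* destination register: 0 = rax, 1 = rcx, 2 = rdx, ... */
    uint64_t target;  /* absolute address the LEA computes */
} lea_hit;

/* Find every "lea r64, [rip+disp32]" (REX.W 8D, ModRM mod=00 rm=101) in a buffer
 * mapped at `base`. The target is the RIP after the 7-byte instruction plus the
 * sign-extended disp32, which is how a string or global is referenced in x64 code. */
size_t find_rip_lea(const uint8_t *code, size_t len, uint64_t base, lea_hit *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 7 <= len && n < max; i++) {
        uint8_t rex = code[i], op = code[i + 1], modrm = code[i + 2];
        if ((rex & 0xF8) != 0x48 || op != 0x8D || (modrm & 0xC7) != 0x05) continue;
        int32_t disp;
        memcpy(&disp, code + i + 3, sizeof disp);                 /* little-endian disp32 */
        out[n].offset = i;
        out[n].reg    = ((rex & 0x04) << 1) | ((modrm >> 3) & 0x07); /* REX.R extends reg */
        out[n].target = base + i + 7 + (int64_t)disp;
        n++;
    }
    return n;
}

/* Plain byte search; returns the offset of the first match or -1. */
long find_bytes(const uint8_t *hay, size_t hlen, const void *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen) return -1;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return (long)i;
    return -1;
}

/* Offset of the first RIP-relative LEA whose computed target equals `want`, or -1.
 * This is the "find the string, then find the code that loads its address" step. */
long find_lea_referencing(const uint8_t *code, size_t len, uint64_t base, uint64_t want)
{
    lea_hit hits[64];
    size_t n = find_rip_lea(code, len, base, hits, 64);
    for (size_t k = 0; k < n; k++)
        if (hits[k].target == want) return (long)hits[k].offset;
    return -1;
}

/* Constructed sample image (not real browser code): two nops, lea rcx,[rip+0x17]
 * pointing at the marker string at offset 32, a ret, lea rdx,[rip-0x10], padding, string. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,
    0x48, 0x8D, 0x0D, 0x17, 0x00, 0x00, 0x00,   /* offset 2:  lea rcx,[rip+0x17] -> offset 32 */
    0xC3,
    0x48, 0x8D, 0x15, 0xF0, 0xFF, 0xFF, 0xFF,   /* offset 10: lea rdx,[rip-0x10] -> offset 1  */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* offsets 17..31: padding */
    'c','o','n','s','t','r','u','c','t','e','d','_','m','a','r','k','e','r', 0 /* offset 32 */
};
#define SAMPLE_LEN  (sizeof SAMPLE)
#define SAMPLE_BASE 0x140000000ULL   /* hypothetical load address */

int main(void)
{
    long str_off = find_bytes(SAMPLE, SAMPLE_LEN, "constructed_marker", 18);
    long lea_off = find_lea_referencing(SAMPLE, SAMPLE_LEN, SAMPLE_BASE, SAMPLE_BASE + str_off);
    uint64_t dr7 = dr7_enable(0, 0, DR_EXEC, 1);
    printf("marker at +%ld, referenced by LEA at +%ld, DR7 for DR0 exec = 0x%llx\n",
           str_off, lea_off, (unsigned long long)dr7);
    return 0;
}
```

Under a debugger the breakpoint address (here the code site found by the LEA scan, or a spot just after it) would go into DR0 and the returned DR7 value into the thread context; the defender's takeaway is that none of this needs injected code, so detection has to watch for an unexpected debugger attaching to a browser process rather than for foreign modules inside it.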