Elastic Security Labs reports how Google Chrome’s App-Bound Encryption for cookies on Windows prompted infostealer families to evolve, employing techniques like remote debugging, memory reading, and COM-based key decryption to exfiltrate cookie data. The analysis covers STEALC/VIDAR, METASTEALER, PHEMEDRONE, XENOSTEALER, and LUMMA, and provides MITRE mappings, IOCs, and defender guidance. #STEALC #VIDAR #METASTEALER #PHEMEDRONE #XENOSTEALER #LUMMA
Key points
- Google’s Application-Bound Encryption strengthens cookie protection in Chrome on Windows.
- Infostealers have developed bypasses to steal cookies despite the new protection.
- Elastic Security Labs tracked multiple evolving families: STEALC/VIDAR, METASTEALER, PHEMEDRONE, XENOSTEALER, and LUMMA.
- Techniques include ChromeKatz integration, COM interactions, and remote debugging to access cookie data.
- Defenders should monitor for cookie bypass techniques and investigate unusual Chrome-related activity.
- The report offers mitigations, memory signatures, and hunting opportunities to speed detection and response.
MITRE Techniques
- [T1003] Credential Dumping – Infostealers access and extract cookies and authentication tokens from Chrome’s memory. Quote: ‘Procedure: Infostealers access and extract cookies and authentication tokens from Chrome’s memory.’
- [T1055] Process Injection – Malware injects code into Chrome processes to access sensitive data. Quote: ‘Procedure: Malware injects code into Chrome processes to access sensitive data.’
- [T1021] Remote Services – Use of Chrome’s remote debugging feature to extract cookies. Quote: ‘Procedure: Use of Chrome’s remote debugging feature to extract cookies.’
- [T1210] Exploitation of Remote Services – Exploiting Chrome’s debugging interface to retrieve cookie data. Quote: ‘Procedure: Exploiting Chrome’s debugging interface to retrieve cookie data.’
- [T1022] Data Encrypted – Infostealers work around encrypted cookie data using various techniques. Quote: ‘Procedure: Infostealers work around encrypted cookie data using various techniques.’
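The report itself relies on memory signatures and hunting queries; as an added illustration (not Elastic's code or rules) of the process-level telemetry a defender can use against the three bypass patterns summarised above (a browser launched with remote debugging by a non-browser parent, a foreign process reading browser memory, and a non-browser process opening the Chrome cookie database), the script below runs simple heuristics over constructed, Sysmon-like events. The event shape, field names and the rule names are assumptions for this example; the sample image name num.exe is taken from the IOC list on this page.

```python
"""Hunting heuristics for the Chrome cookie-bypass patterns described above.

The events below are CONSTRUCTED samples in a simplified, Sysmon-like shape.
Field names (kind, image, parent_image, command_line, source_image,
target_image, granted_access, path) are assumptions for this example, not
Elastic's or Sysmon's actual schema.
"""
import re
from typing import Dict, List, Tuple

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
PROCESS_VM_READ = 0x0010  # Win32 access right needed to read another process's memory
# Chrome's DevTools remote-debugging switches (real flags; abused for cookie extraction).
DEBUG_FLAG = re.compile(r"--remote-debugging-(port|pipe)", re.IGNORECASE)
# Chrome profile cookie store: "User Data\<Profile>\Network\Cookies" (older builds omit "Network").
COOKIE_DB = re.compile(r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict) -> List[Tuple[str, str]]:
    """Return (rule_name, offending_image) pairs for one event."""
    hits: List[Tuple[str, str]] = []
    kind = event["kind"]
    if kind == "process_create":
        image = basename(event["image"])
        parent = basename(event.get("parent_image", ""))
        # A browser started with remote debugging by something that is not a browser.
        if image in BROWSERS and parent not in BROWSERS \
                and DEBUG_FLAG.search(event.get("command_line", "")):
            hits.append(("browser_remote_debugging", parent))
    elif kind == "process_access":
        src, tgt = basename(event["source_image"]), basename(event["target_image"])
        # A non-browser process obtaining read access to a browser's memory.
        if tgt in BROWSERS and src not in BROWSERS \
                and event["granted_access"] & PROCESS_VM_READ:
            hits.append(("browser_memory_read", src))
    elif kind == "file_open":
        image = basename(event["image"])
        # A non-browser process opening the cookie database directly.
        if image not in BROWSERS and COOKIE_DB.search(event["path"]):
            hits.append(("cookie_db_access", image))
    return hits


def hunt(events: List[Dict]) -> List[Tuple[str, str]]:
    """Run every heuristic over a batch of events."""
    return [hit for ev in events for hit in evaluate(ev)]


# Constructed sample telemetry: one benign and one suspicious event per pattern.
COOKIE_PATH = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
SAMPLE_EVENTS = [
    {"kind": "process_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "chrome.exe"},
    {"kind": "process_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\num.exe",
     "command_line": "chrome.exe --remote-debugging-port=9222"},
    {"kind": "process_access", "source_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "granted_access": 0x1410},
    {"kind": "process_access", "source_image": r"C:\Users\alice\AppData\Local\Temp\num.exe",
     "target_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "granted_access": 0x1410},
    {"kind": "file_open", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "path": COOKIE_PATH},
    {"kind": "file_open", "image": r"C:\Users\alice\AppData\Local\Temp\num.exe", "path": COOKIE_PATH},
]

if __name__ == "__main__":
    for rule, image in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

In production these rules need an allow-list (backup agents, EDR sensors and developer tooling will legitimately trip the memory-read and remote-debugging checks), and the cookie-database rule only works on telemetry that records file opens, which default Sysmon does not; the value of the example is the shape of the logic, not the thresholds.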
Indicators of Compromise
- [SHA-256] Cookie data observed in Chrome-related infostealer activity – 27e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d, 08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37, and 3 more hashes
- [File name] Chrome-related binaries – num.exe, HardCoreCrack.exe, and 3 more (including Ranginess.exe and XenoStealer.exe)
Read more: https://www.elastic.co/security-labs/katz-and-mouse-game