Despite enthusiast media sources celebrating Google’s attempts to route hacking groups in last month’s updates to the Chrome browser, new posts on infostealer forums seem to show that malware peddlers are now keeping up with the tech giant’s latest encryption updates with minimal issue.
Early last month, Google released Chrome 80, which added the AES-256 encryption algorithm to the browser in an attempt to prevent hackers from stealing user credentials. Prior to this, the browser had simply used the data protection API built into Windows to protect sensitive user data. AES-256 was meant to combine that data protection API with the AES standard to make information more secure, but even with a minor hacker panic shortly after release, it seems that the added security isn’t panning out quite as the tech giant had hoped.
"With M80, we made changes that will allow us to isolate Chrome’s network stack into its own robustly sandboxed process," Google explained to tech publication BleepingComputer when Chrome 80 launched. "As part of those changes, we changed the algorithm for encrypted passwords/cookies and changed the storage mechanisms, which also disrupted the tooling that data thieves currently rely on."
This quickly lead to declarations that Google had "crippled” cybercrime hubs like the Genesis Store, a black market for stolen browser data that gathered “90% of all stolen credentials” through the Any.Run top ten threat AZORult malware, which had been abandoned by its original author in 2018 and wasn’t supposed to work with Chrome 80.
However, a month later, BleepingComputer is revealing in a recent exposé that not only are old infostealer standards like Raccoon and KPot infostealer now posting updates to make their tools compatible with Chrome 80, but the new encryption algorithm seems to have given new tools an opportunity to market themselves as “Chrome 80 compatible.”
Four days after Chrome 80’s rollout, for instance, KPot infostealer posted that they had "already figured out the algorithm," and in a subsequent post later that day, released an update to their malware to make it Chrome 80 compatible, with the only noticeable effect on hackers being a price increase to $90. Similarly, Raccoon pushed an update that added Chrome 80 support to all new builds.
Meanwhile, cyber intelligence company KELA has recently uncovered a new tool, Redline, on Russian cybercrime forums. "It’s important to note that Redline is very new," KELAproduct manager Raveed Laeb told BleepingComputer. "[It was] offered for sale only after the new Chrome update." However, despite not having much reputation, Redline promotes this as a positive on its forum post, citing its newcomer status as proof that it is up-to-date with “All browsers based on Chromium.”
Even AZORult, despite being left for dead by its author, is now getting community updates to make it thieving ready, threatening to bring the hacking giant back into the spotlight. With update 3.3.1 being the final official update for the Malware, many considered it dead upon Chrome 80’s rollout, but offshoot tools like AZORult++, which first hit the scene in May of last year, are now releasing new updates that promise Chrome 80 compatibility. While the sources behind these tools remain unvetted and thus might keep hackers away for fear of being hacked themselves, they still have the potential to appear in smaller campaigns.
All of which goes to show that despite promises from big developers, hackers will always find a way to pose a threat. Even with updates like Chrome 80, users are advised to maintain as diligent as ever in protecting their sensitive data.
i tried to look into this more but so far not really found any technical explanation of how it's working.
i emailed a guy i know to see what he has to say if he can. he works pretty high up in the dod cyber defense world. he'll point me in the right direction if he can.