Full Report
Cyble researchers have discovered a sophisticated malware attack that uses dual injection techniques to bypass Google Chrome’s App-Bound Encryption. Chrome App-Bound Encryption was introduced last year to protect cookies from infostealer malware, so attacks that bypass that protection could potentially access user accounts and other sensitive information.

In a blog post this week, Cyble researchers detailed the sophisticated attack, which hides a malicious LNK file in a ZIP file – disguised as a PDF – and also makes a malicious XML project look like a PNG to trick users into opening it.

“This attack leverages fileless execution, scheduled task persistence, and Telegram-based communication to evade detection while stealing sensitive data,” the researchers wrote. “By exploiting MSBuild.exe and using a double injection technique, the malware executes directly in memory, making it harder to detect. Its ability to bypass Chrome’s Application-Bound Encryption and extract credentials further strengthens its impact.”

Sophisticated Chrome App-Bound Encryption Bypass Detailed

The Cyble researchers said the file names suggest that the malware is “likely targeting organizations in Vietnam, particularly in the Telemarketing or Sales sectors.” It’s not clear how the malware was initially delivered.

The researchers provided an in-depth analysis of the infection chain, which includes an LNK file that creates a scheduled task that runs every 15 minutes, using Microsoft Build Engine to deploy malicious C# code. The shortcut file copies an XML project file to the Temp directory and initiates a command to create the scheduled task, which launches MSBuild.exe to execute embedded C# code from the XML file.

“The malicious code operates within the MSBuild.exe process, deploying different components based on the system’s architecture,” the researchers wrote.
The double injection technique used by the malware — Process Injection and Reflective DLL Injection — allows it "to stealthily execute malicious code in memory without leaving traces on the disk, making it harder for traditional security solutions to detect."

Telegram Web API Used for Command and Control

The malware uses the Telegram Web API to establish command and control communications with the threat actor (TA), and the malware “enables the TA to change the Telegram bot ID and chat ID as required, offering flexibility in controlling their communication channels.”

“The use of Telegram Web API for exfiltration and dynamic bot ID switching ensures continued control over infected systems,” the researchers said.

The threat actor can use that connection to issue a range of commands, such as bypassing Chrome App-Bound Encryption to steal an encryption key, deploying a custom info stealer, and exfiltrating sensitive user data from the Chrome browser, including cookies and login data.

To prevent falling victim to such attacks, Cyble recommended that organizations engage in user training, implement strict email attachment filtering and application whitelisting, and limit file execution paths and extensions, among other defensive steps.

The full Cyble blog includes in-depth analysis of the infection chain, communications and exfiltration, Indicators of Compromise (IoCs), and MITRE ATT&CK Techniques.
Analysis Summary
# Tool/Technique: Dual Injection Malware Bypassing Chrome App-Bound Encryption
## Overview
This entry describes a malware strain that uses a dual injection technique (Process Injection and Reflective DLL Injection) to stealthily execute malicious code within the `MSBuild.exe` process. The primary goal of this malware is to bypass Google Chrome's App-Bound Encryption mechanism to steal sensitive user data, including encryption keys, cookies, and login information.
## Technical Details
- Type: Malware
- Platform: Windows (implied by use of `MSBuild.exe`)
- Capabilities: Bypassing Chrome encryption, information stealing, C2 communication via Telegram API.
- First Seen: Information not specified in the text.
## MITRE ATT&CK Mapping
The techniques described primarily fall under Execution and Defense Evasion.
- **TA0002 - Execution**
  - T1055 - Process Injection
- **TA0005 - Defense Evasion**
  - T1055.001 - Process Injection: Dynamic-link Library Injection (Reflective DLL Injection is a form of DLL Injection)

*Note: The combination of these techniques points to fileless, in-memory execution intended to evade disk-based detection.*
## Functionality
### Core Capabilities
- **Bypass Chrome App-Bound Encryption:** Steal the Chrome encryption key used to protect sensitive user data.
- **Information Stealing:** Deploy a custom infostealer to gather sensitive data from the Chrome browser, including cookies and login credentials.
- **Data Exfiltration:** Exfiltrate stolen sensitive user data.
### Advanced Features
- **Dual Injection Technique:** Utilizes both **Process Injection** and **Reflective DLL Injection** executed within the context of `MSBuild.exe` to achieve stealthy, in-memory execution.
- **Dynamic C2 via Telegram:** Employs the **Telegram Web API** for command and control communications.
- **Dynamic C2 Switching:** The threat actor can dynamically change the Telegram bot ID and chat ID to maintain flexible and persistent control over infected systems.
## Indicators of Compromise
- File Hashes: [Not available in the provided text]
- File Names: [Not specified, but execution occurs via `MSBuild.exe`]
- Registry Keys: [Not available in the provided text]
- Network Indicators: Command and Control occurs over the Telegram Web API. No specific external C2 domains/IPs are provided (defanging not strictly necessary as the C2 is a legitimate service being abused).
- Behavioral Indicators: Execution of shellcode or a malicious DLL within the memory space of `MSBuild.exe`.
## Associated Threat Actors
- [Threat Actor (TA) mentioned generally; specific group name not provided in the excerpt.]
## Detection Methods
- **Signature-based detection:** Not specified, but traditional methods are noted as being less effective due to in-memory execution.
- **Behavioral detection:** Detection should focus on anomalous memory injection within legitimate processes like `MSBuild.exe`.
- **YARA rules:** [Not available in the provided text]
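As an added detection example (not code from the Cyble report or this article), the check below turns the reported infection chain, a scheduled task that runs `MSBuild.exe` every 15 minutes against an XML project copied to Temp, into rules run over constructed process-creation events in Sysmon-style fields. The paths, task name and the svchost.exe parent heuristic are assumptions for illustration, not indicators taken from the report.

```python
import re
from typing import Dict, List

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields
# (image, parent image, command line). Paths and task names are invented for
# illustration and are not indicators from the Cyble report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /sc minute /mo 15 /tn Updater /tr '
                r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe '
                r'C:\Users\u\AppData\Local\Temp\report.xml"'},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\report.xml"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
]

MSBUILD = re.compile(r"msbuild\.exe", re.I)
TEMP_PROJECT = re.compile(r"\\(?:AppData\\Local\\)?Temp\\[^\s\"]+\.xml", re.I)
TASK_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create", re.I)
MINUTE_SCHEDULE = re.compile(r"/sc\s+minute\b", re.I)
# Scheduled tasks are launched by the Task Scheduler service, hosted in svchost.exe.
TASK_HOST = re.compile(r"\\svchost\.exe$", re.I)


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons (if any) an event matches the reported infection chain."""
    findings = []
    cmd = ev["cmdline"]
    # Stage 1: schtasks registering a task whose action is MSBuild.exe on a Temp project.
    if TASK_CREATE.search(cmd) and MSBUILD.search(cmd) and TEMP_PROJECT.search(cmd):
        findings.append("task creation runs MSBuild.exe on an XML project in Temp")
        if MINUTE_SCHEDULE.search(cmd):
            findings.append("task repeats on a minute schedule (report: every 15 minutes)")
    # Stage 2: MSBuild.exe itself started with a project file from Temp.
    if MSBUILD.search(ev["image"]) and TEMP_PROJECT.search(cmd):
        findings.append("MSBuild.exe compiling a project file from Temp")
    # A build tool launched by the Task Scheduler host rather than an IDE or shell.
    if MSBUILD.search(ev["image"]) and TASK_HOST.search(ev["parent"]):
        findings.append("MSBuild.exe spawned by the Task Scheduler service host")
    return findings


def triage(events: List[Dict[str, str]]) -> List[tuple]:
    scored = [(i, classify_event(e)) for i, e in enumerate(events)]
    return [(i, f) for i, f in scored if f]
```

The legitimate Visual Studio build in the third event produces no findings, while the two stages of the reported chain each match two rules.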
## Mitigation Strategies
- User training.
- Implement strict email attachment filtering.
- Implement application whitelisting.
- Limit file execution paths and extensions.
## Related Tools/Techniques
- Process Injection (T1055)
- Reflective DLL Injection (a form of T1055.001)
- Living Off The Land Binaries (LOLBins), specifically the use of `MSBuild.exe` for execution.