VoidStealer: Debugging Chrome to Steal Its Secrets

Description

VoidStealer is an emerging infostealer that employs a novel debugger-based Application-Bound Encryption (ABE) bypass technique. This method leverages hardware breakpoints to extract the v20_master_key directly from browser memory, requiring neither privilege escalation nor code injection. The technique involves attaching to the browser process as a debugger, setting breakpoints at strategic locations, and extracting the key when it's briefly present in plaintext. This approach offers a lower detection footprint compared to alternative bypass methods. The blog post dissects the technique step-by-step, from locating the target address for breakpoint placement to extracting the key. It also provides detection strategies for defenders, focusing on monitoring debugger attachments and suspicious browser memory reads.