Even the infostealer AZORult has received patches that make it compatible with Chrome 80.
Before Chrome 80
Raveed Laeb, an executive at the company KELA, said that Chrome still relies on this method but has introduced an additional layer of encryption.
The data is first encrypted with AES-256, and the AES key is itself encrypted with DPAPI's CryptProtectData. To reverse the process, the AES-256 key is recovered with the CryptUnprotectData function and then used to decrypt the data.
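The two-layer scheme described above, as an added example that is not Chrome's code: a random AES-256 key is wrapped by a DPAPI-style call that is bound to the user context, and each password is encrypted with AES-256-GCM under that key. DPAPI itself is Windows-only, so `dpapiContext`, `protectData` and `unprotectData` are a simulation (an AES-GCM wrapper keyed from a placeholder per-user secret) standing in for CryptProtectData and CryptUnprotectData; the `profile` struct, the `userSecret` values and the passwords are constructed for the example, and Chrome's real on-disk file layout is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// dpapiContext simulates the Windows user context that DPAPI binds blobs to.
// userSecret is a constructed stand-in for the per-user master key that the
// real CryptProtectData derives from the logon credential.
type dpapiContext struct{ userSecret []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aesGCMSeal encrypts with AES-256-GCM and returns nonce||ciphertext||tag.
func aesGCMSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aesGCMOpen reverses aesGCMSeal; the GCM tag rejects tampered blobs.
func aesGCMOpen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// protectData simulates CryptProtectData: the blob is bound to the calling
// user's secret, so only code running as that user can unprotect it.
func (c dpapiContext) protectData(data []byte) ([]byte, error) {
	k := sha256.Sum256(c.userSecret)
	return aesGCMSeal(k[:], data)
}

// unprotectData simulates CryptUnprotectData.
func (c dpapiContext) unprotectData(blob []byte) ([]byte, error) {
	k := sha256.Sum256(c.userSecret)
	out, err := aesGCMOpen(k[:], blob)
	if err != nil {
		return nil, errors.New("unprotect failed: wrong user context or tampered blob")
	}
	return out, nil
}

// profile is a constructed model of what the Chrome 80 scheme leaves on disk:
// one DPAPI-protected AES-256 key plus each password encrypted under that key.
type profile struct {
	wrappedKey []byte
	entries    [][]byte
}

// newProfile generates a fresh random AES-256 key, wraps it for the user,
// and encrypts every password under the unwrapped key.
func newProfile(ctx dpapiContext, passwords []string) (*profile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := ctx.protectData(key)
	if err != nil {
		return nil, err
	}
	p := &profile{wrappedKey: wrapped}
	for _, pw := range passwords {
		ct, err := aesGCMSeal(key, []byte(pw))
		if err != nil {
			return nil, err
		}
		p.entries = append(p.entries, ct)
	}
	return p, nil
}

// readPasswords reverses the scheme the way the browser itself does: unwrap
// the key via the user context, then decrypt each entry. Nothing beyond that
// context is required, which is why the extra layer does not stop code that
// already runs as the logged-in user.
func readPasswords(ctx dpapiContext, p *profile) ([]string, error) {
	key, err := ctx.unprotectData(p.wrappedKey)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, ct := range p.entries {
		pt, err := aesGCMOpen(key, ct)
		if err != nil {
			return nil, err
		}
		out = append(out, string(pt))
	}
	return out, nil
}

func main() {
	alice := dpapiContext{userSecret: []byte("alice-logon-secret")} // constructed
	p, err := newProfile(alice, []string{"hunter2", "correct-horse-battery"})
	if err != nil {
		panic(err)
	}
	same, err := readPasswords(alice, p)
	fmt.Println("same user context:", same, err)
	_, err = readPasswords(dpapiContext{userSecret: []byte("other-user")}, p)
	fmt.Println("different user context:", err)
}
```

The model makes the threat-model point concrete: the wrapped key blocks access from a different user context (and the GCM tag blocks tampering), but it introduces no secret that the logged-in user's own processes lack. Whether a design like this protects stored credentials therefore depends entirely on whether an attacker can run code in the user's DPAPI context; on an endpoint where an infostealer already executes as that user, the layer raises engineering effort rather than removing the capability, which is the gap the rest of the article describes.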
Google explained why it made this change, which limited infostealers for a while:
“We've made some changes that will allow us to isolate Chrome's network stack in its own sandboxed process. As part of these changes we have changed our password / cookies encryption algorithm and storage mechanisms”.
The new method is not very effective
The addition of AES encryption to the Chrome browser initially broke some malware, but not for long.
Shortly after the new Chrome was launched, updates to at least four infostealers were publicly announced, adapted to the new mechanism and able to steal the "protected" information.
Four days after the release of the new Chrome, the creator of the KPot infostealer said it had already produced a malware update that could bypass the encryption. The upgraded tool was immediately put on sale for $90.
The creators of Raccoon, an infostealer that can grab data from nearly 60 applications (including all popular browsers), announced that they too were able to bypass the new Chrome 80 security layer.
Developers of new infostealers also came forward claiming that they can bypass the Chrome 80 encryption. For example, an advertisement for Redline, a new infostealer, was found on a Russian hacking forum.
AZORult is still 'alive'
AZORult was one of the top 10 malware families in 2019. Its original creator abandoned it in December 2018, but other hackers continued to use it.
AZORult++ was first reported in May 2019 and recently released version 3.4.
There are many variants of this infostealer and one of them now seems to be Chrome 80 compatible.
This release was announced in early March. Because the new version comes from an unknown source, it is not widely adopted and is used only in small campaigns.
Chrome 80 tried to block infostealers, but most were able to bypass the encryption and continue working effectively.