Attack Chain

1. The attacker gains initial access to the target system through an unspecified method (e.g., malware distribution, social engineering).
2. The attacker deploys VoidStealer, a custom tool or script designed to interface with Chrome’s debugging API.
3. VoidStealer identifies running Chrome processes and attaches itself as a debugger.
4. The tool leverages the debugging interface to inspect Chrome’s memory space.
5. VoidStealer searches for specific data structures and memory regions known to store credentials, session cookies, and other sensitive information.
6. The attacker extracts the targeted data from Chrome’s memory.
7. Stolen data is exfiltrated to a command-and-control server controlled by the attacker.
8. The attacker uses the stolen credentials and session cookies for account takeover, lateral movement, and potentially data exfiltration from other systems.

Impact

Successful VoidStealer attacks can lead to significant data breaches, account takeovers, and financial losses. Organizations in any sector are at risk, especially those that heavily rely on web-based applications and services. The compromise of user credentials allows attackers to gain unauthorized access to sensitive corporate resources, intellectual property, and customer data. If successful, this can also lead to follow-on attacks, such as ransomware deployment.

Recommendation

• Monitor process creation events for unexpected tools attaching to Chrome processes as debuggers to identify potential VoidStealer activity. Deploy the “Suspicious Chrome Debugging Attachment” Sigma rule to your SIEM.
• Implement strict process whitelisting policies to prevent unauthorized applications from running on endpoints.
• Enable and review Chrome’s built-in security features, such as password protection and safe browsing, to mitigate the risk of credential theft.
• Educate users about the risks of downloading and executing untrusted software.