Bypassing HitmanPro.Alert Credential-Theft protection
What are Infostealers
Infostealers are malware designed to steal or extract sensitive information from an infected computer.
This sensitive information can include (but is not limited to):
Browser cookies
Saved passwords
Credit cards information
Crypto wallets
Discord Tokens
Understanding Infostealers
Infostealers are designed to extract sensitive information stored on browsers, such as passwords and credit card details.
In Chromium-based browsers, this data is saved on disk and encrypted for security. The encryption utilizes a master key, which is itself encrypted and stored in a file.
The master key itself is encrypted using the CryptProtectData function.
Data Protection API (DPAPI)
The CryptProtectData function is part of the Data Protection API (DPAPI).
Data encrypted with this function can only be decrypted by a user with the same login credentials as the one who encrypted it, and both the encryption and decryption processes typically need to occur on the same computer.
Because of this, infostealers are forced to call this API at runtime.
To access the encrypted data, one can use the CryptUnprotectData function to decrypt the master key, which can then be used to decrypt cookies, passwords, and other stored data.
Infostealer flow
Locate and access the Local State
Local State is a JSON file containing various settings and metadata about the browser, including the master key (in os_crypt.encrypted_key).
Decrypt the master key.
The next step is to base64-decode the master key to bytes, skip the first 5 bytes, and then decrypt the remainder using the CryptUnprotectData function.
Extract cookies and login information.
Saved credentials are stored in a file named Login Data. This file is an SQLite database containing the saved usernames and passwords.
Cookies are saved in a file named Cookies. This is also an SQLite database, containing cookie names and values.
Decrypt the extracted data.
Normally, only sensitive information is encrypted. For example, when it comes to credentials, only the password value is encrypted, and for cookies, only the cookie value itself is encrypted.
If you inspect the BLOB of an encrypted value, newer versions of Chromium prefix it with v10 or v11; for these two formats the decryption is done in two steps. Older versions use only DPAPI to protect the column value.
For v10 and v11 the process is straightforward: we take the encrypted BLOB, remove the first 3 bytes (the prefix), and use the next 12 bytes as the nonce. The encrypted data itself is the rest of the bytes (everything after the first 15).
Next, we decrypt the value with AES-GCM using the decrypted master key and the nonce.
If the BLOB is not v10 or v11, we simply decrypt it using ProtectedData.Unprotect.
Overview of HitmanPro.Alert's Protective Feature
HitmanPro.Alert has a feature that stops credential stealers from dumping cookies and logins from Chromium-based browsers.
To understand what was getting detected, I took the approach of running the malware line by line in the debugger.
When doing this, I saw it was getting detected when I ran this specific line of code here:
ProtectedData.Unprotect is a .NET wrapper for CryptUnprotectData.
One interesting thing is that HitmanPro.Alert knows which browser the master key being decrypted belongs to.
Taking this into account, although I do not know 100% how it works, I can assume it somehow stores the keys for all browsers, or most known browsers, and then blocks the operation if it detects one of these keys being decrypted.
In addition, it keeps track of changes to the Local State file and updates its own values if the master key changes on disk.
Simple Bypass Technique
With all this information, we can now try to bypass this feature.
Initially, we only retrieved the master key from the Local State file and decrypted the credentials using ProtectedData.Unprotect.
To bypass this protection, the following steps were added:
Read and Store the Original Master Key: First, we read the master key from the Local State file.
Generate a Bogus Master Key: We generate a fake (bogus) master key and update the Local State file with this value. This step tricks HitmanPro.Alert into updating its own copy of the master key with the bogus value.
Decrypt the Original Data: Once the bogus key is in place, we proceed to decrypt the original master key using the ProtectedData.Unprotect function.
Restore the Original Master Key: After decrypting the credentials, we replace the bogus key with the original master key in the Local State file.
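A detection-side check for the Local State handling in the infostealer flow above and for the swap-and-restore sequence in these steps, added here as an example that is not code from the original post or from HitmanPro.Alert: it verifies that os_crypt.encrypted_key base64-decodes to a blob carrying the 5-byte "DPAPI" header that the flow skips before CryptUnprotectData (that header string is Chromium's; the snapshot format, the 60-second window and all sample values are constructed for this example), and flags a key that changes and then reverts to its previous value within the window, which is what a file monitor would see during the bypass.

```python
import base64
import json
# All Local State values below are constructed for this example, not taken from a real profile.
DPAPI_PREFIX = b"DPAPI"  # Chromium's 5-byte header on the wrapped key, skipped before CryptUnprotectData

def read_key(local_state_text):
    # os_crypt.encrypted_key from a Local State document, or None if absent/unparseable
    try:
        return json.loads(local_state_text)["os_crypt"]["encrypted_key"]
    except (ValueError, KeyError, TypeError):
        return None

def check_encrypted_key(local_state_text):
    """Return 'ok' (base64, DPAPI-wrapped), 'missing', 'not_base64' or 'no_dpapi_prefix'."""
    key_b64 = read_key(local_state_text)
    if key_b64 is None:
        return "missing"
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "not_base64"
    return "ok" if raw.startswith(DPAPI_PREFIX) else "no_dpapi_prefix"

def detect_key_swap(snapshots, window=60.0):
    """Scan (timestamp_seconds, local_state_text) snapshots, as a file monitor would record
    them, for malformed keys and for a key that changes and then reverts to its previous
    value within `window` seconds (the swap-then-restore sequence)."""
    findings, keys = [], []
    for ts, text in snapshots:
        verdict = check_encrypted_key(text)
        if verdict != "ok":  # a planted key usually lacks the DPAPI header
            findings.append({"type": "malformed_key", "at": ts, "detail": verdict})
        keys.append((ts, read_key(text)))
    for i in range(1, len(keys)):
        ts_i, key_i = keys[i]
        prev_key = keys[i - 1][1]
        if key_i != prev_key:  # key changed at this snapshot
            for ts_j, key_j in keys[i + 1:]:
                if ts_j - ts_i > window:
                    break
                if key_j == prev_key:  # previous value restored shortly after the change
                    findings.append({"type": "key_swap_restore", "changed_at": ts_i, "restored_at": ts_j})
                    break
    return findings

def make_local_state(key_bytes):
    return json.dumps({"os_crypt": {"encrypted_key": base64.b64encode(key_bytes).decode()}})
ORIGINAL = make_local_state(DPAPI_PREFIX + bytes(range(32)))  # constructed, DPAPI-shaped key
BOGUS = make_local_state(b"BOGUS" + bytes(32))               # constructed planted key
SAMPLE_SNAPSHOTS = [(0.0, ORIGINAL), (12.0, BOGUS), (12.5, ORIGINAL)]
```

Running detect_key_swap(SAMPLE_SNAPSHOTS) yields one malformed_key finding for the planted key and one key_swap_restore finding for the change at 12.0 reverted at 12.5.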
Code before:
Code after:
Conclusion
The method to bypass HitmanPro.Alert's "Credential Theft Protection" feature does not rely on exploits or unknown vulnerabilities. Instead, it is a simple tweak.
This was reported to Sophos and accepted in March 2024.