securityonline.info 6/25/2026, 9:01:14 AM · external

Vidar ABE Bypass Technique Steals Browser Keys

Primary Source gendigital.com

Gen Digital researchers have identified a new technique that the Vidar infostealer uses to bypass Application-Bound Encryption (ABE) in web browsers. Vidar extracts the master key from memory and uses it to decrypt sensitive data, targeting user credentials. Rather than interacting directly with the browser's live memory, the malware uses process forking, which gives it a controlled environment that captures a static memory snapshot from which it obtains the browser data.

Vidar uses Asynchronous Procedure Calls (APCs) for decryption, allowing it to steal user data and send it back to the attackers. Key recommendations for defense include monitoring for suspicious browser processes and unusual APC injections.
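One way to act on the browser-process monitoring recommendation, as an added example that is not from the Gen Digital report or this article: flag process-access events in which a different image opens a browser with the `PROCESS_CREATE_PROCESS` right (0x0080), which Windows requires before a process can be used as the parent of a clone. Assumptions: events shaped like Sysmon Event ID 10 (ProcessAccess) records, a hypothetical browser watch list, and constructed sample events; the report's own indicators are not reproduced here.

```python
import ntpath

PROCESS_CREATE_PROCESS = 0x0080  # Windows access right needed to clone from a process handle
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}  # assumed watch list, adjust per estate

# Constructed sample telemetry (Sysmon Event ID 10 field names), not from the report.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1fffff"},   # browser managing its own children
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\setup_x64.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x10c0"},     # includes 0x0080: fork-capable handle
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1000"},     # query-only access
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\setup_x64.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1fffff"},   # target is not a browser
    {"SourceImage": "broken", "TargetImage": "chrome.exe"},  # malformed record
]


def fork_capable_opens(events, allowed_sources=frozenset()):
    """Return events where a foreign image holds a fork-capable browser handle."""
    allowed = {p.lower() for p in allowed_sources}
    hits = []
    for ev in events:
        try:
            access = int(ev["GrantedAccess"], 16)
            src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
        except (KeyError, ValueError, AttributeError):
            continue  # skip records missing fields or with a bad mask
        if ntpath.basename(tgt) not in BROWSERS:
            continue
        # Compare full paths: a same-named binary elsewhere is still foreign.
        if src == tgt or src in allowed:
            continue
        if access & PROCESS_CREATE_PROCESS:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in fork_capable_opens(SAMPLE_EVENTS):
        print(hit["SourceImage"], "->", hit["TargetImage"], hit["GrantedAccess"])
```

Pass the full paths of legitimate tools that need this access as `allowed_sources` so the rule stays quiet on known software.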


Article by CyberSIXT