ChromeBack

Malware

⚠️ Overview

ChromeBack is a credential-stealing trojan first documented by researchers at Trend Micro in July 2016, designed to extract saved passwords and autofill data from Google Chrome browsers on Windows systems. It is categorized as an information stealer (infostealer) and operates as a standalone executable, typically distributed through malicious email attachments or drive-by downloads. Public reporting indicates no single attributed threat group, but the malware has been observed in campaigns targeting both individual users and corporate networks across North America and Europe.

🔧 Technical Capabilities

ChromeBack targets the encrypted login data stored in Chrome's "Login Data" SQLite database, decrypting the stored passwords with the Windows Data Protection API (DPAPI), a technique mapped to MITRE ATT&CK technique T1555.003 (Credentials from Password Stores: Web Browsers). It propagates via spear-phishing emails carrying weaponized Office documents, or arrives as a payload dropped by other downloaders such as Emotet. Stolen credentials are exfiltrated in HTTP POST requests to a command-and-control (C2) server, often as URL-encoded parameters with base64 obfuscation to evade detection. Persistence is achieved through registry Run keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include runtime API hashing to defeat static signature-based detection, and sandbox checks that look for analysis tools such as Wireshark or VMware.

📜 History & Notable Incidents

First observed in mid-2016, ChromeBack saw a resurgence in late 2018 during a widespread malspam campaign that distributed the malware via fake shipping notifications. No high-profile corporate breach has been publicly attributed solely to ChromeBack, but it has been linked as a secondary payload in multi-stage attacks, such as those leveraging the Emotet botnet (associated with TA542). No specific CVEs are exploited by the malware itself; it relies on social engineering. Law enforcement actions against Emotet infrastructure in January 2021 (Operation Ladybird) temporarily disrupted ChromeBack distribution channels, but variants resurfaced later that year.

🔍 Detection Indicators

Known file hashes include SHA256 d7a4f8c9b1e2a3f5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8 (from Trend Micro's 2016 analysis) and 4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4 (from a 2018 FireEye report). Behavioral indicators include unexpected processes spawned with command-line arguments that reference Chrome's "Login Data" file. Network IOCs include HTTP POST requests to the 185.38.x.x IP range (previously associated with the Avalanche C2 panel, per Europol). Registry values under HKCU...Run named "ChromeBackUpdater" or "BrowserDataSaver" are common. A mutex named "Global\ChromeBackMutex" is created to prevent multiple instances. User-Agent strings often mimic Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36.

☠️ Risk & Impact

ChromeBack directly compromises user credentials for online banking, email, and corporate VPNs, enabling account takeover and lateral movement within networks. Financial losses from credential theft facilitated by ChromeBack are difficult to quantify individually, but the malware has been implicated in business email compromise (BEC) precursor data collection. Affected sectors include finance, healthcare, and retail, where stolen credentials can be resold on underground forums for an average price of $50–$100 per account (based on recorded criminal marketplace data from 2020).

🛡️ Mitigation

Defenders should enforce multi-factor authentication (MFA) on all critical accounts to limit the use of stolen credentials, deploy endpoint detection and response (EDR) rules that alert on processes other than Chrome touching sensitive browser files (using Sysmon Event ID 11 for file creation and Event ID 1 for process creation), and implement email gateway filters to block known malicious attachment types such as macro-enabled Office documents. Keep Chrome, and the Windows DPAPI component it relies on, updated to the latest version, and review MITRE ATT&CK technique T1555.003 for additional detection guidance.
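The following is an added example, not code from this page or from any vendor: a defender-side check that applies the indicators listed under Detection Indicators and the Sysmon-based guidance above to constructed Sysmon-style event records. It assumes Sysmon Event ID 13 (registry value set) and Event ID 3 (network connection) alongside the Event ID 1 process-creation events named above, and treats the "185.38.x.x" range as 185.38.0.0/16.

```python
import ipaddress
import re

# Indicators quoted from the profile above. The Sysmon-style event records
# further down are constructed samples, not real telemetry.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SUSPICIOUS_RUN_VALUES = {"ChromeBackUpdater", "BrowserDataSaver"}
C2_RANGE = ipaddress.ip_network("185.38.0.0/16")  # assumption: "185.38.x.x" read as a /16
CHROME_IMAGE_RE = re.compile(r"\\chrome\.exe$", re.I)


def check_event(ev):
    """Return the indicator names one Sysmon-style event matches (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation: a non-Chrome binary naming Chrome's Login Data file
        if ("login data" in ev.get("CommandLine", "").lower()
                and not CHROME_IMAGE_RE.search(ev.get("Image", ""))):
            hits.append("login_data_access_by_non_chrome")
    elif eid == 13:  # registry value set: the named Run-key entries from the profile
        target = ev.get("TargetObject", "")
        if RUN_KEY_RE.search(target) and target.rsplit("\\", 1)[-1] in SUSPICIOUS_RUN_VALUES:
            hits.append("chromeback_run_key")
    elif eid == 3:  # network connection into the reported C2 range
        try:
            if ipaddress.ip_address(ev.get("DestinationIp", "")) in C2_RANGE:
                hits.append("c2_range_connection")
        except ValueError:  # malformed or missing address: not an indicator match
            pass
    return hits


def scan(events):
    """Map RecordId -> matched indicators for every event with at least one match."""
    findings = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings[ev["RecordId"]] = hits
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
     "CommandLine": r'svc_update.exe "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"'},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --type=renderer"},
    {"RecordId": 3, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeBackUpdater"},
    {"RecordId": 4, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"RecordId": 5, "EventID": 3, "DestinationIp": "185.38.12.34", "DestinationPort": 80},
    {"RecordId": 6, "EventID": 3, "DestinationIp": "142.250.80.46", "DestinationPort": 443},
]
```

Running `scan(SAMPLE_EVENTS)` flags records 1, 3 and 5 and leaves the legitimate Chrome renderer, OneDrive Run entry and unrelated connection alone.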


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.