Storm Infostealer Sold as Malware‑as‑a‑Service Bypasses Chrome Encryption, Steals Browser Data and Crypto Wallets
What Happened – Varonis Threat Labs uncovered a new infostealer, dubbed Storm, being offered as a subscription service. The malware can bypass Google Chrome’s built‑in encryption to harvest saved passwords, cookies, and cryptocurrency wallet files, then exfiltrate them to the attacker’s command‑and‑control server.
Why It Matters for TPRM –
- Third‑party software or services that are infected or otherwise compromised by Storm can become a conduit for credential theft across your supply chain.
- The ability to steal crypto wallet keys expands financial loss potential beyond traditional credential exposure.
- As a “malware‑as‑a‑service” offering, Storm can be repurposed by multiple threat actors, increasing the likelihood of repeat attacks on the same vendor ecosystem.
Who Is Affected – Organizations that rely on Chrome‑based browsers, desktop applications storing credentials, or crypto‑related services across any industry, especially fintech, SaaS, and retail.
Recommended Actions –
- Review any third‑party tools that embed browser automation or credential storage for exposure to Storm.
- Deploy endpoint detection and response (EDR) rules that flag Chrome profile file tampering and known Storm IOCs.
- Enforce multi‑factor authentication (MFA) and least‑privilege access for accounts that could be compromised via stolen credentials.
- Ensure Chrome and all browsers are kept up‑to‑date; consider hardening local profile encryption settings.
Technical Notes – Storm operates as a downloadable payload from a subscription portal, uses a custom decryption routine to read Chrome’s Login Data SQLite DB, extracts crypto wallet files (e.g., MetaMask, Exodus), and sends the data over HTTPS to attacker‑controlled endpoints. No public CVE is associated; the technique exploits Chrome’s default encryption implementation.
Source: HackRead
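As an added illustration of the EDR recommendation above (not code from the original brief or from Varonis), the rule below flags any process other than the browser or wallet application itself that reads the artefacts the Technical Notes describe: Chrome's Login Data and Cookies databases, extension storage (where browser wallets such as MetaMask keep their data), and the Exodus wallet directory. The JSON-lines event shape, the allowlisted process names and the sample telemetry are all constructed assumptions; real EDR feeds differ and the allowlist must be tuned per environment.

```python
"""Flag non-allowlisted processes reading Chrome credential stores or crypto wallet files.
Event format is a constructed JSON-lines feed (assumption); real EDR telemetry differs."""
import json
import ntpath
from dataclasses import dataclass

# Processes expected to touch these files; tune per environment (assumption).
ALLOWED_IMAGES = {"chrome.exe", "exodus.exe"}

@dataclass
class Alert:
    host: str
    image: str
    target: str

def is_sensitive(target: str) -> bool:
    """True for Chrome Login Data / Cookies / extension storage or an Exodus wallet dir."""
    t = target.lower().replace("/", "\\")
    if "\\google\\chrome\\user data\\" in t:  # any profile, not only Default
        return t.endswith(("\\login data", "\\cookies")) or "\\local extension settings\\" in t
    return "\\exodus\\exodus.wallet" in t

def parse_events(jsonl: str) -> list:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]

def evaluate(events) -> list:
    """Return one Alert per file read of a sensitive path by a non-allowlisted image."""
    alerts = []
    for ev in events:
        if ev.get("event") != "file_read":
            continue
        image = ntpath.basename(ev["image"]).lower()
        if is_sensitive(ev["target"]) and image not in ALLOWED_IMAGES:
            alerts.append(Alert(ev["host"], image, ev["target"]))
    return alerts

# Constructed sample telemetry: two benign reads, two that should fire, one unrelated.
SAMPLE_EVENTS = r"""
{"host":"WS01","event":"file_read","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","target":"C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host":"WS01","event":"file_read","image":"C:\\Users\\a\\AppData\\Local\\Temp\\updater.exe","target":"C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host":"WS01","event":"file_read","image":"C:\\Users\\a\\AppData\\Local\\Temp\\updater.exe","target":"C:\\Users\\a\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco"}
{"host":"WS01","event":"file_read","image":"C:\\Windows\\explorer.exe","target":"C:\\Users\\a\\Documents\\notes.txt"}
{"host":"WS01","event":"file_read","image":"C:\\Users\\a\\AppData\\Local\\exodus\\app-1.0\\Exodus.exe","target":"C:\\Users\\a\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco"}
"""

if __name__ == "__main__":
    for a in evaluate(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {a.host}: {a.image} read {a.target}")
```

Stealers commonly copy the locked database to a temp location before reading it, so pairing this rule with a file-create alert on copies of Login Data outside the profile directory closes an obvious gap.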