u/Nzkx

Do you think it's possible to avoid session and cookie stealing?

I downloaded a cracked game on d*di-repack some days ago, and got pwned by a stealer.

I have more than 80 accounts with unique passwords stored in the Chrome Password Manager. I also use Windows Hello to unlock the Chrome Password Manager.

I have the latest Windows Defender update and all modern security features enabled (KASLR, IOMMU, stack guard, ...). Windows Defender raised an alarm after the program ran, but not before, so the stealer had already executed. Network permission was also requested.

Chrome is also sandboxed, and with the latest version and Application-Bound Encryption it shouldn't be easy, even if you suspend the process, to do "whatever" you want with it, like code injection.

The thing is, even with unique passwords and 2FA (SMS or Google Authenticator validation on a second device), my Amazon, Discord and Instagram accounts were pwned, and the hacker sent crypto scams to all my contacts and bought Norton Antivirus on Amazon.

To solve this, I did:

  1. A complete Windows 11 reset, without keeping any documents from the previous installation (apart from the Windows.old directory, which I deleted).
  2. I changed the unique passwords of all 80 accounts, every one of them. I also kicked all devices that were previously connected to those accounts.
  3. I set up 2FA everywhere (it was missing on Discord and Instagram).

I know that a user-mode program can still do a lot when it comes to process memory injection and the filesystem, so I should avoid running random programs without a container/sandbox/VM with custom permissions, to ensure a program can never interact with something it isn't supposed to.

My questions:

- Do we have per-desktop-app sandboxing on Windows 11? Spinning up a fresh VM every single time you want to run a desktop app is heavy and bloated, so I expect a lighter solution.

- What can I do better? If a stealer runs code on my machine, how can I ensure it cannot steal sessions and cookies? I know that some desktop apps like Discord save the session into a file, which is trivial to copy for session stealing. Once you steal a session, you don't need any password or 2FA verification, since you are already logged in.

- Some web applications don't support 2FA, nor kicking logged-in devices. Changing the password may invalidate all active sessions, but who knows. Can't we have a physical

- I disabled cookies in the Chrome browser, but even with that setting I stay logged in when I close the browser. Can't we have something built in, like the Tor security settings, to ensure cookies are deleted when the browser closes? Without such a feature, the browser is a prime target for cookie and session stealing.

For reverse engineering purposes, if you want to run the malware that stole my data, it's here: https://file138427.cloud05y.cfd/ downloadable in zip format (be careful not to execute the setup, don't run it on your computer, use a virtual machine or a sandbox to do the analysis).

Edit: it seems the malware website is already down. But not really: they generate a unique link every single time you download a game, so that you can't inspect the website. On d*di-repack, when you download the game, it redirects to https://go.zovo.ink/venNqJlW; then, when you click the download button a single time, you'll be redirected to a unique instance of the malware website. The malware website always has a "cloud" domain. Click 3 times and you are redirected to the correct game download page. This is the trick they use to spread their malware.

Note: I also downloaded a cracked IDA from Tor some months ago, and a taxi game on f*tgirl, but I would be extremely surprised if this came from there. Or from my old Android mobile phone (where I install only Play Store apps).

reddit.com
u/Nzkx — 1 day ago
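As an added example, not from the poster: the lightweight option on Windows 11 for running an untrusted installer without a full hand-built VM is Windows Sandbox, a disposable VM that ships with Windows 11 Pro/Enterprise and is discarded on close. The host's Chrome and Discord profiles are not visible inside it, so a stealer run there has no host cookie or session files to copy, and with networking disabled it also cannot phone home. The script below writes a `.wsb` profile and launches it; the drop folder path `C:\Untrusted\drop` is an assumption, and the feature check needs an elevated shell.

```powershell
# Added example: launch an untrusted setup inside Windows Sandbox with
# no network, no clipboard sharing and a read-only mapped folder.
# Assumption: the downloaded setup has been copied to C:\Untrusted\drop.
$hostDrop = 'C:\Untrusted\drop'
$wsbPath  = Join-Path $env:TEMP 'untrusted.wsb'

if (-not (Test-Path -Path $hostDrop)) {
    throw "Drop folder $hostDrop does not exist; copy the installer there first"
}

# Windows Sandbox is an optional feature (Pro/Enterprise only); this query
# requires an elevated PowerShell session.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
if ($feature.State -ne 'Enabled') {
    throw 'Windows Sandbox is not enabled. Enable it with: Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM'
}

# Sandbox profile:
#   Networking Disable       - the stealer cannot exfiltrate anything
#   ClipboardRedirection     - nothing copied inside leaks to the host clipboard
#   ProtectedClient Enable   - the sandbox's RDP client runs in an AppContainer
#   MappedFolder ReadOnly    - the sandbox can read the installer but not write back
# Everything the program touches lives in the sandbox's own disk, which is
# thrown away when the window is closed.
$wsb = @"
<Configuration>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostDrop</HostFolder>
      <SandboxFolder>C:\drop</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\drop</Command>
  </LogonCommand>
</Configuration>
"@

Set-Content -Path $wsbPath -Value $wsb -Encoding UTF8
# .wsb files are associated with WindowsSandbox.exe; opening one starts the VM.
Start-Process -FilePath $wsbPath
```

Two caveats a practitioner would want: this isolates the untrusted program from the host, it does not sandbox the host's own apps, so anything you later copy out of the sandbox and run on the host gets full user-mode access again; and if the installer genuinely needs network, re-enabling it in the profile hands a stealer its exfiltration channel back, so keep networking off and treat a program that refuses to run without it as a signal.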

My Samsung C32HG70 is starting to go crazy: I have a blue spot on my screen, which blooms especially on a white background.

Of course, even if I turn the PC off, it is still displayed. So it's a hardware issue. I guess I'll have to replace it :/. Bought in 2018 for 800€. It's still priced at 325€ in 2026 (don't buy it, they don't work properly).

F*** Samsung, really. Not a durable product. I already had weird issues with a capacitor/resistor failure which displays horizontal lines on screen startup for 10 minutes (it happened 2 years after I bought it), and everyone encounters this problem at some point. Being forced to use 60 Hz: anything higher and your screen doesn't have enough power with the capacitor/resistor failure. And now the blue stuff ...

TL;DR: avoid Samsung unless you are willing to buy screens over and over. They may have fixed the issue on newer products since, but I would never try again.

u/Nzkx — 19 days ago