Chrome 80 Drastically Cut Access For Top Malware & Bad Actors


Google released its Chrome 80 update in early February with mostly minor, under-the-hood changes, but one of those changes also severed ties for a fairly significant piece of malware, according to a recent report from ZDNet. The report stems from research conducted by threat intelligence firm KELA.

In Chrome 80, Google altered its algorithm for hashing passwords stored in Chrome’s SQLite database. Specifically, the company switched over to the AES-256 algorithm.

That fundamentally altered the format of saved passwords in Chrome, and it cut off one particularly virulent piece of malware called AZORult in the process. Typically, that wouldn’t present a lasting problem for criminals, since the source code behind a piece of malware can generally be altered to work around such a change.


In the case of AZORult, which has been popular among bad actors and other criminal elements, that can’t be done. The author behind AZORult ceased activity in 2018. When development on the malware strain stopped, the source code eventually became unavailable too. That leaves one less piece of malware for users to worry about, since the Chrome changes cannot be circumvented by AZORult.

There was a deeper impact from Chrome 80 on malware & bad actors

Perhaps more important than the small change outlined above, Google’s Chrome 80 alteration didn’t just impact malware. It also dramatically altered one of the top cybercrime marketplaces online: the dark web Genesis Marketplace.

In short, Genesis is an online market where bad actors can buy ‘digital fingerprints’. The fingerprints make it easy to replicate a user’s online identity.


Parsing that out, those fingerprints are applied with a browser extension and effectively let a malicious entity mimic a user’s online presence. A fingerprint contains credentials, personal data, OS information, and various other virtual images of the victim’s environment. Not even two-factor authentication will always prevent log-ins that use a fingerprint from Genesis.

Genesis Marketplace has largely relied on malware such as AZORult — which works as outlined above. Since Chrome 80 essentially eliminated that threat, Genesis has seen an overall decrease of roughly 35-percent in the credentials it has been able to post for sale. Put more concretely, last year the marketplace was averaging 18,000 new credential sets added to the site on a daily basis. Now it’s seeing right around 600 new entries daily.

In total, since the launch of Chrome 80 earlier this month, the Genesis Marketplace listings have dropped from 335,000 stolen credentials to roughly 200,000-230,000. The current expectation is that Genesis could ultimately be forced to close down if its admins don’t figure out an alternative solution.


The threat isn’t necessarily gone though

Now, the existential threat potentially faced by Genesis Marketplace doesn’t mean that the overall threat it presents is eliminated. Genesis seems to have halted the addition of new fingerprints stolen via AZORult entirely at this point. The expectation is that those who have maintained AZORult since its original author ceased activity on it in 2018 will eventually build out some kind of replacement.

In the interim, other malware that has yet to be identified has contributed to slowing the problem for Genesis, so it may not be out of the running just yet. Other malware families have gone mostly unaffected, since the underlying code for those was not impacted by the Chrome change.

Conversely, other malware-driven marketplaces still exist on the dark web, and those do not appear to have suffered the same issues as Genesis. That’s a problem that isn’t going away just yet, even if Google did manage to severely undercut Genesis Marketplace with its Chrome update. So the search giant recommends that users continue utilizing multi-factor authentication wherever possible.