New "ChronoLeap" Infostealer Bypasses MFA Using System Time Manipulation

"ChronoLeap" Malware Bypasses MFA with Novel Time Desynchronization and Session Cookie Theft Technique

Severity: HIGH
February 23, 2026
Categories: Malware, Phishing, Threat Intelligence

Related Entities

Organizations

Zscaler

Products & Tech

Microsoft 365, Google Workspace, AnyDesk, Slack

Other

ChronoLeap

Full Report

Executive Summary

Researchers at Zscaler have identified a sophisticated new information-stealing malware, ChronoLeap, that employs a novel method to bypass time-based one-time password (TOTP) multi-factor authentication (MFA). The malware is distributed via malicious Google Ads pointing to trojanized installers for popular software. ChronoLeap uses a Browser-in-the-Browser (BitB) attack to present a fake login portal and capture credentials. Its key innovation is manipulating the victim's system clock to desynchronize it from the server, creating a larger window to use a stolen MFA token. This, combined with simultaneous session cookie theft, allows attackers to successfully hijack MFA-protected accounts. The malware is being sold on a Malware-as-a-Service (MaaS) basis, increasing its potential for widespread impact.

Threat Overview

  • Malware: ChronoLeap
  • Type: Information Stealer (Infostealer)
  • Distribution: Malvertising (malicious Google Ads) leading to trojanized software installers (e.g., AnyDesk, Slack).
  • Primary Feature: MFA bypass through system time manipulation and session hijacking.
  • Targeted Services: Cloud services like Microsoft 365 and Google Workspace.
  • Business Model: Malware-as-a-Service (MaaS) on Russian-speaking cybercrime forums.

Technical Analysis

The ChronoLeap attack is a multi-stage process designed to defeat modern authentication controls:

  1. Initial Infection: A user clicks a malicious Google Ad and downloads what they believe is legitimate software. The installer contains the ChronoLeap loader.
  2. Credential Theft (BitB): When the user attempts to log into a service like Microsoft 365, the malware intercepts this and launches a Browser-in-the-Browser (BitB) window. This fake browser window is a pixel-perfect replica of the legitimate login portal, which tricks the user into entering their username and password.
  3. MFA Bypass - Time Manipulation: At the MFA prompt, the malware performs its key action. It programmatically sets the infected system's clock back by several minutes. When the user enters their valid TOTP token, the malware captures it. The time desynchronization extends the window in which the attacker can use the stolen token on their own machine before it expires.
  4. Session Hijacking: Concurrently, ChronoLeap injects itself into the legitimate browser process to steal active session cookies for the targeted service.
  5. Account Takeover: The attacker now possesses the username, password, a recently valid MFA token (with an extended use window), and active session cookies. This combination is often sufficient to establish an authenticated session on the attacker's machine, fully bypassing MFA.

Impact Assessment

ChronoLeap represents a significant evolution in credential theft, as it is specifically designed to defeat a security control (MFA) that many organizations rely on as a primary defense. A successful attack can lead to a full account takeover of critical cloud services. This grants attackers access to sensitive emails, documents, and corporate data, and can be used as a launchpad for further attacks within the organization, such as internal phishing or BEC scams. The MaaS model means that even low-skilled attackers can leverage this sophisticated tool, broadening the threat landscape.

Detection & Response

  • Log Monitoring: Monitor for impossible travel alerts, where a user account logs in from two distant geographic locations in a short time. Also, monitor for logins that are accompanied by system time changes on the endpoint.
  • Endpoint Detection: EDR tools should be configured to alert on processes that modify the system clock (timedate.cpl, w32tm.exe).
  • Browser Anomaly Detection: Monitor for unusual browser behavior, such as a process injecting into a browser to steal cookies.
  • D3FEND: The core of this attack is hard to detect with a single technique. A combination of D3-UGLPA: User Geolocation Logon Pattern Analysis and D3-PA: Process Analysis is required to correlate the suspicious login with the endpoint behavior.
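The two signals above only become a usable detection when they are correlated per user: an endpoint clock change followed shortly by a sign-in, and sign-ins from two countries inside a short window. This added example (not from the report) runs both rules over constructed, already-normalised telemetry; the Windows Security event 4616 ("The system time was changed") is real, the hosts, users, IPs and timestamps are made up.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report), already normalised into dicts:
#   TIME_CHANGES: Windows Security event 4616 records forwarded by EDR/SIEM
#   SIGNINS:      identity-provider sign-in log (Microsoft 365 / Google Workspace style)
TIME_CHANGES = [
    {"ts": "2026-02-23T09:14:02Z", "user": "alice", "host": "WS-0042", "process": "w32tm.exe"},
    {"ts": "2026-02-23T11:00:00Z", "user": "bob",   "host": "WS-0077", "process": "svchost.exe"},
]
SIGNINS = [
    {"ts": "2026-02-23T09:10:30Z", "user": "alice", "ip": "203.0.113.10", "country": "DE"},
    {"ts": "2026-02-23T09:19:45Z", "user": "alice", "ip": "198.51.100.7", "country": "NL"},
    {"ts": "2026-02-23T11:05:00Z", "user": "bob",   "ip": "203.0.113.20", "country": "DE"},
]

TIME_CHANGE_WINDOW = timedelta(minutes=15)  # sign-in this soon after a clock change is suspicious
TRAVEL_WINDOW = timedelta(minutes=30)       # two countries inside this window = impossible travel
TRUSTED_TIME_PROCESSES = {"svchost.exe"}    # W32Time service host; tune to your environment


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(time_changes, signins):
    """Return (rule, user, ...) tuples for sign-ins that match either detection rule."""
    alerts = []
    # Rule 1 input: clock changes not made by the expected time-sync service
    changes = [c for c in time_changes if c["process"].lower() not in TRUSTED_TIME_PROCESSES]
    last_by_user = {}  # most recent sign-in per user, for the travel rule
    for s in sorted(signins, key=lambda x: parse(x["ts"])):
        t = parse(s["ts"])
        for c in changes:
            gap = t - parse(c["ts"])
            # Rule 1: sign-in within the window *after* an untrusted clock change on that user's host
            if c["user"] == s["user"] and timedelta(0) <= gap <= TIME_CHANGE_WINDOW:
                alerts.append(("clock-change-then-signin", s["user"], c["host"], c["process"], s["ip"]))
        prev = last_by_user.get(s["user"])
        # Rule 2: consecutive sign-ins from different countries inside the travel window
        if prev and prev["country"] != s["country"] and t - parse(prev["ts"]) <= TRAVEL_WINDOW:
            alerts.append(("impossible-travel", s["user"], prev["country"], s["country"]))
        last_by_user[s["user"]] = s
    return alerts
```

On the sample data alice trips both rules (w32tm.exe clock change five minutes before a sign-in from a new country), while bob's 4616 from the time service is filtered out and raises nothing.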

Mitigation

  1. Phishing-Resistant MFA: The most effective mitigation is to move away from defeatable MFA methods like TOTP and SMS. Implement strong, phishing-resistant MFA, such as FIDO2/WebAuthn using hardware security keys (e.g., YubiKey).
  2. User Education: Train users to be suspicious of software downloads from sources other than official websites and to recognize the signs of malvertising.
  3. Ad Blockers: Deploy network-level or browser-based ad blockers to reduce the risk of users encountering malicious advertisements.
  4. Application Allowlisting: Use application control to prevent the execution of unauthorized software downloaded from the internet.
  5. Conditional Access Policies: Implement strict conditional access policies that, in addition to MFA, require logins to come from compliant, corporate-managed devices. This can defeat attacks from the attacker's own machine.

Timeline of Events

  • February 23, 2026: This article was published.

MITRE ATT&CK Mitigations

  • The most effective mitigation is to upgrade from TOTP/SMS to phishing-resistant MFA like FIDO2 hardware keys, which are not vulnerable to this type of interception.
  • Educate users about the dangers of malvertising and downloading software from unofficial sources.
  • Use web filtering and ad-blocking technologies to prevent users from being exposed to malicious ads that lead to trojanized software.
  • Implement application allowlisting to prevent unknown and unauthorized executables from running on endpoints.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
