New Glove Stealer Bypass App-Bound Encryption To Steal Data From Browsers


Stealers are designed to be stealthy primarily to avoid detection by AV tools and to remain hidden from the user.

Combination of multiple sophisticated tactics makes the stealers highly adaptable and continuously challenging for cybersecurity defenses. Not only that even threat actors also preferes stealers most due to their sophistications.

SIEM as a Service

A new information-stealing malware, dubbed Glove Stealer, has been discovered in recent phishing campaigns.

This sophisticated malware employs social engineering tactics like ClickFix and FakeCaptcha to trick users into infecting their own devices.

Example ClickFix HTML page being distributed in phishing email attachments (Source – Gen Digital)

Researchers at GenDigital discovered the campaign that typically begins with a phishing email containing an HTML attachment.

When opened, this attachment displays a fake error message, prompting users to copy and execute a malicious script. This script, often disguised as a solution to a non-existent problem, ultimately downloads and installs the Glove Stealer malware.

Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)

Glove Stealer

Glove Stealer, written in .NET, is designed to exfiltrate sensitive data from various sources:

  1. Web browsers (Chrome, Firefox, Edge, Brave, and others)
  2. 280 browser extensions
  3. Over 80 locally installed applications

The malware targets cryptocurrency wallets, 2FA authenticators, password managers, email clients, and other sensitive applications.

One of Glove Stealer’s most notable features is its ability to bypass App-Bound Encryption, a security measure introduced by Google in Chrome 127. The malware achieves this by using an IElevator service, a method recently disclosed by Alexander Hagenah in October 2024.

Besides this, for data exfiltration process it do the following things:-

  1. Terminates browser processes to access data
  2. Parses and stores stolen information in dedicated text files
  3. Collects device fingerprint data
  4. Compresses and encrypts the stolen data using 3DES encryption
  5. Sends the encrypted package to a command and control (C&C) server
Base64 encoded Glove Stealer present on a C&C server (Source – Gen Digital)

While the Glove Stealer employs a supporting module named “zagent.exe” to evade the App-Bound encryption, and this module:-

  1. Is downloaded and executed in Chrome’s Program Files directory
  2. Retrieves the App-Bound encryption key from Chrome’s local state file
  3. Stores the decoded key in a separate file for Glove Stealer to access

The use of this module requires local admin privileges which highlights the sophisticated approach of the malware.

Glove Stealer represents a significant threat to user privacy and security. Its ability to bypass App-Bound encryption and target a wide range of sensitive data sources makes it a formidable adversary.

Users should remain vigilant against phishing attempts and avoid executing unknown scripts or following suspicious instructions, even if they appear to offer solutions to perceived problems.

IoCs

IoCs (Source – Gen Digital)

Analyze Unlimited Phishing & Malware with ANY.RUN For Free - 14 Days Free Trial.



Source link