Glove Stealer Malware Evades Chrome’s App-Bound Encryption to Target Cookies

by | Nov 15, 2024 | News

Glove infostealer malware

Post Views: 15




Join our Patreon Channel and Gain access to 70+ Exclusive Walkthrough Videos.

Patreon
Reading Time: 3 Minutes

Cybersecurity researchers have uncovered a new malware strain named Glove Stealer, capable of bypassing Google Chrome’s App-Bound encryption to exfiltrate browser cookies and sensitive data. Identified by Gen Digital, this malware appears to be in its early development stages, with minimal obfuscation or protection mechanisms.

Phishing Campaigns and Attack Chain

The malware was spotted during an investigation into phishing campaigns that leverage social engineering tactics similar to the ClickFix infection chain. In these campaigns, victims are tricked into installing malware via fake error messages embedded in HTML files attached to phishing emails.

ClickFix attachment sampleClickFix HTML attachment sample (Gen Digital)

Once installed, Glove Stealer is designed to:

  • Extract cookies from Chromium-based browsers (e.g., Chrome, Edge, Brave, Yandex, Opera) and Firefox.
  • Steal cryptocurrency wallets from browser extensions.
  • Exfiltrate 2FA session tokens from popular authenticator apps like Google, Microsoft, and LastPass.
  • Capture password data from tools like KeePass, LastPass, and Bitwarden.
  • Access emails from clients like Thunderbird.
  • Extract sensitive information from 280 browser extensions and 80 locally installed applications, including cryptocurrency wallets, email clients, and password managers.

See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses




Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

Bypassing App-Bound Encryption

Introduced in Chrome 127 (July 2024), App-Bound encryption was meant to bolster cookie security by encrypting them with unique keys. Glove Stealer circumvents this protection using a technique described by researcher Alexander Hagenah, which leverages:

  1. Local Admin Privileges: The malware requires administrative access to operate, which it gains through privilege escalation tactics.
  2. COM-based IElevator Service: Using Chrome’s built-in Windows service, the malware retrieves and decrypts App-Bound encrypted keys.
  3. Module Injection: The malware places a malicious module in Chrome’s Program Files directory to interact with encrypted data.

Although Glove Stealer’s bypass technique is rudimentary and mirrors earlier approaches used by other infostealers, it demonstrates an evolution in attacks against Chrome’s enhanced security measures.

Trending: Essential Skills Every Hacker Should Master




Trending: Blue Team Tool: Ghostport

Broader Implications and Trends

Despite the additional security provided by App-Bound encryption, infostealer malware operations have adapted rapidly, and attacks targeting Google Chrome cookies have increased since July 2024. These campaigns exploit various attack vectors, including:

  • Vulnerable drivers
  • Zero-day vulnerabilities
  • Malvertising
  • Spearphishing
  • Fake fixes for GitHub issues
  • Fraudulent answers on StackOverflow

While Google’s measures have elevated the level of access required for such attacks, the necessity of admin privileges has not significantly deterred cybercriminals.

Trending: New Tool Bypasses Google’s App-Bound Cookie Encryption

Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This