Heimdal

The new Glove Stealer malware can bypass Google Chrome’s Application-Bound (App-Bound) encryption to steal browser cookies.

The threat actors’ attacks relied on social engineering techniques similar to those used in the ClickFix infection chain, in which phony error windows embedded in HTML files attached to phishing emails trick potential victims into installing malware.

According to cybersecurity researchers, the malware is relatively simple, and it contains minimal obfuscation or protection mechanisms, likely indicating that the info-stealer is in its early development stages.

Details About the Malware

This malware is capable of extracting and exfiltrating cookies from Firefox and Chromium-based browsers such as Chrome, Edge, or Opera.

Researchers say it is also capable of stealing cryptocurrency wallets from browser extensions, 2FA session tokens from Google, Microsoft, Aegis, and LastPass authenticator apps, as well as password data and emails from mail clients like Thunderbird.

To steal credentials from Chromium web browsers, Glove Stealer circumvents Google’s App-Bound encryption cookie-theft defenses, which were introduced in Chrome 127 in July.

The bypass technique, which was made public about two weeks ago, harvests and decrypts the required keys using the browser-specific internal COM-based IElevator service.

How Glove Stealer Operates

It is important to note that to operate, the malware first needs to gain local admin privileges.

The malware is distributed via phishing emails containing an HTML attachment that, when clicked, displays fake error messages stating that the content could not be rendered correctly and offering guidance on how the user can allegedly solve the issue.

In reality, the unwary victim is told to copy a malicious script and run it in a Run prompt or terminal. Following the execution of multiple scripts and a PowerShell command, the script ultimately causes the infostealer infection.

After running, Glove Stealer keeps up the original pretext, appearing to search the system for errors. In the background, however, it contacts a command-and-control (C&C) server and starts gathering and exfiltrating data.

To get past the App-Bound protection and exfiltrate cookies from Chromium-based browsers, the malware retrieves an extra module from the C&C, which begins looking for the App-Bound encryption key.
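The copy-and-run step described above leaves a recognisable process lineage on the endpoint. As an added example (not from the article or from the researchers it cites), this Python code walks process-creation events with Sysmon Event ID 1 style field names and flags interpreter chains that start from explorer.exe and end in PowerShell; the interpreter list, the chain rule and every sample event are assumptions constructed for illustration.

```python
import ntpath  # parses Windows paths correctly on any OS
# Assumption: script hosts worth tracking; not a list taken from the article.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def exe(path):
    return ntpath.basename(path).lower()

def find_paste_and_run_chains(events):
    """Return interpreter chains rooted at explorer.exe that end in PowerShell."""
    # events use Sysmon Event ID 1 style keys; PID reuse is ignored here.
    by_pid = {e["ProcessId"]: e for e in events}
    chains = []
    for event in events:
        if exe(event["Image"]) not in POWERSHELL:
            continue
        chain, cur, seen = [event], event, {event["ProcessId"]}
        while True:  # walk up through logged interpreter parents
            parent = by_pid.get(cur["ParentProcessId"])
            if (parent is None or parent["ProcessId"] in seen
                    or exe(parent["Image"]) not in INTERPRETERS):
                break
            chain.append(parent)
            seen.add(parent["ProcessId"])
            cur = parent
        # Two or more interpreters, the first started from the user's shell
        # (Run dialog or a terminal opened from explorer.exe).
        if len(chain) >= 2 and exe(cur["ParentImage"]) == "explorer.exe":
            chains.append(chain[::-1])
    return chains

def ev(pid, ppid, image, parent, cmd):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent, "CommandLine": cmd}

SYS = r"C:\Windows\System32"
PS = SYS + r"\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events, not telemetry from a real infection.
SAMPLE_EVENTS = [
    ev(100, 10, SYS + r"\cmd.exe", r"C:\Windows\explorer.exe", "cmd /c <pasted text>"),
    ev(200, 100, PS, SYS + r"\cmd.exe", "powershell -Command <placeholder>"),
    ev(300, 10, PS, r"C:\Windows\explorer.exe", "powershell"),
    ev(400, 20, SYS + r"\cmd.exe", SYS + r"\services.exe", "cmd /c <job>"),
    ev(500, 400, PS, SYS + r"\cmd.exe", "powershell -File <job>"),
]
if __name__ == "__main__":
    for c in find_paste_and_run_chains(SAMPLE_EVENTS):
        print(" -> ".join(f'{exe(e["Image"])}[{e["ProcessId"]}]' for e in c))
```

Administrators and developers chain shells legitimately, so a hit is a hunting lead to triage against the command line and the user's role rather than a verdict.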


Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
