The newly discovered Glove Stealer malware can allegedly bypass Google Chrome’s App-Bound encryption feature to steal browser cookies.
The malware first surfaced in a recent phishing campaign aimed at a range of individuals. Reports describe the payload as a relatively simple information stealer with no obfuscation and no anti-analysis or self-defence mechanisms. These details regarding the payload indicate that it is still in
The Glove Stealer operators rely on social engineering to deceive and infect prospective targets.
According to the investigation, the operators use social engineering as part of a ClickFix campaign: phishing emails carry HTML attachments that display fake error windows, and the bogus "fix" they present tricks users into installing the malware themselves.
The researchers noted that the malware extracts cookies from Firefox and Chromium-based browsers. It also reportedly steals cryptocurrency wallets from browser extensions, 2FA session tokens from the Google, Microsoft, Aegis and LastPass authenticator apps, password data from Bitwarden, LastPass and KeePass, and emails from mail clients.
More worrying, the malware also attempts to harvest sensitive data from more than 80 locally installed applications and 280 browser extensions, a set that again covers cryptocurrency wallets, 2FA authenticators, password managers and email clients.
The researchers further observed that Glove Stealer bypasses App-Bound encryption, the cookie-theft protection Google introduced in Chrome 127, and so can still steal cookies and other stored credentials from Chromium-based browsers.
To do this, the malware uses a supporting module that retrieves the App-Bound encryption key by calling Chrome's own COM-based IElevator service (the Chrome elevation service, which runs as SYSTEM and is the component Chrome itself relies on to decrypt that key).
The researchers confirmed, however, that the malware can only pull this off after gaining local administrator rights on the infected host: the supporting module has to be placed inside Google Chrome's Program Files directory, because the elevation service checks that its caller runs from Chrome's install location before handing back the key, and writing to that directory requires elevated privileges.
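The requirement just described, that a non-Chrome binary be written into Chrome's install directory before the elevation service can be abused, is a usable detection point. What follows is an added example, not code from the Glove Stealer report and not Chrome's or the researchers' own tooling: a Python check over constructed Sysmon-style FileCreate records that flags executables created under the Chrome Application directory by anything other than Google's own installer running from under Program Files\Google. The record format, the sample paths and process names, and the allow-list of trusted writers are all assumptions to be adapted to a real log source and environment.

```python
import ntpath
import re
from dataclasses import dataclass

# Chrome's install directory. The App-Bound bypass described above depends on
# dropping a helper module here, because Chrome's elevation service only hands
# the decrypted key to a caller running from this location.
CHROME_APP_DIR = r"c:\program files\google\chrome\application"

# Assumption: only Google's own installer/updater binaries, and only when they
# themselves run from under Program Files\Google, legitimately write here.
TRUSTED_WRITERS = {"setup.exe", "googleupdate.exe", "chrome_installer.exe"}
TRUSTED_WRITER_ROOTS = (r"c:\program files\google", r"c:\program files (x86)\google")

# Only executable drops are alerted on; data files under the version folder are too noisy.
EXEC_EXTS = {".exe", ".dll"}

# Constructed record shape, loosely modelled on a Sysmon Event ID 11 (FileCreate)
# event. Real Sysmon EVTX/XML output needs its own parser.
LINE_RE = re.compile(r'^FileCreate pid=(\d+) image="([^"]+)" target="([^"]+)"$')


@dataclass(frozen=True)
class Alert:
    pid: int
    image: str
    target: str


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (ntpath works off-Windows too)."""
    return ntpath.normpath(path).lower()


def _under(path: str, root: str) -> bool:
    """True if path is root itself or lies anywhere beneath it."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def is_trusted_writer(image: str) -> bool:
    """Allow-listed binary name AND located under Google's own directories.

    Checking the name alone is not enough: a dropper renamed to setup.exe in
    %TEMP% must still be flagged.
    """
    name = ntpath.basename(image).lower()
    return name in TRUSTED_WRITERS and any(_under(image, root) for root in TRUSTED_WRITER_ROOTS)


def find_suspicious_drops(lines):
    """Return an Alert for every executable written into Chrome's directory by an untrusted process."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a FileCreate record, or malformed: ignore
        pid, image, target = int(m.group(1)), m.group(2), m.group(3)
        if not _under(target, CHROME_APP_DIR):
            continue
        if ntpath.splitext(target)[1].lower() not in EXEC_EXTS:
            continue
        if is_trusted_writer(image):
            continue
        alerts.append(Alert(pid, image, target))
    return alerts


# Constructed sample log; the paths, PIDs and file names are illustrative only
# and are not indicators from the Glove Stealer report.
SAMPLE_LOG = [
    'FileCreate pid=4120 image="C:\\Program Files\\Google\\Chrome\\Application\\130.0.6723.92\\Installer\\setup.exe" target="C:\\Program Files\\Google\\Chrome\\Application\\130.0.6723.92\\chrome.dll"',
    'FileCreate pid=5588 image="C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe" target="C:\\Program Files\\Google\\Chrome\\Application\\helper.exe"',
    'FileCreate pid=5588 image="C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe" target="C:\\Users\\victim\\AppData\\Local\\Temp\\cookies.txt"',
    'FileCreate pid=6001 image="C:\\Users\\victim\\Downloads\\setup.exe" target="C:\\Program Files\\Google\\Chrome\\Application\\elevate.dll"',
    'ProcessCreate pid=6002 image="C:\\Windows\\explorer.exe"',
]

if __name__ == "__main__":
    for a in find_suspicious_drops(SAMPLE_LOG):
        print(f"ALERT pid={a.pid} {a.image} wrote {a.target}")
```

Run against the constructed log, the check ignores the genuine updater writing chrome.dll from inside the Chrome tree and raises two alerts: the helper dropped from %TEMP%, and the dropper that merely borrowed the setup.exe name while running from Downloads. Any alert here also implies the writing process already held administrator rights, which is the other precondition the researchers describe.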
Glove Stealer is still at an early stage of development, as shown by its reliance on a standard technique that most other information stealers mastered long ago to steal cookies from every Google Chrome version. Even so, security vendors, researchers and organisations should keep an eye on this new threat, since it is already capable for something so early in its development.