CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Glove Stealer Malware Bypasses Chrome’s App-Bound Encryption

The Glove Stealer malware leverages a recently disclosed App-Bound encryption bypass method in attacks.

A newly identified information stealer can bypass the App-Bound Encryption mechanism in Chromium-based browsers, cybersecurity software provider Gen Digital reports.

Written in .NET and dubbed Glove Stealer, the malware targets multiple browsers and extensions to exfiltrate sensitive information such as cookies and credentials, along with data from cryptocurrency wallets, authenticators, password managers, email clients, and other applications.

What makes Glove Stealer stand out from the crowd, however, is its ability to bypass Application-Bound (App-Bound) Encryption, the cookie protection mechanism that was introduced in Chrome 127 to prevent their theft.

The bypass method, which was disclosed roughly two weeks ago, relies on the internal COM-based IElevator service that is unique to each browser to harvest and decrypt the necessary keys.

Chromium browsers such as Edge, Brave, and Chrome itself are susceptible to the bypass, but Glove Stealer targets data stored in other browsers as well, including Opera, Yandex, and CryptoTab.

“Other than stealing private data from browsers, it also tries to exfiltrate sensitive information from a list of 280 browser extensions and more than 80 locally installed applications,” Gen notes.

The information stealer is distributed via phishing emails containing an HTML attachment that, when opened, displays fake error messages claiming that content could not be rendered properly and providing instructions on how the user can allegedly fix the problem.

The unsuspecting victim is instructed to copy a malicious script and execute it in a terminal or Run prompt. The script invokes a PowerShell command, followed by the execution of several scripts, and eventually the infostealer infection.

Advertisement. Scroll to continue reading.

Once executed, Glove Stealer iterates through the initial narrative, claiming to be searching the system for errors. In the background, however, it contacts a command-and-control (C&C) server and begins its data harvesting and exfiltration routine.

To exfiltrate cookies from Chromium-based browsers, the malware fetches an additional module from the C&C, which starts searching for the App-Bound encryption key, to bypass the protection.

To use the module, Glove Stealer first obtains local administrative privileges that allow it to place the module in Chrome’s Program Files directory and bypass the browser’s path validation checks.

Related: ‘SteelFox’ Miner and Information Stealer Bundle Emerges

Related: Latrodectus Malware Increasingly Used by Cybercriminals

Related: Cryptocurrency Stealer Delivered From Official Monero Website

Related: ‘Frebniis’ Malware Hijacks Microsoft IIS Function to Deploy Backdoor

Related: Malware’s Destruction Trajectory and How to Defeat It

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.