A newly identified information stealer can bypass the App-Bound Encryption mechanism in Chromium-based browsers, cybersecurity software provider Gen Digital reports.
Written in .NET and dubbed Glove Stealer, the malware targets multiple browsers and extensions to exfiltrate sensitive information such as cookies and credentials, along with data from cryptocurrency wallets, authenticators, password managers, email clients, and other applications.
What makes Glove Stealer stand out from the crowd, however, is its ability to bypass Application-Bound (App-Bound) Encryption, the cookie protection mechanism that was introduced in Chrome 127 to prevent their theft.
The bypass method, which was disclosed roughly two weeks ago, relies on the internal COM-based IElevator service that is unique to each browser to harvest and decrypt the necessary keys.
Chromium browsers such as Edge, Brave, and Chrome itself are susceptible to the bypass, but Glove Stealer targets data stored in other browsers as well, including Opera, Yandex, and CryptoTab.
“Other than stealing private data from browsers, it also tries to exfiltrate sensitive information from a list of 280 browser extensions and more than 80 locally installed applications,” Gen notes.
The information stealer is distributed via phishing emails containing an HTML attachment that, when opened, displays fake error messages claiming that content could not be rendered properly and providing instructions on how the user can allegedly fix the problem.
The unsuspecting victim is instructed to copy a malicious script and execute it in a terminal or Run prompt. The script invokes a PowerShell command, followed by the execution of several scripts, and eventually the infostealer infection.
Once executed, Glove Stealer iterates through the initial narrative, claiming to be searching the system for errors. In the background, however, it contacts a command-and-control (C&C) server and begins its data harvesting and exfiltration routine.
To exfiltrate cookies from Chromium-based browsers, the malware fetches an additional module from the C&C, which starts searching for the App-Bound encryption key, to bypass the protection.
To use the module, Glove Stealer first obtains local administrative privileges that allow it to place the module in Chrome’s Program Files directory and bypass the browser’s path validation checks.
Related: ‘SteelFox’ Miner and Information Stealer Bundle Emerges
Related: Latrodectus Malware Increasingly Used by Cybercriminals
Related: Cryptocurrency Stealer Delivered From Official Monero Website
Related: ‘Frebniis’ Malware Hijacks Microsoft IIS Function to Deploy Backdoor
Related: Malware’s Destruction Trajectory and How to Defeat It
