The new Glove Stealer malware can collect browser cookies by getting past Google Chrome’s Application-Bound (App-Bound) encryption. This information-stealing virus is “very simple and contains limited obfuscation or protective features,” suggesting that it is most likely still in its early stages of development, according to Gen Digital security researchers who first discovered it when looking into a recent phishing attempt.
During their attacks, the threat actors used social engineering tactics similar to those used in the ClickFix infection chain, where potential victims get tricked into installing malware using fake error windows displayed within HTML files attached to the phishing emails.
Cookies from Firefox and Chromium-based browsers (such as Chrome, Edge, Brave, Yandex, and Opera) can be extracted and exfiltrated by the Glove Stealer.NET virus.
Additionally, it can collect password information from Bitwarden, LastPass, and KeePass, cryptocurrency wallets from browser extensions, 2FA session tokens from Google, Microsoft, Aegis, and LastPass authenticator apps, and emails from mail programs like Thunderbird.
“Other than stealing private data from browsers, it also tries to exfiltrate sensitive information from a list of 280 browser extensions and more than 80 locally installed applications,” said malware researcher Jan Rubín.
“These extensions and applications typically involve cryptocurrency wallets, 2FA authenticators, password managers, email clients and others.”
Glove Stealer bypasses Google’s App-Bound encryption cookie-theft safeguards, which were implemented by Chrome 127 in July, in order to steal credentials from Chromium web browsers. It accomplishes this by employing a supporting module that decrypts and recovers App-Bound encrypted keys using Chrome’s own COM-based IElevator Windows service (running with SYSTEM rights), as outlined by security researcher Alexander Hagenah last month.
To install this module in the Program Files directory of Google Chrome and utilize it to recover encrypted keys, the virus must first obtain local administrator capabilities on the infected PCs.
However, despite its attractive appearance, Glove Stealer is still in its early stages of development since, as researcher g0njxa told BleepingComputer in October, it is a simple technique that most other information thieves have already accomplished to collect cookies from all Google Chrome versions.
Russian Panda, a malware analyst, previously told BleepingComputer that Hagenah’s technique resembles early workarounds used by other viruses following Google’s introduction of Chrome App-Bound encryption.
When Google told BleepingComputer last month that “this code [xaitax’s] requires admin credentials, which shows that we have successfully upped the degree of access required to properly pull off this type of assault,” Unfortunately, the number of active information-stealing malware campaigns has not decreased significantly despite the requirement for administrator access to circumvent App-Bound encryption.
Attacks have only increased since July when Google first implemented App-Bound encryption, targeting potential victims via vulnerable drivers, zero-day vulnerabilities, malvertising, spearphishing, StackOverflow answers, and fake fixes to GitHub issues.
