Pierluigi Paganini November 16, 2024

The Glove Stealer malware exploits a new technique to bypass Chrome’s App-Bound encryption and steal browser cookies.

Glove Stealer is a .NET-based information stealer that targets browser extensions and locally installed software to steal sensitive data. The malware could harvest a huge trove of data from infected systems, including cookies, autofill, cryptocurrency wallets, 2FA authenticators, password managers, and email client information.

Researchers from Gen Digital who discovered the threat, believe it is in its early development phase. Threat actors relies on social engineering tactics like ClickFix and FakeCaptcha to trick users into executing malicious scripts via PowerShell or Run prompts. Gen Digital observed phishing campaigns distributing the Glove Stealer. The malware bypasses Chrome’s App-Bound Encryption by utilizing the IElevator service, a method that was disclosed in October 2024. The info stealer targets data from browsers, 280 browser extensions, and over 80 applications, including cryptocurrency wallets, 2FA authenticators, password managers, and email clients.

The campaign observed by researchers used a phishing message with an HTML file attachment. The HTML page displayed a fake error message claiming that some content could not be accessed properly and provided instructions for resolving the issue. Users were instructed to copy a malicious script to their clipboard, and upon executing it in a terminal or the Run prompt, their systems became infected.

Upon execution, Glove Stealer pretends to search for system errors while secretly contacting a command-and-control (C&C) server to harvest and exfiltrate data. To extract cookies from Chromium-based browsers, it downloads a module from the C&C to bypass App-Bound encryption. This process requires the malware to gain local administrative privileges, enabling it to place the module in Chrome’s Program Files directory and bypass path validation checks.

“In order to use the stolen data from Chrome, Glove Stealer needs to bypass the App-Bound encryption. To do this, it requests the original server once again to retrieve a .NET payload to do the job. 

This payload is a supporting module, which is rather small, and it is dedicated to bypassing the App-Bound encryption using IElevator service.” reads the report published by Gen Digital.

“Named as zagent.exe, this payload is downloaded and Base64-decoded into Chrome’s Program Files directory: %PROGRAMFILES%\Google\Chrome\Application\zagent.exe 

After execution, the module is using a hardcoded “app_bound_encrypted_key”:” string for searching and retrieving the App-Bound encryption key stored in the local state file: %LOCALAPPDATA%\Google\Chrome\User Data\Local State “

Glove Stealer retrieves the App-Bound encryption key, decodes it to Base64, and stores it in a file named chromekey.txt for its own use. It then connects to the C2 server to confirm a successful bypass (ID=4). Since App-Bound encryption enforces path validation, the supporting module must be placed within Chrome’s Program Files directory, requiring Glove Stealer first to obtain local admin privileges.

More information, including IoCs and the lists of locally installed apps and browser extensions, are available on GitHub. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)