Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New Glove Stealer Malware Bypasses Chrome's Cookie Encryption



Security researchers have discovered Glove Stealer, a new information-stealing malware that bypasses Google Chrome's Application-Bound encryption to steal sensitive browser cookies. The threat illustrates how quickly infostealers adapt to new browser defenses and why defenders need to keep watching for them.


  • Glove Stealer is a new information-stealing malware that can bypass Google Chrome's Application-Bound (App-Bound) encryption.
  • The malware operates using social engineering tactics, tricking users into installing malware by downloading fake error windows displayed within HTML files attached to phishing emails.
  • Glove Stealer is capable of extracting and exfiltrating cookies from multiple browsers, including Chrome, Firefox, and Chromium-based browsers.
  • The malware also steals cryptocurrency wallets, 2FA session tokens, password data, and emails from various applications.
  • Glove Stealer uses a supporting module to bypass Chrome's App-Bound encryption cookie-theft defenses introduced by Chrome 127 in July.
  • Although impressive on paper, Glove Stealer is still in its early development stages due to its reliance on an older bypass approach.
  • The fact that attacks have increased since July suggests that information-stealing malware campaigns continue to evolve and adapt despite new security measures.



    The cybersecurity landscape is constantly evolving, with new threats emerging every day. Recently, a new information-stealing malware dubbed "Glove Stealer" has gained attention for its ability to bypass Google Chrome's Application-Bound (App-Bound) encryption, allowing it to steal browser cookies and other sensitive data.

    Gen Digital security researchers were the first to discover this malicious software while investigating a recent phishing campaign. According to the researchers, Glove Stealer is "relatively simple" and contains minimal obfuscation or protection mechanisms, indicating that it's likely in its early development stages.

    The malware operates using social engineering tactics similar to those used in the ClickFix infection chain, where potential victims are tricked into installing malware by downloading fake error windows displayed within HTML files attached to phishing emails. This is an example of how attackers can trick users into falling victim to malware without requiring them to directly download anything from a malicious website.

    Glove Stealer is capable of extracting and exfiltrating cookies from Firefox and Chromium-based browsers, including Chrome, Edge, Brave, Yandex, and Opera. It can also steal cryptocurrency wallets from browser extensions, 2FA session tokens from the Google, Microsoft, Aegis, and LastPass authenticator apps, password data from Bitwarden, LastPass, and KeePass, and emails from mail clients such as Thunderbird.

    In addition to these capabilities, Glove Stealer also attempts to exfiltrate sensitive information from a list of 280 browser extensions and over 80 locally installed applications. These applications typically involve cryptocurrency wallets, 2FA authenticators, password managers, email clients, and others.

    To bypass Chrome's App-Bound encryption cookie-theft defenses introduced by Chrome 127 in July, Glove Stealer uses a supporting module that utilizes Chrome's own COM-based IElevator Windows service (running with SYSTEM privileges) to decrypt and retrieve encrypted keys. However, this requires initial access on the compromised system to place the module in Google Chrome's Program Files directory.
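    The detail above that matters to defenders is the precondition: the bypass only works once the attacker has written a helper module into Chrome's own Program Files directory, a location that on a healthy machine is written to only by Google's installer and updater. The following detector is an added example, not code from the article, from Gen Digital, or from Google; it scans file-creation events in a constructed log format and flags new executable modules dropped into the Chrome install directory by anything other than an allow-listed writer. The log schema, the install path, the allow-list entries, and the sample events are all assumptions made for illustration.

```python
"""Flag unexpected executable modules written into Chrome's install directory.

Added example for the Glove Stealer article; not the malware's code and not a
real EDR schema. Every path and log line below is a constructed assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: default per-machine Chrome install directory on 64-bit Windows.
CHROME_APP_DIR = r"c:\program files\google\chrome\application"

# Assumption: the only processes expected to drop binaries there are Google's
# updater and installer. Illustrative paths; adjust to your environment.
ALLOWED_WRITERS = {
    r"c:\program files (x86)\google\update\googleupdate.exe",
    r"c:\program files\google\chrome\application\setup.exe",
}

# Only newly written executable modules are interesting; a stray text file is noise.
MODULE_EXTENSIONS = (".dll", ".exe")

# Constructed log format (not a real EDR schema):
#   <ts> FileCreate pid=<n> image="<writer path>" target="<written path>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) FileCreate pid=(?P<pid>\d+) '
    r'image="(?P<image>[^"]+)" target="(?P<target>[^"]+)"$'
)


@dataclass(frozen=True)
class FileCreate:
    ts: str
    pid: int
    image: str
    target: str


def normalize(path: str) -> str:
    """Windows paths are case-insensitive and accept either slash; canonicalise
    before comparing so an unusual spelling of the same path is not missed."""
    return path.replace("/", "\\").lower().rstrip("\\")


def parse_line(line: str) -> Optional[FileCreate]:
    """Parse one constructed log line; return None for anything that does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return FileCreate(m["ts"], int(m["pid"]), normalize(m["image"]), normalize(m["target"]))


def is_suspicious(ev: FileCreate) -> bool:
    """True when a non-allow-listed process writes a .dll/.exe under the Chrome directory."""
    in_chrome_dir = ev.target.startswith(CHROME_APP_DIR + "\\")
    is_module = ev.target.endswith(MODULE_EXTENSIONS)
    return in_chrome_dir and is_module and ev.image not in ALLOWED_WRITERS


def scan(lines: Iterable[str]) -> List[FileCreate]:
    """Return the events that should be raised as alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and is_suspicious(ev):
            alerts.append(ev)
    return alerts


# Constructed sample events for a local run; none are from a real incident.
SAMPLE_LOG = [
    # Legitimate updater writing a Chrome version directory: allowed.
    '2024-11-14T15:40:01Z FileCreate pid=812 image="C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe" target="C:\\Program Files\\Google\\Chrome\\Application\\131.0.0.0\\chrome.dll"',
    # PowerShell dropping a DLL next to chrome.exe: alert.
    '2024-11-14T15:41:12Z FileCreate pid=4412 image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" target="C:\\Program Files\\Google\\Chrome\\Application\\helper.dll"',
    # A text file in the same directory: not a module, no alert.
    '2024-11-14T15:41:15Z FileCreate pid=4412 image="C:\\Windows\\System32\\notepad.exe" target="C:\\Program Files\\Google\\Chrome\\Application\\notes.txt"',
    # A DLL written somewhere else entirely: outside scope, no alert.
    '2024-11-14T15:42:30Z FileCreate pid=5001 image="C:\\Windows\\explorer.exe" target="C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"',
    # Forward slashes and odd casing into a version subdirectory: still an alert.
    '2024-11-14T15:43:02Z FileCreate pid=5207 image="C:\\Windows\\System32\\cmd.exe" target="c:/program files/google/chrome/application/131.0.0.0/decrypt.exe"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.ts}] pid {a.pid}: {a.image} wrote {a.target}")
```

    The allow-list is deliberately keyed on the full image path rather than the file name, since a binary named like the updater but running from a user-writable directory is exactly what the check should not trust. In a real deployment the same rule would be expressed in the EDR or Sysmon rule language, with the allow-list maintained against the updater's actual signed paths.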

    Although impressive on paper, this method indicates Glove Stealer is still in its early development stages. This is because most other info stealers have already surpassed this method for stealing cookies from all Google Chrome versions.

    Malware analyst Russian Panda previously stated that Hagenah's method looks similar to early bypass approaches taken by malware after Google first implemented Chrome App-Bound encryption.

    It appears that multiple infostealer malware operations are now capable of bypassing the new security feature, allowing their customers to steal and decrypt Google Chrome cookies. The fact that attacks have increased since July when Google introduced App-Bound encryption suggests that despite this new security measure, information-stealing malware campaigns continue to evolve and adapt.

    Attacks now target potential victims via vulnerable drivers, zero-day vulnerabilities, malvertising, spearphishing, StackOverflow answers, and fake fixes to GitHub issues. The ongoing nature of these threats highlights the importance of staying vigilant against evolving cybersecurity risks.

    In conclusion, Glove Stealer represents a significant threat to Chrome users due to its ability to bypass encryption and steal sensitive data. As with any new malware, awareness is key to preventing infections and protecting personal data from falling into the wrong hands.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/new-glove-infostealer-malware-bypasses-google-chromes-cookie-encryption/


  • Published: Thu Nov 14 15:43:11 2024 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
