Researchers discovered a new malware running active campaigns in the wild, infecting browsers. Identified as Glove, the malware is primarily an information stealer that exfiltrates stored data from web browsers.
Glove Stealer Malware Targets Web Browsers
Security researcher Jan Rubín shared a detailed technical analysis of a newly discovered malware active in the wild. Identified as “Glove,” the malware is predominantly an information stealer that extracts data from web browsers.
Briefly, the attack begins by tricking users into downloading the malware via phishing. The attackers use techniques similar to ClickFix attacks that involve displaying fake error windows within HTML files in phishing emails.
After the victim user clicks on the malicious attachment, the fake error prompt and instructions to fix it appear. Following those instructions tricks the victim into downloading the malware. Once downloaded, the malware executes on the target devices to connect with the attacker’s C&C server and download the Glove stealer.
This payload, the Glove malware, then starts exfiltrating data from web browsers. It primarily targets Chromium-based browsers, but it can also steal data from other browsers, like Mozilla Firefox.
What’s interesting about this stealer is that it typically bypasses the newly implemented security measure in Google Chrome—the App-Bound Encryption. Google implemented this measure in August this year to prevent cookie theft by info stealers. The process involved validating the decryption request for an app’s identity data to prevent malicious requests.
However, Glove bypasses this workaround by employing an additional .NET payload. As stated in the researcher’s post,
This payload is a supporting module, which is rather small, and it is dedicated to bypassing the App-Bound encryption using IElevator service.
https://master.volt-texs[.]online/postovoy/RANDOM_STRING
Named as zagent.exe, this payload is downloaded and Base64-decoded into Chrome’s Program Files directory: %PROGRAMFILES%\Google\Chrome\Application\zagent.exe
After execution, the module is using a hardcoded “app_bound_encrypted_key”:” string for searching and retrieving the App-Bound encryption key stored in the local state file: %LOCALAPPDATA%\Google\Chrome\User Data\Local State
With this workaround, Glove appears to be potent information-stealing malware capable of exfiltrating sensitive data such as passwords and crypto wallets from web browsers.
Thus, once again, the onus of preventing such threats falls on the end-users, who can always avoid such attacks by staying vigilant against unsolicited communications. The more users stay aware of phishing emails and messages, the better they can protect their devices.
Let us know your thoughts in the comments.
