Glove Stealer bypasses Chrome's App-Bound Encryption to steal cookies

Nov. 18, 2024, 5:33 p.m.

Description

Researchers have discovered a new .NET-based information stealer called Glove Stealer that targets browser extensions and local software to steal sensitive data like cookies, passwords, and cryptocurrency wallets. It uses a novel technique to bypass Chrome's App-Bound encryption by exploiting the IElevator service. The malware is distributed through phishing campaigns and requires administrative privileges to place its module in Chrome's Program Files directory. Once executed, it contacts a command-and-control server to exfiltrate harvested data.

External References

https://www.gendigital.com/blog/insights/research/glove-stealer
https://securityaffairs.com/171034/malware/glove-stealer-bypasses-chromes-app-bound-encryption.html
https://otx.alienvault.com/pulse/67380eff4b589d9ae37a68bd
Tags
malware
phishing
information stealer
2024-11-16
chrome
encryption bypass
glove stealer

Date

  • Created: Nov. 16, 2024, 3:18 a.m.
  • Published: Nov. 16, 2024, 3:18 a.m.
  • Modified: Nov. 18, 2024, 5:33 p.m.

Attack Patterns

  • Glove Stealer
  • T1021.001
  • T1132.001
  • T1555.003
  • T1059.001
  • T1567
  • T1012
  • T1087
  • T1056.001
  • T1555
  • T1071.001
  • T1082
  • T1057
  • T1083