Glove Stealer Malware Bypasses Chrome's App-Bound Encryption to Steal Sensitive Data

Cybersecurity researchers at Gen Digital have identified a new and concerning threat: Glove Stealer, an information-stealing malware capable of bypassing Google Chrome’s App-Bound encryption to extract browser cookies. The discovery emerged from an investigation into a recent phishing campaign and reveals a new angle in cyberattacks.

Described as “relatively simple” with “minimal obfuscation or protection mechanisms,” Glove Stealer appears to be in its early stages of development. Despite its basic nature, the malware’s capabilities are significant. It uses social engineering tactics that echo those of the ClickFix infection chain, tricking users into installing malware through deceptive error windows in HTML attachments sent via phishing emails.

Capabilities and Threat Vectors

Glove Stealer is designed to extract and exfiltrate cookies from Firefox and Chromium-based browsers such as Chrome, Edge, Brave, Yandex, and Opera. Beyond cookies, it can steal cryptocurrency wallets from browser extensions, two-factor authentication (2FA) session tokens from popular apps like Google, Microsoft, Aegis, and LastPass, and password data from password managers like Bitwarden, LastPass, and KeePass. Additionally, it can access email data from mail clients, including Thunderbird.

Malware researcher Jan Rubín noted that Glove Stealer can target a broad range of extensions and applications. “Other than stealing private data from browsers, it also tries to exfiltrate sensitive information from a list of 280 browser extensions and more than 80 locally installed applications,” Rubín said, emphasizing that many of these involve cryptocurrency wallets, 2FA authenticators, and email clients.

Bypassing Chrome’s App-Bound Encryption

Google’s App-Bound encryption was introduced in Chrome 127 in July 2024 to enhance cookie security. However, Glove Stealer has been observed bypassing this defense using a method detailed by security researcher Alexander Hagenah. This method involves leveraging Chrome’s COM-based IElevator Windows service, which runs with SYSTEM privileges, to decrypt and retrieve encrypted keys. Notably, Glove Stealer must first gain local admin privileges on a targeted system to execute this technique, placing a supporting module in Chrome’s Program Files directory.
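The one concrete, observable step the article attributes to this bypass is that a supporting module is written into Chrome’s Program Files directory, which is something endpoint telemetry can catch. The following is an added detection example, not code from the article or from Gen Digital: it reads Sysmon-style FileCreate (Event ID 11) records and flags any file written under Chrome’s install directory by a process other than Chrome’s own installer or updater. The log lines are constructed for the example, the install path and the allow-listed writer names (setup.exe, googleupdate.exe) are assumptions that will need tuning per environment, and the basename allow-list is deliberately simple; a production rule would also check the writer’s full path and code signature, since a process name alone is easy to spoof.

```python
"""
Added detection example (not from the original article or from Gen Digital):
flag file creations inside Chrome's install directory by processes other than
the expected installer/updater. Input records are constructed Sysmon-style
FileCreate (Event ID 11) lines in key=value form, not real telemetry.
"""
import re
from typing import Dict, Iterable, List

# Assumption: Chrome's default per-machine install path on 64-bit Windows,
# lower-cased because all comparisons below are case-insensitive.
CHROME_DIR = r"c:\program files\google\chrome\application"

# Assumption: only Chrome's installer and Google's updater legitimately write
# into the install tree. Matching on basename alone is a weak signal; pair it
# with full-path and signature checks in a real rule.
ALLOWED_WRITER_NAMES = {"setup.exe", "googleupdate.exe"}

# key=value pairs; values with spaces (Windows paths) must be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_suspicious(event: Dict[str, str]) -> bool:
    """True for a FileCreate under CHROME_DIR by a non-allow-listed process."""
    if event.get("EventID") != "11":          # only FileCreate records matter here
        return False
    target = event.get("TargetFilename", "").lower()
    if not target.startswith(CHROME_DIR):
        return False
    writer = event.get("Image", "").lower()
    writer_name = writer.rsplit("\\", 1)[-1]  # basename of the writing process
    return writer_name not in ALLOWED_WRITER_NAMES


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events that should be raised as alerts."""
    return [event for event in map(parse_event, lines) if is_suspicious(event)]


# Constructed sample log; the version folder "131.0.0.0" is a placeholder.
SAMPLE_LOG = [
    # Legitimate: Chrome's own installer laying down chrome.dll during an update.
    r'EventID=11 Image="C:\Program Files\Google\Chrome\Application\131.0.0.0\Installer\setup.exe" '
    r'TargetFilename="C:\Program Files\Google\Chrome\Application\131.0.0.0\chrome.dll" User="NT AUTHORITY\SYSTEM"',
    # Legitimate: the updater writing into the install tree.
    r'EventID=11 Image="C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" '
    r'TargetFilename="C:\Program Files\Google\Chrome\Application\new_chrome.exe" User="NT AUTHORITY\SYSTEM"',
    # Suspicious: an interactive shell dropping a DLL into Chrome's directory.
    r'EventID=11 Image="C:\Windows\System32\cmd.exe" '
    r'TargetFilename="C:\Program Files\Google\Chrome\Application\helper.dll" User="CORP\alice"',
    # Not a FileCreate record at all (process creation), so ignored.
    r'EventID=1 Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c whoami" User="CORP\alice"',
    # FileCreate outside the Chrome tree, so ignored.
    r'EventID=11 Image="C:\Windows\System32\cmd.exe" '
    r'TargetFilename="C:\Users\alice\Downloads\notes.txt" User="CORP\alice"',
]


if __name__ == "__main__":
    for event in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: {event['Image']} wrote {event['TargetFilename']} as {event['User']}")
```

Running the block prints a single alert for the helper.dll write; the installer and updater writes, the process-creation record, and the write outside the Chrome tree are all left alone. Because the article notes the technique needs local admin rights, a write like this by a user-launched shell is also a useful signal that an account on the host already holds more privilege than the malware's phishing lure alone would grant.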

Although effective, this method indicates Glove Stealer’s developmental stage. As researcher g0njxa pointed out to BleepingComputer, more advanced info stealers have already surpassed such basic techniques to bypass Chrome’s encryption.

A Growing Threat Landscape

Despite requiring admin privileges, which theoretically raises the bar for attackers, the need for elevated access has not significantly reduced the frequency of information-stealing campaigns. Malware analyst Russian Panda commented that Glove Stealer’s bypass method is reminiscent of earlier approaches seen when Google first introduced App-Bound encryption. Google’s response in October acknowledged this, noting, “This code [xaitax’s] requires admin privileges, which shows that we’ve successfully elevated the amount of access required to successfully pull off this type of attack.”

Unfortunately, these heightened access requirements have not stemmed the tide of malware campaigns. Since the launch of App-Bound encryption, the volume of info-stealer attacks has only increased. The discovery of Glove Stealer highlights the continuous arms race between cybersecurity defenses and threat actors and underscores the importance of vigilance, robust cybersecurity measures, and updated threat awareness for both individuals and organizations.

Managing your cybersecurity with testing for zero-day threats is critical. Contact Risk Cognizance today to bolster your organization’s security posture with an award-winning GRC software platform.
