www.gendigital.com Open in urlscan Pro
2620:1ec:29:1::40  Public Scan

Submitted URL: https://gendigital.com/blog/insights/research/glove-stealer
Effective URL: https://www.gendigital.com/blog/insights/research/glove-stealer
Submission: On November 20 via api from DE — Scanned from US

Form analysis 0 forms found in the DOM

Text Content

Blog

HomeNewsInsightsPeople & Impact

Search
 1. Blog Home
    
 2. Insights
    
 3. Research
    
 4. Glove Stealer: Leveraging IElevator to Bypass App-Bound Encryption & Steal
    Sensitive Data

Research


GLOVE STEALER: LEVERAGING IELEVATOR TO BYPASS APP-BOUND ENCRYPTION & STEAL
SENSITIVE DATA

A .NET malware, bypasses Chrome's App-Bound Encryption, stealing data from
browsers, crypto wallets, 2FA authenticators
Jan Rubín
Senior Malware Researcher
Published
November 13, 2024

Read time
13 Minutes
Written by
Jan Rubín
Senior Malware Researcher

Published
November 13, 2024

Read time
13 Minutes

In this article
 * Key points: 
 * Introduction 
 * Technical analysis 
 * Distribution 
 * Putting the gloves on to bypass and steal 
 * The exfiltration and data structure 
 * Supporting module for App-Bound encryption bypass 
 * Conclusion 
 * Indicators of Compromise (IoCs) 

Share this article



KEY POINTS: 

 * Glove Stealer is an information stealer written in .NET, stealing sensitive
   data from wide range of browser extensions as well as locally installed
   software 
 * It focuses on browser data (cookies, autofill, …), cryptocurrency wallets,
   2FA authenticators, password managers, email clients, and more 
 * Glove Stealer uses a dedicated supporting module to bypass App-Bound
   encryption by using IElevator service 
 * While observed being spread via phishing emails resembling ClickFix, it
   itself also tries to mimic a fixing tool which users might use during
   troubleshooting problems they might have encountered 


INTRODUCTION 

We’ve been closely observing various social engineering tactics, such as
ClickFix and FakeCaptcha, for quite some time now. Tactics like these deceive
users into thinking they are helping themselves, but by following the
instructions from the attackers, they are actually inadvertently infecting their
own devices. The steps the users are led to take commonly involve copying a
malicious script that’s typically copied on background without user noticing.
The instructions then prompt the user to paste and execute it via a PowerShell
terminal or a Run prompt on Windows, displayed by a Win+R key combination. 

In a recent campaign using traditional phishing emails, we observed these
scripts to distribute an interesting information stealer written in .NET, which
we’ve named Glove. 

The stealer is relatively simple and contains minimal obfuscation or protection
mechanisms, indicating it might still be in an early development phase. However,
it uses a recent method to bypass App-Bound Encryption which was introduced by
Google in Chrome 127. This bypass method involves using an IElevator service and
was publicly disclosed by Alexander Hagenah on Oct. 27, 2024. 

Other than stealing private data from browsers, it also tries to exfiltrate
sensitive information from a list of 280 browser extensions and more than 80
locally installed applications. These extensions and applications typically
involve cryptocurrency wallets, 2FA authenticators, password managers, email
clients and others. 


TECHNICAL ANALYSIS 


DISTRIBUTION 

Even though ClickFix can take many forms, including inserting the crafted fake
error messages into compromised websites or attacker-hosted pages, this campaign
started with a user receiving a phishing email. Along with the e-mail, typically
an attachment is present in HTML format. An HTML page like this contains typical
ClickFix motives, showing a crafted fake error message stating that some content
couldn’t be accessed properly, then advising the user how to fix it. By
following the instructions, the user copies a malicious script to their
clipboard and, after executing it in a terminal or the Run prompt, they
unintentionally infect their own system. Below is an example of such an HTML
page displayed when the user opens the attachment. 

Example ClickFix HTML page being distributed in phishing email attachments

Under the hood, the script copied and executed by the user invokes a PowerShell
command encoded by Base64. However, as is common in these campaigns, it’s
followed by a couple of consecutive intermediary scripts. 

Initial script (truncated) invoking a powershell.exe to execute additional
stages

After going through additional intermediary scripts, we get to a point where the
script is calling and displaying an additional message to the user: 



Following the messaging of the OneDrive example above, it attempts to appear as
it should, as if it is fixing the DNS configuration. However, this is false, as
there is no issue to begin with—the problem was artificially introduced to the
user. The malicious script is contacting the attacker’s C&C server to obtain
Glove Stealer, ultimately leading the user’s device to become infected. 

In this specific case, the script downloads the Glove Stealer from this address
below: 

https://master.volt-texs[.]online/api/c4slhp3l 

The payload is downloaded from the server as a text from the HTML page, and an
analyst’s eye can immediately recognize the beginning of a PE file, just Base64
encoded. 

Base64 encoded Glove Stealer present on a C&C server


PUTTING THE GLOVES ON TO BYPASS AND STEAL 

Naturally, this payload gets decoded and executed. Upon execution, Glove Stealer
follows the whole narrative of ClickFix once again by displaying a terminal
window with a text “Wait Search problems…”. 

Main function of Glove Stealer, first writing a text into a console window in
attempt to look legitimate

Along with the authors likely lacking some English skills, the “o” in the word
“problems” is also a homoglyph, which is a character that looks the same (or
almost identical) to an original one, yet with a different binary
representation. However, this might not get properly interpreted in some
terminal or environment configurations, as can be seen in our testing
environment below. 

Wrongly displayed homoglyph in the word “problem”

The malware then pings another C&C server, using a randomly generated string (a
limited set of upper-cased letters and numbers) in the path, with the ID set to
0 to indicate it was successfully executed on the victim’s infected device: 

https://master.hdsjfkgsadoghdsiougds[.]space/mother/RANDOM_STRING?id=0 

This address is used multiple times during the malware execution to indicate
successfully passing certain stages and submitting other data, such as
encryption keys. For example, with an ID set to 1, it indicates that the initial
malware configuration is set properly on the device. 

Before the data exfiltration takes place, Glove Stealer terminates any (browser)
processes which contain any of the substrings mentioned below in the process
name: 

 * chrome 
 * yandex 
 * browser 
 * msedge 
 * opera 
 * brave 
 * chromium 
 * CryptoTab 

This is also being done in an infinite loop every 55 milliseconds and the
malware steals data from other browsers, like Firefox. 


THE EXFILTRATION AND DATA STRUCTURE 

Glove Stealer parses and stores the information obtained from browsers into
dedicated text files stored in the following directory structure: 

 * \AllPws.txt 
 * \INFS.txt 
 * \Cookies\ 
 * \Autofill\ 
 * \Restore\ 
 * \OTP\ 
 * \Wallets\ 

All folders and files used to store the stolen data are prefixed with a path
that represents a directory that contains the user's most recently used
documents (via Environment.SpecialFolder.Recent), followed by an MD5 hash of
from the combination of computer’s name and a SerialNumber of the device’s disk
drive. 

The files stored in the folders which contain the stolen data from browser are
labeled with the browser name and a possible postfix. For example, in case of
cookies, this postfix would be the name of the exfiltrated browser profile
(Default, Profile 1, Profile 2, …). As an example, the location and the name for
Chrome cookies could be stored as follows: 

%APPDATA%\Microsoft\Windows\Recent\MD5_HASH\Cookies\Chrome_Default.txt 

The file INFS.txt contains a fingerprint of the device, including details like
the OS, computer and username, maximum available RAM, language, CPU information
and more. The remaining files stored in the dedicated directories don’t deviate
from the used folder names and file names mentioned above. 

The cookies, wallets and other possible data are not obtained just from the
browsers, but Glove Stealer is using vast lists of predefined locally installed
applications and browser extensions, then tries to search for these and
exfiltrate valuable data from them. Since the lists are too exhaustive to
mention in the text (84 defined locations for the locally installed apps and 280
browser extensions), an interested reader can find these on our GitHub. To name
here at least part of the scope, the Glove Stealer focuses on: 

 * Vast variety of cryptocurrency wallet browser extensions 
 * 2FA authenticators, including Google Authenticator, Microsoft, Aegis and
   LastPass, to name a few 
 * Password managers, including Bitwarden, LastPass and KeePass, to name a few 
 * Email clients like Thunderbird 
 * Gaming platforms like Steam and Battle.net 

Data in which the stealer is interested in can be represented by searching for
this list (not exhaustive) of files and locations for each of the app: 

 * \Network\Cookies 
 * \Login Data 
 * \Web Data 
 * \Local Extension Settings 
 * \Sync Extension Settings 
 * \Local State 
 * \LocalPrefs.json 

After the stealer is finished with data harvesting, the entire directory
structure is then packed using FileZip and encrypted by 3DES in ECB mode and
sent to a C&C server. The key for the 3DES cipher is generated on the fly as a
string value represented by DateTime.Now.Ticks string hashed using MD5. 

The ZIP file, representing the exfiltration package, is stored in the Recent
directory with the name of MD5_HASH.xexe (the hash is still the computer’s name
+ SerialNumber). Immediately after it is encrypted using 3DES, it is renamed to
MD5_HASHXE, where XE is an appended substring. 

To be able to decrypt the package, the attackers are sending this key in
parameters using the ping C&C server once again. For this, the ID parameter is
set to 2 and the MD5 hash used as 3DES key immediately follows: 

https://master.hdsjfkgsadoghdsiougds[.]space/mother/RANDOM_STRING?id=2&ids=MD5_key 

However, the exfiltrated package is sent to the other C&C server as a POST
request, with the data encoded by Base64: 

https://master.volt-texs[.]online/index2.php 

For the attackers to stay safe from losing the key, they also back-up the 3DES
key here as well, using the non-hashed timestamp in the POST request. 


SUPPORTING MODULE FOR APP-BOUND ENCRYPTION BYPASS 

In order to use the stolen data from Chrome, Glove Stealer needs to bypass the
App-Bound encryption. To do this, it requests the original server once again to
retrieve a .NET payload to do the job. 

This payload is a supporting module, which is rather small, and it is dedicated
to bypassing the App-Bound encryption using IElevator service. 

https://master.volt-texs[.]online/postovoy/RANDOM_STRING 

Named as zagent.exe, this payload is downloaded and Base64-decoded into Chrome’s
Program Files directory: %PROGRAMFILES%\Google\Chrome\Application\zagent.exe 

After execution, the module is using a hardcoded "app_bound_encrypted_key":"
string for searching and retrieving the App-Bound encryption key stored in the
local state file: %LOCALAPPDATA%\Google\Chrome\User Data\Local State 

 

Part of a function that tries to obtain otherwise App-Bound protected Chrome key
used for decryption of private data

After the key is retrieved, it is Base64-decoded and stored in a dedicated file
called chromekey.txt so it can be also accessed by Glove Stealer itself. After
that, the C&C server is pinged to indicate the bypass was successful (ID=4). 

Note that, since App-Bound encryption also performs a path validation for the
location of the caller processes, this supporting module must be placed in the
Chrome’s Program Files directory tree. As a result, Glove Stealer needs to
acquire local admin privileges first to use this supporting module. 


CONCLUSION 

In this analysis, we described Glove Stealer, an information stealer observed in
recent phishing campaigns that leverage social engineering tactics, such as
ClickFix. In these tactics, the attackers aim to trick users into thinking they
are helping themselves, when in reality, they are inadvertently infecting their
devices by following the instructions provided by the attackers. 

Glove Stealer is capable of stealing various kind of information from many
browsers, including Chrome, Firefox, Edge, Brave and others. To achieve this,
Glove Stealer uses a dedicated supporting module that leverages IElevator
service to bypass App-Bound encryption. Additionally, it steals sensitive data
from two extensive lists: one representing locally installed applications and
the other representing browser extensions. These include cryptocurrency wallets
extensions, 2FA authenticators, password managers, email clients and more. 


INDICATORS OF COMPROMISE (IOCS) 

For more detailed list of IoCs, including the lists of locally installed apps
and browser extensions, please visit our GitHub. 

Original script copied in clipboard: 
2bf6fab237ab58ae6cfe78f9a61ab6dcaf55f437cb7a77878e2e6aae3b208e80 

Glove Stealer 

56da496329d54587c31119d8878a7831a9814a92839aa6a9873ceeb91575b11a 

Supporting module for App-Bound encryption bypass: 

86ad4082e086a0b9a22dc91a16d0d9be38232975ab4d3d035224fb6d6cc7a44c 

C&C 

master.hdsjfkgsadoghdsiougds[.]space 

master.volt-texs[.]online 

Jan Rubín
Senior Malware Researcher


Follow us for more



Blog Archive

Technology solutions for the next generation of digital life.


ABOUT GEN

Gen (NASDAQ: GEN) is a global company dedicated to powering Digital Freedom
through its trusted Cyber Safety brands, Norton, Avast, LifeLock, Avira, AVG,
ReputationDefender and CCleaner. Our solutions protect over 500 million users in
150+ countries.

Our Story


JOIN OUR TEAM

We're always looking for smart, fearless and dedicated people to join Gen. Our
global workforce has dual headquarters in Prague, Czech Republic and Tempe,
Arizona, USA. Ready to help today’s and tomorrow’s generations take control of
their digital lives?

Join our Team

FOOTER - MAIN

 * Legal
 * Procurement
 * License Agreement
 * Privacy Center
 * Cookie Policy
 * Accessibility
 * Privacy Settings

FOOTER - SECONDARY

 * 
 * 
 * 
 * 
 * 
 * 
 * 

Copyright © Gen Digital Inc. All rights reserved. NortonLifeLock, the
NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo
are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates
in the United States and other countries. Other names may be trademarks of their
respective owners.

FOOTER - SOCIAL

 * 
 * 
 *