Threat Research

Glove Stealer: Utilizing IElevator to Circumvent App Encryption and Access Sensitive Information

Securonix

Summary:

Glove Stealer is a .NET-based information stealer that targets sensitive data from various browser extensions and locally installed software. It employs social engineering tactics, such as phishing emails, to trick users into executing malicious scripts, ultimately leading to data exfiltration from browsers and applications.

Keypoints:

  • Glove Stealer is an information stealer written in .NET.
  • It targets sensitive data from browser extensions and locally installed software.
  • Focus areas include browser data, cryptocurrency wallets, 2FA authenticators, password managers, and email clients.
  • Utilizes a supporting module to bypass App-Bound encryption using the IElevator service.
  • Spread via phishing emails resembling ClickFix, tricking users into executing malicious scripts.
  • The malware is relatively simple with minimal obfuscation, indicating it may still be in early development.
  • It exfiltrates data from 280 browser extensions and over 80 locally installed applications.
  • Data is stored in a structured directory format, including files for cookies, autofill, and wallets.
  • Employs a dedicated module to bypass App-Bound encryption for Chrome data access.
  • Indicators of Compromise (IoCs) include specific file hashes and C&C server addresses.

    • MITRE Techniques

  • Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
  • Exploitation for Client Execution (T1203): Exploits user interaction with malicious content to execute scripts.
  • Data Encrypted (T1041): Encrypts stolen data before exfiltration to obfuscate the information.
  • Credential Dumping (T1003): Extracts credentials from browsers and applications.
  • Application Layer Protocol (T1071.001): Uses application layer protocols for command and control communications.

    • IoC:

  • [File Hash] 2bf6fab237ab58ae6cfe78f9a61ab6dcaf55f437cb7a77878e2e6aae3b208e80
  • [File Hash] 56da496329d54587c31119d8878a7831a9814a92839aa6a9873ceeb91575b11a
  • [File Hash] 86ad4082e086a0b9a22dc91a16d0d9be38232975ab4d3d035224fb6d6cc7a44c
  • [Domain] master.hdsjfkgsadoghdsiougds[.]space
  • [Domain] master.volt-texs[.]online

    • Full Research: https://www.gendigital.com/blog/news/innovation/glove-stealer

    Tags: SOCIAL ENGINEERING, BROWSER, EMAIL, full, PHISHING, EXFILTRATION, PASSWORD, CREDENTIAL