Jating (OP)
November 15, 2024, 10:47:11 AM
Cyber security spotted what they call the Glove infostealer, which bypasses Google Chrome's Application-Bound (App-Bound) encryption and steals the following, as it has the capability to extract and exfiltrate cookies.
- Yahoo
- Chrome
- Yandex
- Browser
- Msedge
- Opera
- Brave
- Chromium
- CryptoTab
The cookies, wallets and other possible data are not obtained just from the browsers, but Glove Stealer is using vast lists of predefined locally installed applications and browser extensions, then tries to search for these and exfiltrate valuable data from them. Since the lists are too exhaustive to mention in the text (84 defined locations for the locally installed apps and 280 browser extensions), an interested reader can find these on our GitHub. To name here at least part of the scope, the Glove Stealer focuses on:
- Vast variety of cryptocurrency wallet browser extensions
- 2FA authenticators, including Google Authenticator, Microsoft, Aegis and LastPass, to name a few
- Password managers, including Bitwarden, LastPass and KeePass, to name a few
- Email clients like Thunderbird
- Gaming platforms like Steam and Battle.net
So it includes cryptocurrency wallet browsers, so this is going to be very dangerous to us.
https://www.gendigital.com/blog/news/innovation/glove-stealer
For a detailed list of IOC, you can visit here: https://github.com/avast/ioc/tree/master/GloveStealer
Kemarit
Legendary
Offline
Activity: 3430
Merit: 1416
November 15, 2024, 11:33:13 AM
That is the scary part, it can bypass this supposedly Google algorithm. That's how fast these cyber criminals are at reverse engineering a supposedly very good algo by Google itself. In any case, we all know that this is another phishing attempt, so we should not be clicking any links that we have seen in mails, even if we think that we trust the source.
It's better to just verify everything first so that we will not be falling for these scammers, who attack not just our crypto wallet but could really take over many of our social media accounts. The best thing here is to educate ourselves about this kind of attack. And this is going to be rampant I guess, as we have seen Bitcoin getting closer to 6 digits, and so these criminals want more of our crypto.
dkbit98
Legendary
Offline
Activity: 2926
Merit: 8612
Availa₿le
November 15, 2024, 08:48:29 PM
Another .exe file malware and another easy fix solution with switching from wind0ws to Linux OS, then you can forget about stuff like this. However, I noticed scammers are creating more malware for Android devices and targeting crypto wallets, so it's better to be careful when clicking any links.
Yaunfitda
November 16, 2024, 10:01:43 AM
> Another .exe file malware and another easy fix solution with switching from wind0ws to Linux OS, then you can forget about stuff like this. However, I noticed scammers are creating more malware for Android devices and targeting crypto wallets, so it's better to be careful when clicking any links.

Yes, and it seems that every OS is now vulnerable, although Linux OS or any flavored Unix OS is not that easy to penetrate, but still I have read that they've been targeted for crypto mining, so everyone is still in the crosshairs. And as we are in the bull run, phishing attacks are increasing and getting more sophisticated. And they are spreading beyond emails to text messages and other forms of personal communication. Like in this case, it could bypass app-bound encryption. This has been rolled out this year, just a couple of months ago last August, and by this time criminals were able to crack it already.
joniboini
Legendary
Offline
Activity: 2884
Merit: 1893
🧙♂️ #kycfree
November 16, 2024, 10:57:57 AM
> although Linux OS or any flavored Unix OS is not that easy to penetrate, but still I have read that they've been targeted for crypto mining, so everyone is still in the crosshairs.

It's still much safer though. If you're referring to malware that uses Linux devices to run a miner, most of them target Linux servers afaik. So the chance that your everyday PC is being targeted for a sophisticated malware campaign is quite low. To be fair regardless of what OS you use you have to be careful and not install/click files randomly. I don't think I saw malware that can magically install and brick your PC as soon as you connect to the internet. Unless we're talking very out-of-date OS. CMIIW.
TravelMug
November 16, 2024, 11:53:31 AM
> > although Linux OS or any flavored Unix OS is not that easy to penetrate, but still I have read that they've been targeted for crypto mining, so everyone is still in the crosshairs.
>
> It's still much safer though. If you're referring to malware that uses Linux devices to run a miner, most of them target Linux servers afaik. So the chance that your everyday PC is being targeted for a sophisticated malware campaign is quite low. To be fair regardless of what OS you use you have to be careful and not install/click files randomly. I don't think I saw malware that can magically install and brick your PC as soon as you connect to the internet. Unless we're talking very out-of-date OS. CMIIW.

The thing though with Unix is that it's not as friendly as Windows OS or let's say iOS, that's why we still prefer that old and traditional operating system. So it's better to equip ourselves with knowledge. This community has done enough to give warnings to everyone here. So it's really our job and maybe our fault if we are one of those victims. If this is 2017-2018 era, but no, we have moved on already. Although there is sophistication in every attack chain, it still boils down to how we see this kind of attack.
Cricktor
Legendary
Offline
Activity: 1456
Merit: 3822
November 17, 2024, 12:20:11 PM
I read the interesting blog article which describes how this info stealer does its work. From what I've seen a victim needs to fail at basic computer security at more than one step.
If you're instructed to copy/paste a PowerShell script and run it without understanding what it does, this should be a red flag and avoided in likely almost every case.
If you see script obfuscation, even a simple base64, to hide from you what's going to be executed, skipping execution policies, well that's another big red flag. You must be crazy to still execute something like this.
Another big red flag is that the malware will need elevated rights to copy the Chrome app private data encryption decryption helper executable into Chrome's program folder. If a user has disabled the notification of UAC requests, well... your fault! If it's enabled and you don't become suspicious at this last step, you miserably fail at basic (Windows) computer security.
Educate yourself about computer security and some best practices. You will need it, the outside internet world is cruel.
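
The first two red flags in the post above (a base64-encoded PowerShell command and an execution-policy override) can be checked mechanically from process command lines. The following is an added example, not part of the original post; the function name `triage` and the sample command lines are constructed for illustration.

```python
import base64
import binascii

def _is_abbrev(token, full, alias, min_len):
    """True if token is -<prefix of full> (at least min_len chars) or the alias."""
    name = token.lstrip("-/").lower()
    return name == alias or (len(name) >= min_len and full.startswith(name))

def triage(cmdline):
    """Return (flags, decoded_script) for one process command line."""
    flags, decoded = [], None
    if "powershell" not in cmdline.lower():
        return flags, decoded
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(("-", "/")):
            continue
        arg = tokens[i + 1]
        # powershell.exe accepts abbreviated parameter names (-ep, -ex, -e, -enc ...)
        if _is_abbrev(tok, "executionpolicy", "ep", 2):
            if arg.lower() in ("bypass", "unrestricted"):
                flags.append("execution-policy-bypass")
        elif _is_abbrev(tok, "encodedcommand", "ec", 1):
            try:
                # -EncodedCommand takes base64 of the UTF-16LE script text
                decoded = base64.b64decode(arg, validate=True).decode("utf-16-le")
                flags.append("base64-encoded-command")
            except (binascii.Error, UnicodeDecodeError):
                flags.append("undecodable-encoded-command")
    return flags, decoded

# Constructed sample input: a harmless script encoded the way PowerShell expects.
_B64 = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    f"powershell.exe -NoProfile -ep Bypass -enc {_B64}",
    "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
    "notepad.exe C:\\Users\\demo\\notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage(line))
```

Decoding the argument shows what would actually run, which is the step the post says a user should take before executing anything.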
tabas
November 17, 2024, 12:48:20 PM
Self-awareness and being educated on how these attacks work is still the best anti-virus. But, those aware and educated aren't their targets. Like Cricktor said, they are targeting those who lack computer knowledge, even the basics.

> The thing though with Unix is that it's not as friendly as Windows OS or let's say iOS, that's why we still prefer that old and traditional operating system. So it's better to equip ourselves with knowledge.

That's the reason why attacks there are fewer compared to the Windows and Mac users. Because these cons know where the demand is and where most users are staying that they can target.

> I don't think I saw malware that can magically install and brick your PC as soon as you connect to the internet.

This is true, others are making it scarier when they're explaining things as if these will self-install without any interaction of the user. If a user unknowingly installs and downloads files that are from an unreliable source, mostly from email attachments that come from an unknown guy, they're in danger.
Lafu
Legendary
Offline
Activity: 3556
Merit: 4501
November 17, 2024, 06:04:38 PM
> Self-awareness and being educated on how these attacks work is still the best anti-virus. But, those aware and educated aren't their targets. they are targeting those who lack computer knowledge, even the basics.

Yep, it's true that self-awareness and being educated about these things is the best antivirus and protection against all this malware, stealers and shit programs. Even if they are maybe not looking for experienced users, it's still good to know about such things and the information about them. Today it's just one moment where you have to make an ill-considered click; this happens so many times, and also to older users that are aware of all this.
btc_angela
November 18, 2024, 06:23:59 AM
> > Self-awareness and being educated on how these attacks work is still the best anti-virus. But, those aware and educated aren't their targets. they are targeting those who lack computer knowledge, even the basics.
>
> Yep, it's true that self-awareness and being educated about these things is the best antivirus and protection against all this malware, stealers and shit programs. Even if they are maybe not looking for experienced users, it's still good to know about such things and the information about them. Today it's just one moment where you have to make an ill-considered click; this happens so many times, and also to older users that are aware of all this.

That is true, that one click, that will ruin everything, damn, the feeling of losing your crypto, so it's as what we saw here, education is the best key, or self-awareness. Nothing beats that, if we can channel ourselves to read just the basics on how someone fell for phishing attacks and what to look for. It will be good enough and then we go and become advanced crypto users, and so is our awareness of this kind of attack. Thanks again OP for bringing this up, maybe others don't want to comment here but for sure they have read it loud and clear.
tabas
November 18, 2024, 09:42:05 PM
> > Self-awareness and being educated on how these attacks work is still the best anti-virus. But, those aware and educated aren't their targets. they are targeting those who lack computer knowledge, even the basics.
>
> Yep, it's true that self-awareness and being educated about these things is the best antivirus and protection against all this malware, stealers and shit programs. Even if they are maybe not looking for experienced users, it's still good to know about such things and the information about them. Today it's just one moment where you have to make an ill-considered click; this happens so many times, and also to older users that are aware of all this.

That's right, even the old users still click on these bad links without noticing. I agree, it's also a good thing to know such things about these bad actors, malware, and everything that these hackers try to inject in all of our devices so that we can avoid them by having this info as a reminder on what must be done to avoid them.