Research

Glove Stealer: Leveraging IElevator to Bypass App-Bound Encryption & Steal Sensitive Data

A .NET malware, bypasses Chrome's App-Bound Encryption, stealing data from browsers, crypto wallets, 2FA authenticators
Jan Rubín
Senior Malware Researcher
Published
November 13, 2024
Read time
13 Minutes
Glove Stealer: Leveraging IElevator to Bypass App-Bound Encryption & Steal Sensitive Data
Written by
Jan Rubín
Senior Malware Researcher
Published
November 13, 2024
Read time
13 Minutes
Glove Stealer: Leveraging IElevator to Bypass App-Bound Encryption & Steal Sensitive Data
    Share this article

    Key points: 

    • Glove Stealer is an information stealer written in .NET, stealing sensitive data from wide range of browser extensions as well as locally installed software 
    • It focuses on browser data (cookies, autofill, …), cryptocurrency wallets, 2FA authenticators, password managers, email clients, and more 
    • Glove Stealer uses a dedicated supporting module to bypass App-Bound encryption by using IElevator service 
    • While observed being spread via phishing emails resembling ClickFix, it itself also tries to mimic a fixing tool which users might use during troubleshooting problems they might have encountered 

    Introduction 

    We’ve been closely observing various social engineering tactics, such as ClickFix and FakeCaptcha, for quite some time now. Tactics like these deceive users into thinking they are helping themselves, but by following the instructions from the attackers, they are actually inadvertently infecting their own devices. The steps the users are led to take commonly involve copying a malicious script that’s typically copied on background without user noticing. The instructions then prompt the user to paste and execute it via a PowerShell terminal or a Run prompt on Windows, displayed by a Win+R key combination. 

    In a recent campaign using traditional phishing emails, we observed these scripts to distribute an interesting information stealer written in .NET, which we’ve named Glove. 

    The stealer is relatively simple and contains minimal obfuscation or protection mechanisms, indicating it might still be in an early development phase. However, it uses a recent method to bypass App-Bound Encryption which was introduced by Google in Chrome 127. This bypass method involves using an IElevator service and was publicly disclosed by Alexander Hagenah on Oct. 27, 2024. 

    Other than stealing private data from browsers, it also tries to exfiltrate sensitive information from a list of 280 browser extensions and more than 80 locally installed applications. These extensions and applications typically involve cryptocurrency wallets, 2FA authenticators, password managers, email clients and others. 

    Technical analysis 

    Distribution 

    Even though ClickFix can take many forms, including inserting the crafted fake error messages into compromised websites or attacker-hosted pages, this campaign started with a user receiving a phishing email. Along with the e-mail, typically an attachment is present in HTML format. An HTML page like this contains typical ClickFix motives, showing a crafted fake error message stating that some content couldn’t be accessed properly, then advising the user how to fix it. By following the instructions, the user copies a malicious script to their clipboard and, after executing it in a terminal or the Run prompt, they unintentionally infect their own system. Below is an example of such an HTML page displayed when the user opens the attachment. 

    Example ClickFix HTML page being distributed in phishing email attachments
    Example ClickFix HTML page being distributed in phishing email attachments

    Under the hood, the script copied and executed by the user invokes a PowerShell command encoded by Base64. However, as is common in these campaigns, it’s followed by a couple of consecutive intermediary scripts. 

    Initial script (truncated) invoking a powershell.exe to execute additional stages
    Initial script (truncated) invoking a powershell.exe to execute additional stages

    After going through additional intermediary scripts, we get to a point where the script is calling and displaying an additional message to the user: 

    Following the messaging of the OneDrive example above, it attempts to appear as it should, as if it is fixing the DNS configuration. However, this is false, as there is no issue to begin with—the problem was artificially introduced to the user. The malicious script is contacting the attacker’s C&C server to obtain Glove Stealer, ultimately leading the user’s device to become infected. 

    In this specific case, the script downloads the Glove Stealer from this address below: 

    https://master.volt-texs[.]online/api/c4slhp3l 

    The payload is downloaded from the server as a text from the HTML page, and an analyst’s eye can immediately recognize the beginning of a PE file, just Base64 encoded. 

    Base64 encoded Glove Stealer present on a C&C server
    Base64 encoded Glove Stealer present on a C&C server

    Putting the gloves on to bypass and steal 

    Naturally, this payload gets decoded and executed. Upon execution, Glove Stealer follows the whole narrative of ClickFix once again by displaying a terminal window with a text “Wait Search problems…”. 

    Main function of Glove Stealer, first writing a text into a console window in attempt to look legitimate
    Main function of Glove Stealer, first writing a text into a console window in attempt to look legitimate

    Along with the authors likely lacking some English skills, the “o” in the word “problems” is also a homoglyph, which is a character that looks the same (or almost identical) to an original one, yet with a different binary representation. However, this might not get properly interpreted in some terminal or environment configurations, as can be seen in our testing environment below. 

    Wrongly displayed homoglyph in the word “problem”
    Wrongly displayed homoglyph in the word “problem”

    The malware then pings another C&C server, using a randomly generated string (a limited set of upper-cased letters and numbers) in the path, with the ID set to 0 to indicate it was successfully executed on the victim’s infected device: 

    https://master.hdsjfkgsadoghdsiougds[.]space/mother/RANDOM_STRING?id=0 

    This address is used multiple times during the malware execution to indicate successfully passing certain stages and submitting other data, such as encryption keys. For example, with an ID set to 1, it indicates that the initial malware configuration is set properly on the device. 

    Before the data exfiltration takes place, Glove Stealer terminates any (browser) processes which contain any of the substrings mentioned below in the process name: 

    • chrome 
    • yandex 
    • browser 
    • msedge 
    • opera 
    • brave 
    • chromium 
    • CryptoTab 

    This is also being done in an infinite loop every 55 milliseconds and the malware steals data from other browsers, like Firefox. 

    The exfiltration and data structure 

    Glove Stealer parses and stores the information obtained from browsers into dedicated text files stored in the following directory structure: 

    • \AllPws.txt 
    • \INFS.txt 
    • \Cookies\ 
    • \Autofill\ 
    • \Restore\ 
    • \OTP\ 
    • \Wallets\ 

    All folders and files used to store the stolen data are prefixed with a path that represents a directory that contains the user's most recently used documents (via Environment.SpecialFolder.Recent), followed by an MD5 hash of from the combination of computer’s name and a SerialNumber of the device’s disk drive. 

    The files stored in the folders which contain the stolen data from browser are labeled with the browser name and a possible postfix. For example, in case of cookies, this postfix would be the name of the exfiltrated browser profile (Default, Profile 1, Profile 2, …). As an example, the location and the name for Chrome cookies could be stored as follows: 

    %APPDATA%\Microsoft\Windows\Recent\MD5_HASH\Cookies\Chrome_Default.txt 

    The file INFS.txt contains a fingerprint of the device, including details like the OS, computer and username, maximum available RAM, language, CPU information and more. The remaining files stored in the dedicated directories don’t deviate from the used folder names and file names mentioned above. 

    The cookies, wallets and other possible data are not obtained just from the browsers, but Glove Stealer is using vast lists of predefined locally installed applications and browser extensions, then tries to search for these and exfiltrate valuable data from them. Since the lists are too exhaustive to mention in the text (84 defined locations for the locally installed apps and 280 browser extensions), an interested reader can find these on our GitHub. To name here at least part of the scope, the Glove Stealer focuses on: 

    • Vast variety of cryptocurrency wallet browser extensions 
    • 2FA authenticators, including Google Authenticator, Microsoft, Aegis and LastPass, to name a few 
    • Password managers, including Bitwarden, LastPass and KeePass, to name a few 
    • Email clients like Thunderbird 
    • Gaming platforms like Steam and Battle.net 

    Data in which the stealer is interested in can be represented by searching for this list (not exhaustive) of files and locations for each of the app: 

    • \Network\Cookies 
    • \Login Data 
    • \Web Data 
    • \Local Extension Settings 
    • \Sync Extension Settings 
    • \Local State 
    • \LocalPrefs.json 

    After the stealer is finished with data harvesting, the entire directory structure is then packed using FileZip and encrypted by 3DES in ECB mode and sent to a C&C server. The key for the 3DES cipher is generated on the fly as a string value represented by DateTime.Now.Ticks string hashed using MD5. 

    The ZIP file, representing the exfiltration package, is stored in the Recent directory with the name of MD5_HASH.xexe (the hash is still the computer’s name + SerialNumber). Immediately after it is encrypted using 3DES, it is renamed to MD5_HASHXE, where XE is an appended substring. 

    To be able to decrypt the package, the attackers are sending this key in parameters using the ping C&C server once again. For this, the ID parameter is set to 2 and the MD5 hash used as 3DES key immediately follows: 

    https://master.hdsjfkgsadoghdsiougds[.]space/mother/RANDOM_STRING?id=2&ids=MD5_key 

    However, the exfiltrated package is sent to the other C&C server as a POST request, with the data encoded by Base64: 

    https://master.volt-texs[.]online/index2.php 

    For the attackers to stay safe from losing the key, they also back-up the 3DES key here as well, using the non-hashed timestamp in the POST request. 

    Supporting module for App-Bound encryption bypass 

    In order to use the stolen data from Chrome, Glove Stealer needs to bypass the App-Bound encryption. To do this, it requests the original server once again to retrieve a .NET payload to do the job. 

    This payload is a supporting module, which is rather small, and it is dedicated to bypassing the App-Bound encryption using IElevator service. 

    https://master.volt-texs[.]online/postovoy/RANDOM_STRING 

    Named as zagent.exe, this payload is downloaded and Base64-decoded into Chrome’s Program Files directory: %PROGRAMFILES%\Google\Chrome\Application\zagent.exe 

    After execution, the module is using a hardcoded "app_bound_encrypted_key":" string for searching and retrieving the App-Bound encryption key stored in the local state file: %LOCALAPPDATA%\Google\Chrome\User Data\Local State 

     

    Part of a function that tries to obtain otherwise App-Bound protected Chrome key used for decryption of private data
    Part of a function that tries to obtain otherwise App-Bound protected Chrome key used for decryption of private data

    After the key is retrieved, it is Base64-decoded and stored in a dedicated file called chromekey.txt so it can be also accessed by Glove Stealer itself. After that, the C&C server is pinged to indicate the bypass was successful (ID=4). 

    Note that, since App-Bound encryption also performs a path validation for the location of the caller processes, this supporting module must be placed in the Chrome’s Program Files directory tree. As a result, Glove Stealer needs to acquire local admin privileges first to use this supporting module. 

    Conclusion 

    In this analysis, we described Glove Stealer, an information stealer observed in recent phishing campaigns that leverage social engineering tactics, such as ClickFix. In these tactics, the attackers aim to trick users into thinking they are helping themselves, when in reality, they are inadvertently infecting their devices by following the instructions provided by the attackers. 

    Glove Stealer is capable of stealing various kind of information from many browsers, including Chrome, Firefox, Edge, Brave and others. To achieve this, Glove Stealer uses a dedicated supporting module that leverages IElevator service to bypass App-Bound encryption. Additionally, it steals sensitive data from two extensive lists: one representing locally installed applications and the other representing browser extensions. These include cryptocurrency wallets extensions, 2FA authenticators, password managers, email clients and more. 

    Indicators of Compromise (IoCs) 

    For more detailed list of IoCs, including the lists of locally installed apps and browser extensions, please visit our GitHub

    Original script copied in clipboard: 
    2bf6fab237ab58ae6cfe78f9a61ab6dcaf55f437cb7a77878e2e6aae3b208e80 

    Glove Stealer 

    56da496329d54587c31119d8878a7831a9814a92839aa6a9873ceeb91575b11a 

    Supporting module for App-Bound encryption bypass: 

    86ad4082e086a0b9a22dc91a16d0d9be38232975ab4d3d035224fb6d6cc7a44c 

    C&C 

    master.hdsjfkgsadoghdsiougds[.]space 

    master.volt-texs[.]online 

    Jan Rubín
    Senior Malware Researcher
    Follow us for more