Cybersecurity researchers have uncovered a new malware strain named Glove Stealer, capable of bypassing Google Chrome’s App-Bound encryption to exfiltrate browser cookies and sensitive data. Identified by Gen Digital, this malware appears to be in its early development stages, with minimal obfuscation or protection mechanisms.
Phishing Campaigns and Attack Chain
The malware was spotted during an investigation into phishing campaigns that leverage social engineering tactics similar to the ClickFix infection chain. In these campaigns, victims are tricked into installing malware via fake error messages embedded in HTML files attached to phishing emails.
ClickFix HTML attachment sample (Gen Digital)
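The infection chain above starts with an HTML attachment that shows a fake error message and tells the reader how to "fix" it. The following is an added triage example, not Gen Digital's tooling or anything from the Glove Stealer campaign: it parses an e-mail, pulls out HTML attachments, and scores each one for ClickFix-style lure wording combined with embedded script. The lure vocabulary, the scoring threshold and the sample message are all constructed assumptions for illustration, not published indicators.

```python
"""Mail-triage helper: flag HTML attachments that read like a fake error page
asking the recipient to take a manual "fix" step (ClickFix-style lure).
Added example; the keyword list and threshold are assumptions, not IoCs."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumed lure vocabulary: phrasing a fake error page tends to carry.
LURE_PATTERNS = [
    re.compile(r"\berror\b", re.I),
    re.compile(r"\b(fix|repair|resolve)\b", re.I),
    re.compile(r"\b(copy|paste|run)\b.*\b(command|terminal|powershell)\b", re.I),
]


class _TextAndScript(HTMLParser):
    """Collect visible text and record whether the page embeds <script>."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.has_script = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.has_script = True
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:          # only user-visible text is scored
            self.text.append(data)


def score_html(html: str) -> dict:
    """Score one HTML document: script present plus >= 2 lure phrases is suspicious."""
    parser = _TextAndScript()
    parser.feed(html)
    visible = " ".join(parser.text)
    hits = [pat.pattern for pat in LURE_PATTERNS if pat.search(visible)]
    return {
        "has_script": parser.has_script,
        "lure_hits": hits,
        "suspicious": parser.has_script and len(hits) >= 2,  # assumed threshold
    }


def triage_eml(raw: bytes) -> list:
    """Return a finding dict for every HTML attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".html", ".htm")):
            payload = part.get_content()
            if isinstance(payload, bytes):
                payload = payload.decode("utf-8", "replace")
            result = score_html(payload)
            result["filename"] = name
            findings.append(result)
    return findings


def build_sample_eml(lure: bool) -> bytes:
    """Constructed sample message (not a real campaign artifact) with one HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document.")
    if lure:
        html = ("<html><body><h1>Error 0x0000</h1>"
                "<p>The document could not be displayed. To fix this, copy the "
                "command below and run it in PowerShell.</p>"
                "<script>/* placeholder script body */</script></body></html>")
    else:
        html = "<html><body><p>Monthly statement attached.</p></body></html>"
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="invoice.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        for finding in triage_eml(build_sample_eml(flag)):
            print(finding)
```

Scoring only the visible text (not the script body) keeps the heuristic aimed at what the recipient is shown; a real deployment would feed the flagged attachments to sandboxing rather than treat the score as a verdict.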
Once installed, Glove Stealer is designed to:
- Extract cookies from Chromium-based browsers (e.g., Chrome, Edge, Brave, Yandex, Opera) and Firefox.
- Steal cryptocurrency wallets from browser extensions.
- Exfiltrate 2FA session tokens from popular authenticator apps like Google, Microsoft, and LastPass.
- Capture password data from tools like KeePass, LastPass, and Bitwarden.
- Access emails from clients like Thunderbird.
- Extract sensitive information from 280 browser extensions and 80 locally installed applications, including cryptocurrency wallets, email clients, and password managers.