Glove Stealer is an information-stealing malware written in .NET that targets sensitive data from browsers, cryptocurrency wallets, password managers, and other locally installed applications. It is distributed via phishing emails designed to mimic troubleshooting tools, and it bypasses App-Bound Encryption with a supporting module that uses the IElevator service. This campaign highlights how easily users can be led to compromise their own devices.
Affected: browsers, cryptocurrency wallets, password managers, email clients, locally installed applications
Key points:
- Glove Stealer is an information stealer malware developed in .NET.
- It targets a variety of sensitive data, including cookies, autofill data, cryptocurrency wallets, 2FA authenticators, and email clients.
- The malware employs a supporting module utilizing the IElevator service to bypass App-Bound encryption.
- Distribution methods include phishing emails with HTML attachments that mislead users into running malicious scripts.
- The payload can be downloaded from a Command and Control (C&C) server using specific URLs.
- Data exfiltration occurs after the malware terminates browser processes to steal sensitive data.
- The stolen data is packaged, encrypted, and sent back to the attackers via the C&C server.
- Glove Stealer targets a wide range of locally installed applications and 280 browser extensions, extending its reach.
MITRE Techniques:
- T1071.001: Application Layer Protocol: Web Protocols – The malware communicates with its C&C server using HTTP over encrypted connections (HTTPS).
- T1059.001: Command and Scripting Interpreter: PowerShell – Uses a PowerShell command to run malicious scripts on the victim's machine.
- T1070.004: Indicator Removal on Host – Terminates browser processes to avoid detection while exfiltrating data.
- T1106: Native API – The malware uses the IElevator service as part of its technique to bypass encryption.
- T1041: Exfiltration Over Command and Control Channel – The stolen data is sent back to the attackers through HTTP POST requests.
Indicators of Compromise:
- [URL] https://master.volt-texs[.]online/api/c4slhp3l
- [URL] https://master.hdsjfkgsadoghdsiougds[.]space/mother/RANDOM_STRING?id=0
- [URL] https://master.hdsjfkgsadoghdsiougds[.]space/mother/RANDOMSTRING?id=2&ids=MD5key
- [Hash] 2bf6fab237ab58ae6cfe78f9a61ab6dcaf55f437cb7a77878e2e6aae3b208e80
- [Hash] 56da496329d54587c31119d8878a7831a9814a92839aa6a9873ceeb91575b11a
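As an added defender-side example that is not part of the report or of this summary: a small Python sweep that refangs the indicators listed above and matches them against proxy-log lines and a file-hash inventory. Only the URLs and SHA-256 hashes come from the indicator list; the log line format, timestamps, client addresses and file paths are constructed for the example and are assumptions, not values from the report.

```python
"""IoC sweep for the Glove Stealer indicators listed above (added example)."""
import hashlib
import re
from urllib.parse import urlparse

# Indicators exactly as published in the report above, defanged with "[.]".
IOC_URLS = [
    "https://master.volt-texs[.]online/api/c4slhp3l",
    "https://master.hdsjfkgsadoghdsiougds[.]space/mother/RANDOM_STRING?id=0",
    "https://master.hdsjfkgsadoghdsiougds[.]space/mother/RANDOMSTRING?id=2&ids=MD5key",
]
IOC_SHA256 = {
    "2bf6fab237ab58ae6cfe78f9a61ab6dcaf55f437cb7a77878e2e6aae3b208e80",
    "56da496329d54587c31119d8878a7831a9814a92839aa6a9873ceeb91575b11a",
}


def refang(url: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxps://') back into a matchable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def ioc_hosts(urls=IOC_URLS) -> set:
    """Hostnames of all published C&C URLs, lower-cased for comparison."""
    return {urlparse(refang(u)).hostname.lower() for u in urls}


# Constructed proxy-log format (an assumption, not any real product's format):
# "<ISO time> <client ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(lines, hosts=None):
    """Return (client_ip, url) pairs whose destination host is a known C&C host.

    Subdomains of an indicator host are flagged too, so a host that merely
    adds a label in front of a published one is still caught.
    """
    hosts = hosts if hosts is not None else ioc_hosts()
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse rather than crash the sweep
        _, client, _, url, _ = m.groups()
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in hosts):
            hits.append((client, url))
    return hits


def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest of file content, the form the report publishes hashes in."""
    return hashlib.sha256(data).hexdigest()


def scan_hash_inventory(inventory, known=IOC_SHA256):
    """inventory: iterable of (path, sha256-hex). Return paths whose hash is a published IoC."""
    return [path for path, digest in inventory if digest.lower() in known]


# Constructed sample data: timestamps, client IPs and paths are made up for the example.
SAMPLE_PROXY_LOG = [
    "2024-11-15T09:12:01Z 10.0.0.15 GET https://www.example.com/index.html 200",
    "2024-11-15T09:12:44Z 10.0.0.15 GET https://master.volt-texs.online/api/c4slhp3l 200",
    "2024-11-15T09:13:02Z 10.0.0.23 POST https://MASTER.hdsjfkgsadoghdsiougds.space/mother/abc123?id=0 200",
    "garbage line that does not parse",
]
SAMPLE_INVENTORY = [
    ("C:\\Users\\alice\\Downloads\\notes.txt", sha256_of(b"constructed benign content")),
    # Constructed path paired with one of the published hashes (upper-cased to show normalisation).
    ("C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe",
     "2BF6FAB237AB58AE6CFE78F9A61AB6DCAF55F437CB7A77878E2E6AAE3B208E80"),
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"C&C contact from {client}: {url}")
    for path in scan_hash_inventory(SAMPLE_INVENTORY):
        print(f"known sample hash at {path}")
```

Matching is done on the hostname rather than the full URL because the second-stage paths in the report contain placeholders (RANDOM_STRING, MD5key) that vary per victim; a hash match on the inventory is exact, so an attacker-recompiled build will not match and the host check is the more durable of the two.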
Full Story: https://www.gendigital.com/blog/insights/research/glove-stealer