Source |
RiskIQ |
Identifier |
8613678 |
Publication date |
2024-11-18 19:36:50 (viewed: 2024-11-18 20:08:30) |
Title |
New Glove infostealer malware bypasses Chrome's cookie encryption |
Text |
## Snapshot
Researchers at Gen Security have identified Glove Stealer, an information-stealing malware distributed through phishing campaigns that exploit social engineering tactics like [ClickFix](https://security.microsoft.com/intel-explorer/articles/6d79c4e3) and FakeCaptcha. These tactics deceive users by presenting fake error messages and guiding them to execute malicious scripts in their terminal or Run prompt, leading to system infection.
## Description
Glove Stealer is a .NET-based malware with minimal obfuscation, suggesting it is in early development. It uses a bypass for Chrome's App-Bound encryption via the IElevator service, a method publicly disclosed in late October 2024.
The malware exfiltrates data from over 280 browser extensions and 80 applications, targeting sensitive information such as cryptocurrency wallet details, 2FA authenticator data, password manager credentials, and email client data. It also harvests cookies, autofill data, and browser profiles, storing them in structured text files labeled by browser names and profiles. Before exfiltration, the malware terminates processes related to major browsers like Chrome, Firefox, and Edge in an infinite loop.
The data is compressed into a zip file, encrypted with 3DES, and sent to a command-and-control (C&C) server via a POST request. The encryption key is generated dynamically and transmitted separately to ensure the attackers retain access. Glove Stealer also uses a .NET payload named "zagent.exe" to bypass Chrome's App-Bound encryption, retrieving decryption keys from Chrome's local state file. This payload requires admin privileges to execute, as it must be placed within Chrome's directory.
The phishing emails delivering Glove Stealer often include HTML attachments that prompt users to execute the malicious scripts. The scripts connect to the C&C server to download the payload, which then exfiltrates harvested data to predefined locations.
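Two detection heuristics that follow from the behaviour described above (a payload placed inside Chrome's directory, and browser processes killed over and over), written here as an added example rather than code from the article or from Gen Security; the process-creation event shape, the Chrome install path, the Chrome binary allowlist and the use of taskkill command lines as the kill signal are all assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Install path assumed for a default per-machine Chrome install (assumption; adjust per fleet).
CHROME_APP_DIR = PureWindowsPath(r"C:\Program Files\Google\Chrome\Application")
# Binaries expected under that directory; illustrative allowlist, build yours from a
# known-good install rather than copying this one.
CHROME_BINARIES = {"chrome.exe", "chrome_proxy.exe", "elevation_service.exe"}
# Command lines that kill a major browser; the stealer does this repeatedly.
KILL_BROWSER = re.compile(r"taskkill\b.*\b(chrome|firefox|msedge)\.exe", re.I)
KILL_THRESHOLD = 3


def unexpected_chrome_dir_binaries(events):
    """Launches from inside Chrome's directory that are not Chrome's own binaries."""
    hits = []
    for ev in events:
        path = PureWindowsPath(ev["image"])
        if CHROME_APP_DIR in path.parents and path.name.lower() not in CHROME_BINARIES:
            hits.append((ev["pid"], str(path)))
    return hits


def browser_kill_loops(events, threshold=KILL_THRESHOLD):
    """Parent PIDs that spawned at least `threshold` browser-kill commands."""
    kills = Counter(ev["ppid"] for ev in events if KILL_BROWSER.search(ev["cmdline"]))
    return sorted(ppid for ppid, n in kills.items() if n >= threshold)


# Constructed sample events (hypothetical PIDs and paths): a benign Chrome launch, a
# payload dropped into Chrome's directory, one parent killing browsers repeatedly,
# and an unrelated single taskkill that must not fire.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
    {"pid": 200, "ppid": 150, "image": r"C:\Program Files\Google\Chrome\Application\zagent.exe", "cmdline": "zagent.exe"},
    {"pid": 201, "ppid": 150, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /F /IM chrome.exe"},
    {"pid": 202, "ppid": 150, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /F /IM firefox.exe"},
    {"pid": 203, "ppid": 150, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /F /IM msedge.exe"},
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /F /IM notepad.exe"},
]

if __name__ == "__main__":
    print(unexpected_chrome_dir_binaries(SAMPLE_EVENTS))
    print(browser_kill_loops(SAMPLE_EVENTS))
```

A .NET binary that kills browsers through the Process API leaves no taskkill command line, so pair the second rule with EDR process-termination telemetry where your sensor exposes it. The first rule also depends on the agent logging launches from the per-machine install path; per-user Chrome installs live elsewhere.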
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure |
Notes |
|
Sent |
Yes |
Tags |
Ransomware
Spam
Malware
Tool
Threat
|
Stories |
|