Better Security, Together

Cybersecurity teams have recently identified a new threat named ‘Glove Stealer’, which has demonstrated a remarkable ability to circumvent the App-Bound Encryption in Google Chrome that’s meant to protect sensitive user data. Although the malware might seem primitive due to its .NET construction, it utilizes the IElevator method to successfully target a range of applications, including those as sensitive as crypto wallets and password managers.

Following this initial discovery, it’s important to understand how Glove Stealer makes its way onto systems. The infiltration process begins with a phishing email that tricks users into activating a ClickFix tactic. Unknowingly, the user executes a hidden script, which triggers the download of the malware. Meanwhile, the attacker’s server cleverly disguises the Glove Stealer, delivering it as encoded data that mimics legitimate HTML content.

Building on this deceptive foundation, once the Glove Stealer becomes operational within the victim’s system, it swiftly moves to terminate browser processes. This action allows it to stay under the radar and kickstarts the data extraction phase. Methodically, it catalogs a range of stolen data including credentials and cookies, organizing them into neatly named text files, signifying they’re primed for exfiltration.

To fully achieve its purpose, Glove Stealer employs an additional tactic. It deploys a .NET module specifically designed to bypass Chrome’s encryption checks. This critical component for accessing Chrome’s encrypted data necessitates elevated privileges within the system, indicating that one of the malware’s key strategies includes obtaining local admin access during the attack, thereby heightening the threat level and emphasizing the importance of securing administrative credentials.

The Lazarus Group, a sophisticated North Korean APT, has been observed deploying RustyAttr, a newly discovered malware targeting macOS systems. This malware employs a novel TTP by abusing Extended File Attributes, a lesser-monitored metadata feature, to conceal malicious code and evade traditional detection mechanisms. This tactic highlights an evolution in macOS-targeting malware, underscoring the increasing sophistication of the group’s cyber-espionage operations.

The infection chain begins with RustyAttr being delivered via phishing emails or compromised websites, typically disguised as legitimate files. Upon execution, the malware manipulates extended file attributes to embed its payload, allowing it to bypass conventional security tools. Once active, RustyAttr communicates with its command-and-control (C2) servers, enabling attackers to perform advanced espionage activities such as data exfiltration, network reconnaissance, and further lateral movement within the compromised environment.

By leveraging these less-monitored areas of the operating system, Lazarus Group has enhanced its ability to evade detection and conduct prolonged campaigns against high-value targets. This advancement highlights the group’s continued focus on innovation to maintain operational effectiveness across diverse attack surfaces.