Compromising Google Accounts: Malware Exploiting Undocumented OAuth2 Functionality for Session Hijacking | CloudSEK
A detailed blog on the analysis of the global malware trend exploiting undocumented OAuth2 functionality to regenerate Google service cookies regardless of IP or password reset.

In October 2023, PRISMA, a developer, uncovered a critical exploit that allows the generation of persistent Google cookies through token manipulation. This exploit enables continuous access to Google services even after a user's password reset. A client, a threat actor, later reverse-engineered this script and incorporated it into Lumma Infostealer (see Appendix 8), protecting the methodology with advanced blackboxing techniques. This marked the beginning of a ripple effect, as the exploit rapidly spread among various malware groups keen to keep on par with unique features.

CloudSEK's threat research team, leveraging HUMINT and technical analysis, identified the exploit's root at an undocumented Google OAuth endpoint named MultiLogin. This report delves into the exploit's discovery, its evolution, and the broader implications for cybersecurity.

- October 20, 2023: The exploit is first revealed on a Telegram channel (Figure 1).
- November 14, 2023: Lumma announces the feature's integration with an advanced blackboxing approach. The feature started booming because of the security field posting about Lumma's unique feature (Appendix 1).
- November 17, 2023: Rhadamanthys announces the feature with a blackboxing approach similar to Lumma's (Appendix 6).
- November 24, 2023: Lumma updates the exploit to counteract Google's fraud detection measures (Appendix 7).
- December 1, 2023: Stealc implements the Google account token restore feature (Appendix 4).
- December 11, 2023: Meduza implements the Google account token restore feature (Appendix 5).
- December 12, 2023: RisePro implements the Google account token restore feature (Appendix 3).
- December 26, 2023: WhiteSnake implements the Google account token restore feature (Appendix 2).
- December 27, 2023: Hudson Rock posts a video from the dark web in which a hacker shows exploiting the generated cookies.

The Lumma Infostealer incorporating the discovered exploit was implemented on November 14. Subsequently, Rhadamanthys, RisePro, Meduza and Stealc Stealer adopted this technique. On December 26, WhiteSnake also implemented the exploit. Currently, Eternity Stealer is actively working on an update, indicating a concerning trend of rapid integration among various infostealer groups.

In the screenshot below you can see the new encrypted restore token present in the newer version of Lumma (dated 26th Nov), whilst the other side of the screenshot highlights the older version, where cookies from browsers are collated to create Account_Chrome_Default.txt.

Exfiltration of Tokens and Account IDs

By reversing the malware variant, we understood that they target Chrome's token_service table in the Web Data database to extract the tokens and account IDs of the Chrome profiles that are logged in. This table contains two crucial columns: service (GAIA ID) and encrypted_token. The encrypted tokens are decrypted using an encryption key stored in Chrome's Local State file within the User Data directory, similar to the encryption used for storing passwords.

The MultiLogin endpoint, as revealed through Chromium's source code, is an internal mechanism designed for synchronizing Google accounts across services. It facilitates a consistent user experience by ensuring that browser account states align with Google's authentication cookies.

We tried finding mentions of the endpoint with a Google Dork but failed to find any. Later, searching for the same endpoint on GitHub gave exact matches, which revealed the source code of Chromium, as seen below.

This endpoint operates by accepting a vector of account IDs and auth-login tokens, data essential for managing simultaneous sessions or switching between user profiles seamlessly. The insights from the Chromium codebase confirm that while the MultiLogin feature plays a vital role in user authentication, it also presents an exploitable avenue if mishandled, as evidenced by recent malware developments.

Our TI sources have conversed with the threat actor who discovered the issue, which accelerated our discovery of the endpoint responsible for regenerating the cookies.

Revealing the Endpoint

By reverse engineering the exploit executable provided by the original author, the specific endpoint involved in the exploit was uncovered. This undocumented MultiLogin endpoint is a critical part of Google's OAuth system, accepting vectors of account IDs and auth-login tokens.

In the realm of cyber threats, the tactics employed by threat actors are often as sophisticated as they are clandestine. The case of Lumma's exploitation of the undocumented Google OAuth2 MultiLogin endpoint provides a textbook example of such sophistication.

Lumma's approach hinges on a nuanced manipulation of the token:GAIA ID pair, a critical component in Google's authentication process. This pair, when used in conjunction with the MultiLogin endpoint, enables the regeneration of Google service cookies. Lumma's strategic innovation lies in the encryption of this token:GAIA ID pair with their proprietary private keys. By doing so, they effectively blackbox the exploitation process, shrouding the core mechanics of the exploit in secrecy. This blackboxing serves two purposes.

This exploitation technique demonstrates a higher level of sophistication and understanding of Google's internal authentication mechanisms. By manipulating the token:GAIA ID pair, Lumma can continuously regenerate cookies for Google services. Even more alarming is the fact that this exploit remains effective even after users have reset their passwords. This persistence in access allows for prolonged and potentially unnoticed exploitation of user accounts and data.

The tactical decision to encrypt the exploit's key component showcases a deliberate move towards more advanced, stealth-oriented cyber threats. It signifies a shift in the landscape of malware development, where the emphasis is increasingly on the concealment and protection of exploit methodologies as much as on the effectiveness of the exploits themselves.

The Role of Human Intelligence

HUMINT played a pivotal role in accelerating the research process. Sources provided partial information about the exploit, leading to initial unsuccessful attempts (HTTP 400 responses from the endpoint). However, further HUMINT insights combined with OSINT revealed the exploit's schema.

Exploit Source and Origin

Analysis of the user-agent string found in the source code, as seen in Figure 7 (com.google.Drive/6.2023.09.03 iSL/3.4 iPhone/15.7.4 hw/iPhone9_4 (gzip)), suggests that a penetration test of Google Drive's services on Apple devices was a potential origin for the exploit. The exploit's imperfect testing led to revealing its source.

While we await a comprehensive solution from Google, users can take immediate action to safeguard against this exploit. If you suspect your account may have been compromised, or as a general precaution, sign out of all browser profiles to invalidate the current session tokens. Following this, reset your password and sign back in to generate new tokens. This is especially crucial for users whose tokens and GAIA IDs might have been exfiltrated. Resetting your password effectively disrupts unauthorized access by invalidating the old tokens which the infostealers rely on, thus providing a crucial barrier to the continuation of their exploit.

The exploit involves malware using an undocumented Google OAuth endpoint, MultiLogin, to regenerate expired Google service cookies, allowing persistent access to compromised accounts. This method bypasses the need for a password but doesn't represent a direct vulnerability in the OAuth system itself.

Changing the password alone may not be sufficient. The exploit allows the regeneration of authentication cookies even after a password reset, but only once. To fully secure the account, users should log out of all sessions and revoke any suspicious connections.

Users can invalidate stolen sessions by signing out of the affected browser or remotely revoking sessions through their account's device management page.

While the specific exploit and the exfiltration of this specific token are relatively new, the concept of malware stealing passwords and cookies is not a novel cyber threat. The recent incidents have brought attention to the sophistication and stealth of modern cyber attacks.

Users are advised to regularly check for unfamiliar sessions, change passwords, and be vigilant when downloading unknown software or opening unknown attachments.

This analysis underscores the complexity and stealth of modern cyber threats. It highlights the necessity for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats. The collaboration of technical and human intelligence is crucial in uncovering and understanding sophisticated exploits like the one analyzed in this report.
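As an added incident-response example (not CloudSEK's code and not the malware's), the following Python scopes a Chrome profile the way a responder would after reading the token exfiltration and mitigation sections above: it lists the Google accounts whose refresh tokens sat in the token_service table of Web Data, so that the sign-out and session-revocation steps can be applied to each of them. It assumes Chrome keys those rows as "AccountId-<GAIA ID>", builds its own constructed sample profile, and never decrypts a token blob.

```python
"""Triage helper: which Google accounts on a Chrome profile had a stored
refresh token and therefore need every session revoked. Read-only."""
from __future__ import annotations

import json
import sqlite3
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumption: Chrome stores Google account tokens under "AccountId-<GAIA ID>".
ACCOUNT_ID_PREFIX = "AccountId-"


@dataclass
class ExposedAccount:
    gaia_id: str
    token_bytes: int
    scheme: str  # "v10" = wrapped with the os_crypt key from Local State, else "other"


def classify_blob(blob: bytes) -> str:
    """Only the version prefix is inspected; the payload stays opaque."""
    return "v10" if blob.startswith(b"v10") else "other"


def list_exposed_accounts(web_data_path: Path) -> list[ExposedAccount]:
    """Each AccountId-* row is an account whose token a stealer could have taken."""
    # Open read-only through a URI so triage never modifies the evidence file.
    conn = sqlite3.connect(web_data_path.resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT service, encrypted_token FROM token_service ORDER BY service"
        ).fetchall()
    finally:
        conn.close()
    exposed = []
    for service, blob in rows:
        if not service.startswith(ACCOUNT_ID_PREFIX):
            continue  # other services share this table; not Google account tokens
        blob = bytes(blob or b"")
        gaia_id = service[len(ACCOUNT_ID_PREFIX):]
        exposed.append(ExposedAccount(gaia_id, len(blob), classify_blob(blob)))
    return exposed


def local_state_has_wrapped_key(local_state_path: Path) -> bool:
    """True when Local State carries the os_crypt key the post refers to."""
    state = json.loads(local_state_path.read_text(encoding="utf-8"))
    return bool(state.get("os_crypt", {}).get("encrypted_key"))


def build_sample_profile(root: Path) -> tuple[Path, Path]:
    """Constructed stand-in for a Chrome profile; GAIA IDs and blobs are fabricated."""
    web_data = root / "Web Data"
    conn = sqlite3.connect(web_data)
    conn.execute(
        "CREATE TABLE token_service (service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)"
    )
    conn.executemany("INSERT INTO token_service VALUES (?, ?)", [
        ("AccountId-100000000000000000001", b"v10" + bytes(range(40))),
        ("AccountId-100000000000000000002", b"\x01\x00\x00\x00" + bytes(24)),  # no v10 prefix
        ("SomeOtherService", b"v10" + bytes(8)),  # must be ignored by the triage
    ])
    conn.commit()
    conn.close()
    local_state = root / "Local State"
    local_state.write_text(json.dumps({"os_crypt": {"encrypted_key": "PLACEHOLDER-BASE64"}}))
    return web_data, local_state


def triage(web_data: Path, local_state: Path) -> dict:
    """What the responder needs: the accounts to sign out everywhere and re-credential."""
    accounts = list_exposed_accounts(web_data)
    return {
        "accounts_to_revoke": [a.gaia_id for a in accounts],
        "schemes": {a.gaia_id: a.scheme for a in accounts},
        "wrapped_key_present": local_state_has_wrapped_key(local_state),
    }


def run_sample_triage() -> dict:
    """Run the triage against the constructed sample profile in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        web_data, local_state = build_sample_profile(Path(tmp))
        return triage(web_data, local_state)
```

On a real host the two files live at User Data/Local State and User Data/Default/Web Data; point triage() at a forensic copy of each.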