https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking
Compromising Google Accounts: Malware Exploiting Undocumented OAuth2 Functionality for Session Hijacking

Malware | 9 min read

A detailed analysis of a global malware trend: exploiting undocumented OAuth2 functionality to regenerate Google service cookies regardless of IP or password reset.

Author: Pavan Karthick M, December 29, 2023. Last update posted on January 10, 2024.
Co-Authors: Anirudh Batra, Sparsh Kulshrestha, Abhishek Mathew

* Category: Adversary Intelligence
* Industry: All Industries
* Motivation: Financial
* Source*: C - Fairly Reliable, 1 - Confirmed by Independent sources

Executive Summary

In October 2023, PRISMA, a developer, uncovered a critical exploit that allows the generation of persistent Google cookies through token manipulation. This exploit enables continuous access to Google services, even after a user's password reset. A client of the developer, a threat actor, later reverse-engineered this script and incorporated it into the Lumma Infostealer (see Appendix 8), protecting the methodology with advanced blackboxing techniques. This marked the beginning of a ripple effect, as the exploit rapidly spread among various malware groups keen to stay on par with unique features. CloudSEK's threat research team, leveraging HUMINT and technical analysis, identified the exploit's root at an undocumented Google OAuth endpoint named "MultiLogin". This report delves into the exploit's discovery, its evolution, and the broader implications for cybersecurity.

Timeline of events:

* October 20, 2023: The exploit is first revealed on a Telegram channel. (Figure 1)
* November 14, 2023: Lumma announces the feature's integration with an advanced blackboxing approach. The feature started booming because of security-field posts about Lumma's unique feature. (Appendix 1)
* November 17, 2023: Rhadamanthys announces the feature with a blackboxing approach similar to Lumma's. (Appendix 6)
* November 24, 2023: Lumma updates the exploit to counteract Google's fraud detection measures. (Appendix 7)
* December 1, 2023: Stealc implements the Google account token restore feature. (Appendix 4)
* December 11, 2023: Meduza implements the Google account token restore feature. (Appendix 5)
* December 12, 2023: RisePro implements the Google account token restore feature. (Appendix 3)
* December 26, 2023: WhiteSnake implements the Google account token restore feature. (Appendix 2)
* December 27, 2023: Hudson Rock posts a video from the dark web in which a hacker demonstrates exploiting the generated cookies.

Analysis and Attribution

Information from the Post

* On 20 October 2023, CloudSEK's contextual AI digital risk platform XVigil discovered that a threat actor named 'PRISMA' made a significant announcement on their Telegram channel, unveiling a potent 0-day solution addressing challenges with incoming sessions of Google accounts. This solution boasts two key features:
  * Session Persistence: The session remains valid even when the account password is changed, providing a unique advantage in bypassing typical security measures.
  * Cookie Generation: The capability to generate valid cookies in the event of a session disruption enhances the attacker's ability to maintain unauthorized access.
* The developer expressed openness to cooperation, suggesting a potential willingness to collaborate or share insights on this newfound exploit.

Figure 1: TA post about his find in a Telegram channel on October 20, 2023

The Lumma Infostealer, incorporating the discovered exploit, was implemented on November 14. Subsequently, Rhadamanthys, RisePro, Meduza and Stealc adopted this technique. On December 26, WhiteSnake also implemented the exploit. Currently, Eternity Stealer is actively working on an update, indicating a concerning trend of rapid integration among various infostealer groups.

In the screenshot below, one side shows the new encrypted restore token present in the newer version of Lumma (dated 26 November), while the other side shows the older version, where cookies from browsers are collated to create Account_Chrome_Default.txt.

Figure 2: Difference between Lumma malware logs: one dated 26 November containing the encrypted cookie, and ones from the 12th containing just the cookies extracted from browsers.

Technical Analysis

Scaling from Zero - How Malware Exfiltrates the Required Secrets

Exfiltration of Tokens and Account IDs: By reversing the malware variant, we understood that it targets Chrome's token_service table in the WebData database to extract the tokens and account IDs of the Chrome profiles that are logged in. This table contains two crucial columns: service (the GAIA ID) and encrypted_token. The encrypted tokens are decrypted using an encryption key stored in Chrome's Local State within the User Data directory, similar to the encryption used for storing passwords.

Figure 3: The structure of the token_service table

Figure 4: Description of the stealer's feature for exfiltrating the required details from the victim's machine

Analyzing the Endpoint's Origin and Use

The MultiLogin endpoint, as revealed through Chromium's source code, is an internal mechanism designed for synchronizing Google accounts across services. It facilitates a consistent user experience by ensuring that browser account states align with Google's authentication cookies. We tried finding mentions of the endpoint with a Google dork but failed to find any. A later search for the same endpoint on GitHub gave exact matches, which revealed the Chromium source code seen below.

Figure 5: Source code in Google's Chromium source tree

Revealing Parameter Format, Data Format and Purpose

This endpoint operates by accepting a vector of account IDs and auth-login tokens, data essential for managing simultaneous sessions or switching between user profiles seamlessly. The insights from the Chromium codebase confirm that while the MultiLogin feature plays a vital role in user authentication, it also presents an exploitable avenue if mishandled, as evidenced by recent malware developments.

Figure 6: Unit tests revealing the expected request data

Our TI sources have conversed with the threat actor who discovered the issue, which accelerated our discovery of the endpoint responsible for regenerating the cookies.

Reverse Engineering the Exploit Code

Revealing the Endpoint: By reverse engineering the exploit executable provided by the original author, the specific endpoint involved in the exploit was uncovered. This undocumented MultiLogin endpoint is a critical part of Google's OAuth system, accepting vectors of account IDs and auth-login tokens.

Figure 7: Reverse-engineered exploit code showing the endpoint exploited

Intricate Tactics of Threat Actors

In the realm of cyber threats, the tactics employed by threat actors are often as sophisticated as they are clandestine. The case of Lumma's exploitation of the undocumented Google OAuth2 MultiLogin endpoint provides a textbook example of such sophistication. Lumma's approach hinges on a nuanced manipulation of the token:GAIA ID pair, a critical component in Google's authentication process. This pair, when used in conjunction with the MultiLogin endpoint, enables the regeneration of Google service cookies. Lumma's strategic innovation lies in the encryption of this token:GAIA ID pair with their proprietary private keys. By doing so, they effectively 'blackbox' the exploitation process, shrouding the core mechanics of the exploit in secrecy.

This blackboxing serves two purposes:

* Protection of the Exploit Technique: By applying encryption to the pivotal token:GAIA ID pair, Lumma effectively masks the core mechanism of their exploit. This layer of encryption acts as a barrier, hindering other malicious entities from duplicating their method. This strategic move not only preserves the uniqueness of their exploit in the competitive landscape of cybercrime but also gives them an edge in the illicit market. However, Lumma's subsequent adaptation, which introduced the use of SOCKS proxies to circumvent Google's IP-based restrictions on cookie regeneration, inadvertently exposed some details of the requests and responses, potentially compromising the exploit's obscurity.
* Evasion of Detection: Encrypted communication between the malware C2 and the MultiLogin endpoint is less likely to trigger alarms in network security systems. Standard security controls are more prone to overlook encrypted traffic, mistaking it for legitimate encrypted data exchange.

Figure 8: Successful regeneration of cookies after resetting the password

Sophistication in Exploitation Technique

This exploitation technique demonstrates a higher level of sophistication and understanding of Google's internal authentication mechanisms. By manipulating the token:GAIA ID pair, Lumma can continuously regenerate cookies for Google services. Even more alarming is the fact that this exploit remains effective even after users have reset their passwords. This persistence in access allows for prolonged and potentially unnoticed exploitation of user accounts and data. The tactical decision to encrypt the exploit's key component showcases a deliberate move towards more advanced, stealth-oriented cyber threats. It signifies a shift in the landscape of malware development, where the emphasis is increasingly on the concealment and protection of exploit methodologies, as much as on the effectiveness of the exploits themselves.
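A defender-side check for the exfiltration step described under Technical Analysis, added here as an example that is not code from the CloudSEK report or from any of the stealers it covers: it runs over constructed file-access telemetry and flags a non-browser process that reads both Chrome's Local State (where the decryption key lives) and the Web Data database (where the token_service table lives) within a short window. The event schema, the sample events, the allow-list of browser images and the 120-second window are assumptions to be mapped onto your own EDR's fields.

```python
"""Flag infostealer-style reads of Chrome's token store from EDR telemetry.

Added example for this write-up; not code from the CloudSEK report or from any
of the stealers it describes. The stealers need two files under Chrome's
User Data directory: "Local State" (holds the key) and "Web Data" (holds the
token_service table with the GAIA ID / encrypted_token pairs). A non-browser
process reading both in quick succession is the signal looked for here.
Event schema, sample events, the allow-list and the window are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: browser images that legitimately open their own profile store.
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}
# The two files the report identifies as required for token exfiltration.
TARGET_FILES = {"local state", "web data"}
# Assumption: a stealer reads both files within seconds; this is a generous window.
WINDOW_SECONDS = 120.0


@dataclass(frozen=True)
class FileAccessEvent:
    """One file-open-for-read event as an EDR might export it (constructed schema)."""
    ts: float      # seconds since epoch
    host: str
    pid: int
    image: str     # process image name, e.g. "chrome.exe"
    path: str      # full Windows path of the file opened


def is_chrome_profile_store(path: str) -> str | None:
    """Return "local state" or "web data" if path is one of the two targeted
    files under a Chrome "User Data" directory, otherwise None."""
    p = PureWindowsPath(path)
    parts = {s.lower() for s in p.parts}
    if "chrome" not in parts or "user data" not in parts:
        return None
    name = p.name.lower()
    return name if name in TARGET_FILES else None


def find_token_theft_candidates(events: list[FileAccessEvent]) -> list[dict]:
    """Group reads of the targeted files per (host, pid, image), ignoring
    allow-listed browsers. A process that read both files within
    WINDOW_SECONDS is reported as high severity; one that read only one of
    them (or both, but far apart) as medium. Findings are ordered by the
    process's first suspicious read."""
    first_seen: dict[tuple[str, int, str], dict[str, float]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        which = is_chrome_profile_store(ev.path)
        if which is None or ev.image.lower() in ALLOWED_IMAGES:
            continue
        per_file = first_seen.setdefault((ev.host, ev.pid, ev.image), {})
        per_file.setdefault(which, ev.ts)  # keep the earliest read per file

    findings: list[dict] = []
    for (host, pid, image), per_file in first_seen.items():
        both = TARGET_FILES <= set(per_file)
        close = both and abs(per_file["local state"] - per_file["web data"]) <= WINDOW_SECONDS
        findings.append({
            "host": host,
            "pid": pid,
            "image": image,
            "files": sorted(per_file),
            "severity": "high" if close else "medium",
            "reason": ("non-browser process read Local State and Web Data (token_service) "
                       "within the window" if close
                       else "non-browser process read Chrome profile store file(s)"),
        })
    return findings


# Constructed sample telemetry: one legitimate browser, one process that reads
# both files three seconds apart, one that touches only Web Data, and noise.
SAMPLE_EVENTS = [
    FileAccessEvent(1000.0, "ws-01", 4321, "chrome.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    FileAccessEvent(1001.0, "ws-01", 4321, "chrome.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    FileAccessEvent(2000.0, "ws-01", 9876, "updater.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    FileAccessEvent(2003.0, "ws-01", 9876, "updater.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    FileAccessEvent(3000.0, "ws-02", 555, "backup.exe",
                    r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    FileAccessEvent(3100.0, "ws-02", 777, "notepad.exe",
                    r"C:\Users\bob\Documents\notes.txt"),
]

if __name__ == "__main__":
    for f in find_token_theft_candidates(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} pid={f['pid']} {f['image']}: {f['reason']}")
```

A high-severity hit is the trigger for the remediation described later in this report (sign out of all profiles, reset the password, sign back in), since the tokens and GAIA IDs on that host should be treated as exfiltrated.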
HUMINT Analysis

The Role of Human Intelligence: HUMINT played a pivotal role in accelerating the research process. Sources provided partial information about the exploit, leading to initial unsuccessful attempts (400 responses) from the endpoint. However, further HUMINT insights, combined with OSINT, revealed the exploit's schema.

Figure 9: Original TA's conversation with our source

Exploit Source and Origin: Analysis of the user-agent string found in the source code, as seen in Figure 7 (com.google.Drive/6.0.230903 iSL/3.4 iPhone/15.7.4 hw/iPhone9_4 (gzip)), suggests that a penetration test of Google Drive's services on Apple devices was a potential origin for the exploit. The exploit's imperfect testing led to revealing its source.

Interim Remediation Steps

While we await a comprehensive solution from Google, users can take immediate action to safeguard against this exploit. If you suspect your account may have been compromised, or as a general precaution, sign out of all browser profiles to invalidate the current session tokens. Following this, reset your password and sign back in to generate new tokens. This is especially crucial for users whose tokens and GAIA IDs might have been exfiltrated. Resetting your password effectively disrupts unauthorized access by invalidating the old tokens on which the infostealers rely, thus providing a crucial barrier to the continuation of their exploit.

Figure: Interim Remediation Steps

Frequently Asked Questions

What is the nature of the exploit involving Google accounts?
The exploit involves malware using an undocumented Google OAuth endpoint, "MultiLogin," to regenerate expired Google service cookies, allowing persistent access to compromised accounts. This method bypasses the need for a password but doesn't represent a direct vulnerability in the OAuth system itself.

Does changing your password secure your account against this exploit?
Changing the password alone may not be sufficient. The exploit allows the regeneration of authentication cookies even after a password reset, but only once. To fully secure the account, users should log out of all sessions and revoke any suspicious connections.

Can users revoke access if their account is compromised?
Users can invalidate stolen sessions by signing out of the affected browser or by remotely revoking sessions through their account's device management page.

Is this a new form of cyber attack?
While the specific exploit and the exfiltration of this specific token are relatively new, the concept of malware stealing passwords and cookies is not a novel cyber threat. The recent incidents have brought attention to the sophistication and stealth of modern cyber attacks.

What should users do to protect their accounts?
Users are advised to regularly check for unfamiliar sessions, change passwords, and be vigilant when downloading unknown software or opening unknown attachments.

Conclusion

This analysis underscores the complexity and stealth of modern cyber threats. It highlights the necessity for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats. The collaboration of technical and human intelligence is crucial in uncovering and understanding sophisticated exploits like the one analyzed in this report.

References

* (*) Intelligence source and information reliability - Wikipedia
* Traffic Light Protocol - Wikipedia
* Other sources

Appendix

Appendix 1: Lumma posting the feature on November 14, 2023
Appendix 2: WhiteSnake stealer implemented the function in their stealer on December 26, 2023
Appendix 3: RisePro's implementation of the same feature on December 12
Appendix 4: Stealc's implementation of the feature on December 1
Appendix 5: Meduza's feature from December 11, 2023
Appendix 6: Rhadamanthys's feature to restore Google accounts
Appendix 7: Counteraction by the Lumma team due to fraud detection by Google
Appendix 8: PRISMA dev's conversation with another public source about the theft and reuse by Lumma