Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset
In October 2023, PRISMA, a developer, uncovered a critical exploit that allows the generation of persistent Google cookies through token manipulation. This exploit enables continuous access to Google services, even after a user's password reset. A client, a threat actor, later reverse-engineered this script and incorporated it into Lumma Infostealer (see Appendix 8), protecting the methodology with advanced blackboxing techniques. This marked the beginning of a ripple effect, as the exploit rapidly spread among other malware groups seeking to stay on par with Lumma's unique feature.
CloudSEK's threat research team, leveraging HUMINT and technical analysis, identified the exploit's root at an undocumented Google OAuth endpoint named "MultiLogin". This report delves into the exploit's discovery, its evolution, and the broader implications for cybersecurity.
October 20, 2023: The exploit is first revealed on a Telegram channel. (Figure 1)
November 14, 2023: Lumma announces the feature's integration with an advanced blackboxing approach. The feature quickly gained attention as the security community posted about Lumma's unique feature. (Appendix 1)
November 17, 2023: Rhadamanthys announces the feature with a blackboxing approach similar to Lumma's. (Appendix 6)
November 24, 2023: Lumma updates the exploit to counteract Google's fraud detection measures. (Appendix 7)
December 1, 2023: Stealc implements the Google account token restore feature. (Appendix 4)
December 11, 2023: Meduza implements the Google account token restore feature. (Appendix 5)
December 12, 2023: RisePro implements the Google account token restore feature. (Appendix 3)
December 26, 2023: WhiteSnake implements the Google account token restore feature. (Appendix 2)
December 27, 2023: Hudson Rock posts a video from the dark web in which a hacker demonstrates exploiting the generated cookies.
The Lumma Infostealer, incorporating the discovered exploit, implemented it on November 14. Subsequently, Rhadamanthys, RisePro, Meduza and Stealc adopted the technique. On December 26, WhiteSnake also implemented the exploit. Currently, Eternity Stealer is actively working on an update, indicating a concerning trend of rapid integration among infostealer groups.
In the screenshot below, one side shows the new encrypted restore token present in the newer version of Lumma (dated 26 November), while the other side highlights the older version, in which cookies from browsers are collated to create Account_Chrome_Default.txt.
Exfiltration of Tokens and Account IDs: By reversing the malware variant, we understood that it targets Chrome's token_service table in WebData to extract the tokens and account IDs of the Chrome profiles that are logged in. This table contains two crucial columns: service (GAIA ID) and encrypted_token. The encrypted tokens are decrypted using an encryption key stored in Chrome's Local State within the UserData directory, the same scheme Chrome uses for stored passwords.
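The table layout described above is also what an incident responder needs in order to know which accounts on a host must have their sessions revoked. The following is an added triage example (not CloudSEK's code and not the malware's): it reads only the service column of token_service, reports whether an encrypted token is present for each account, and never touches the ciphertext or the Local State key. The profile directory names, the "Web Data" file name and the "AccountId-" row prefix are assumptions about Chrome's on-disk layout; the rows it creates are constructed sample data so it runs offline.

```python
"""Triage helper: inventory Google accounts that have Chrome refresh tokens on a host.

Added example, not CloudSEK's or the stealer's code. Reads the `service`
column of token_service only; the encrypted token is checked for presence,
never decrypted.
"""
import os
import sqlite3
import tempfile
from pathlib import Path

# Assumption: Chrome keeps token_service in a file named "Web Data" inside
# each profile directory ("Default", "Profile 1", ...) under User Data.
WEBDATA_FILENAME = "Web Data"
PROFILE_PREFIXES = ("Default", "Profile ")
ACCOUNT_PREFIX = "AccountId-"  # assumed row-key prefix in the service column


def list_token_accounts(webdata_path):
    """Return {account_id: has_token} for every row of token_service.

    Opens the database read-only; Chrome locks the live file, so in practice
    this runs against a forensic copy of Web Data.
    """
    uri = Path(webdata_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            "SELECT service, length(encrypted_token) FROM token_service"
        ).fetchall()
    finally:
        conn.close()
    accounts = {}
    for service, token_len in rows:
        account_id = service[len(ACCOUNT_PREFIX):] if service.startswith(ACCOUNT_PREFIX) else service
        accounts[account_id] = bool(token_len)  # NULL/empty blob -> no usable token
    return accounts


def triage_user_data_dir(user_data_dir):
    """Walk a Chrome User Data directory and map profile name -> account inventory."""
    report = {}
    for entry in sorted(os.listdir(user_data_dir)):
        if not entry.startswith(PROFILE_PREFIXES):
            continue
        webdata = os.path.join(user_data_dir, entry, WEBDATA_FILENAME)
        if os.path.isfile(webdata):  # profiles without a Web Data file are skipped
            report[entry] = list_token_accounts(webdata)
    return report


def build_sample_user_data_dir():
    """Construct a throwaway User Data tree with made-up rows so the example runs offline."""
    root = tempfile.mkdtemp(prefix="chrome-triage-")
    samples = {
        "Default": [("AccountId-100000000000000000001", b"v10" + b"\x00" * 40)],
        "Profile 1": [
            ("AccountId-100000000000000000002", b"v10" + b"\x01" * 40),
            ("AccountId-100000000000000000003", None),  # signed-in account, token already cleared
        ],
        "Profile 2": None,  # profile directory with no Web Data file
    }
    for profile, rows in samples.items():
        os.makedirs(os.path.join(root, profile))
        if rows is None:
            continue
        conn = sqlite3.connect(os.path.join(root, profile, WEBDATA_FILENAME))
        conn.execute(
            "CREATE TABLE token_service (service VARCHAR PRIMARY KEY NOT NULL UNIQUE, encrypted_token BLOB)"
        )
        conn.executemany("INSERT INTO token_service VALUES (?, ?)", rows)
        conn.commit()
        conn.close()
    return root


if __name__ == "__main__":
    for profile, accounts in triage_user_data_dir(build_sample_user_data_dir()).items():
        for account_id, has_token in accounts.items():
            print(profile, account_id, "token present" if has_token else "no token")
```

The output is the list of GAIA IDs whose sessions should be signed out and whose passwords should be reset on the affected host; pair it with the Local State file's timestamps if you need to establish when the profile was last in use.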
The MultiLogin endpoint, as revealed through Chromium's source code, is an internal mechanism designed for synchronizing Google accounts across services. It facilitates a consistent user experience by ensuring that browser account states align with Google's authentication cookies.
We tried finding mentions of the endpoint with a Google dork but found none. Searching for the same endpoint on GitHub gave exact matches, which revealed the Chromium source code seen below.
This endpoint operates by accepting a vector of account IDs and auth-login tokens, data essential for managing simultaneous sessions or switching between user profiles seamlessly. The insights from the Chromium codebase confirm that while the MultiLogin feature plays a vital role in user authentication, it also presents an exploitable avenue if mishandled, as evidenced by recent malware developments.
Our TI sources conversed with the threat actor who discovered the issue, which accelerated our identification of the endpoint responsible for regenerating the cookies.
Revealing the Endpoint: By reverse engineering the exploit executable provided by the original author, the specific endpoint involved in the exploit was uncovered. This undocumented MultiLogin endpoint is a critical part of Google's OAuth system, accepting vectors of account IDs and auth-login tokens.
In the realm of cyber threats, the tactics employed by threat actors are often as sophisticated as they are clandestine. The case of Lumma's exploitation of the undocumented Google OAuth2 MultiLogin endpoint provides a textbook example of such sophistication.
Lumma's approach hinges on a nuanced manipulation of the token:GAIA ID pair, a critical component in Google's authentication process. This pair, when used in conjunction with the MultiLogin endpoint, enables the regeneration of Google service cookies. Lumma's strategic innovation lies in the encryption of this token:GAIA ID pair with their proprietary private keys. By doing so, they effectively 'blackbox' the exploitation process, shrouding the core mechanics of the exploit in secrecy. This blackboxing serves two purposes:
This exploitation technique demonstrates a higher level of sophistication and understanding of Google’s internal authentication mechanisms. By manipulating the token:GAIA ID pair, Lumma can continuously regenerate cookies for Google services. Even more alarming is the fact that this exploit remains effective even after users have reset their passwords. This persistence in access allows for prolonged and potentially unnoticed exploitation of user accounts and data.
The tactical decision to encrypt the exploit's key component showcases a deliberate move towards more advanced, stealth-oriented cyber threats. It signifies a shift in the landscape of malware development, where the emphasis is increasingly on the concealment and protection of exploit methodologies, as much as on the effectiveness of the exploits themselves.
The Role of Human Intelligence: HUMINT played a pivotal role in accelerating the research process. Sources provided partial information about the exploit, leading to initial unsuccessful attempts (400 responses) from the endpoint. However, further HUMINT insights, combined with OSINT, revealed the exploit's schema.
Exploit Source and Origin: Analysis of the user-agent string found in the source code, as seen in Figure 7 (com.google.Drive/6.0.230903 iSL/3.4 iPhone/15.7.4 hw/iPhone9_4 (gzip)), suggests that a penetration test of Google Drive's services on Apple devices was a potential origin for the exploit. Imperfect testing on the author's part is what revealed this origin.
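A user-agent left over from an iOS pentest is a weak but cheap thing to look for in proxy telemetry, and the mismatch it creates (an iPhone Drive client talking to Google from a host inventoried as Windows) generalises beyond the exact string. The following is an added detection sketch, not CloudSEK's detection content: the user-agent constant is the one quoted above, while the log format, the asset inventory, every IP address and the other Drive version strings are constructed for this example.

```python
"""Detection sketch: flag Google-bound traffic whose User-Agent claims an iPhone
while the source host is inventoried as a non-iOS device.

Added example, not CloudSEK's code. Only EXPLOIT_USER_AGENT comes from the
article; log lines, inventory and addresses are constructed.
"""
import re

# Quoted in the article (Figure 7). Stealer builds may change it, so rule 2
# below does not depend on the exact string.
EXPLOIT_USER_AGENT = "com.google.Drive/6.0.230903 iSL/3.4 iPhone/15.7.4 hw/iPhone9_4 (gzip)"

# Constructed asset inventory: source IP -> OS reported by the endpoint agent.
INVENTORY = {"10.0.0.5": "Windows", "10.0.0.8": "macOS", "10.0.0.9": "iOS"}

# Constructed proxy log format: <timestamp> <src_ip> <host> "<user-agent>" <status>
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) "(?P<ua>[^"]*)" (?P<status>\d+)$')

SAMPLE_LOGS = [
    '2023-12-28T10:00:01Z 10.0.0.5 accounts.google.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0" 200',
    '2023-12-28T10:00:07Z 10.0.0.5 accounts.google.com "com.google.Drive/6.0.230903 iSL/3.4 iPhone/15.7.4 hw/iPhone9_4 (gzip)" 200',
    '2023-12-28T10:01:15Z 10.0.0.9 accounts.google.com "com.google.Drive/6.0.231105 iSL/3.4 iPhone/17.1 hw/iPhone14_2 (gzip)" 200',
    '2023-12-28T10:02:40Z 10.0.0.8 accounts.google.com "com.google.Drive/6.0.231105 iSL/3.4 iPhone/17.1 hw/iPhone14_2 (gzip)" 200',
    '2023-12-28T10:03:02Z 10.0.0.5 example.com "Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X)" 200',
    '2023-12-28T10:03:30Z 10.0.0.77 accounts.google.com "com.google.Drive/6.0.231105 iSL/3.4 iPhone/17.1 hw/iPhone14_2 (gzip)" 200',
]


def is_google_host(host):
    return host == "google.com" or host.endswith(".google.com")


def classify(entry, inventory):
    """Return the list of reasons a parsed log entry is suspicious (empty if benign)."""
    reasons = []
    # Rule 1: exact match on the string quoted from the exploit source.
    if entry["ua"] == EXPLOIT_USER_AGENT:
        reasons.append("user-agent matches the string quoted from the exploit source")
    # Rule 2: an iPhone client identity from a host we know is not iOS.
    # Hosts missing from the inventory are not judged, to avoid noise.
    host_os = inventory.get(entry["src"])
    if is_google_host(entry["host"]) and "iPhone" in entry["ua"] and host_os not in (None, "iOS"):
        reasons.append("iPhone user-agent from a host inventoried as " + host_os)
    return reasons


def detect(lines, inventory=INVENTORY):
    """Parse proxy log lines and return one alert dict per suspicious line."""
    alerts = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these
        entry = match.groupdict()
        reasons = classify(entry, inventory)
        if reasons:
            alerts.append({
                "timestamp": entry["ts"],
                "src_ip": entry["src"],
                "host": entry["host"],
                "os": inventory.get(entry["src"], "unknown"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert["timestamp"], alert["src_ip"], alert["os"], "; ".join(alert["reasons"]))
```

Of the six constructed lines, only the second (exact string, Windows host) and the fourth (iPhone client from a macOS host) raise alerts; the legitimate iOS device, the unknown host and the non-Google destination stay quiet. Treat a hit as a trigger for the session-revocation steps later in this report rather than as proof of compromise.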
While we await a comprehensive solution from Google, users can take immediate action to safeguard against this exploit. If you suspect your account may have been compromised, or as a general precaution, sign out of all browser profiles to invalidate the current session tokens. Following this, reset your password and sign back in to generate new tokens. This is especially crucial for users whose tokens and GAIA IDs might have been exfiltrated. Resetting your password effectively disrupts unauthorized access by invalidating the old tokens which the infostealers rely on, thus providing a crucial barrier to the continuation of their exploit.
The exploit involves malware using an undocumented Google OAuth endpoint, "MultiLogin," to regenerate expired Google Service cookies, allowing persistent access to compromised accounts. This method bypasses the need for a password but doesn't represent a direct vulnerability in the OAuth system itself.
Changing the password alone may not be sufficient. The exploit allows the regeneration of authentication cookies even after a password reset, but only once. To fully secure the account, users should log out of all sessions and revoke any suspicious connections.
Users can invalidate stolen sessions by signing out of the affected browser or remotely revoking sessions through their account's device management page.
While this specific exploit and the exfiltration of this particular token are relatively new, malware stealing passwords and cookies is not a novel cyber threat. The recent incidents have brought attention to the sophistication and stealth of modern cyber attacks.
Users are advised to regularly check for unfamiliar sessions, change passwords, and be vigilant when downloading unknown software or opening unknown attachments.
This analysis underscores the complexity and stealth of modern cyber threats. It highlights the necessity for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats. The collaboration of technical and human intelligence is crucial in uncovering and understanding sophisticated exploits like the one analyzed in this report.