Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking

A detailed blog on Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset.

Pavan Karthick M
December 29, 2023
Last updated: February 3, 2024
Co-authors: Anirudh Batra, Sparsh Kulshrestha, Abhishek Mathew
  • Category: Adversary Intelligence
  • Industry: All Industries
  • Motivation: Financial
  • Source reliability: C - Fairly Reliable
  • Information credibility: 1 - Confirmed by independent sources

Executive Summary

In October 2023, a developer known as PRISMA disclosed a critical exploit that generates persistent Google cookies through token manipulation, giving continuous access to Google services even after the victim resets their password. One of PRISMA's clients, a threat actor, later reverse-engineered the script and incorporated it into the Lumma Infostealer (see Appendix 8), protecting the methodology with blackboxing techniques. This set off a ripple effect: the exploit spread rapidly among infostealer groups competing to offer the same unique feature.

CloudSEK's threat research team, combining HUMINT with technical analysis, traced the exploit to an undocumented Google OAuth endpoint named "MultiLogin". This report covers the exploit's discovery, its evolution, and the broader implications for cybersecurity.

Timeline of events:

October 20, 2023: The exploit is first revealed on a Telegram channel. (Figure 1)

November 14, 2023: Lumma announces integration of the feature, protected by a blackboxing approach. Attention surged after security researchers posted about Lumma's unique feature. (Appendix 1)

November 17, 2023: Rhadamanthys announces the feature with a blackboxing approach similar to Lumma's. (Appendix 6)

November 24, 2023: Lumma updates the exploit to counteract Google's fraud detection measures. (Appendix 7)

December 1, 2023: Stealc implements the Google account token restore feature. (Appendix 4)

December 11, 2023: Meduza implements the Google account token restore feature. (Appendix 5)

December 12, 2023: RisePro implements the Google account token restore feature. (Appendix 3)

December 26, 2023: WhiteSnake implements the Google account token restore feature. (Appendix 2)

December 27, 2023: Hudson Rock posts a video from the dark web in which an actor demonstrates use of the regenerated cookies.

Analysis and Attribution

Information from the Post

  • On October 20, 2023, CloudSEK's contextual AI digital risk platform XVigil discovered that a threat actor named 'PRISMA' had announced on their Telegram channel a claimed 0-day "solution" to the problems attackers face with hijacked Google account sessions. The solution boasts two key features:
    • Session persistence: the session remains valid even when the account password is changed, bypassing a control that victims normally rely on.
    • Cookie generation: valid cookies can be generated again if the session is disrupted, letting the attacker maintain unauthorized access.
  • The developer expressed openness to cooperation, suggesting a willingness to collaborate on or share insights into the exploit.

Figure 1: The TA's post about the find on a Telegram channel, October 20, 2023


The Lumma Infostealer incorporated the exploit on November 14. Rhadamanthys, RisePro, Meduza and Stealc subsequently adopted the technique, and on December 26 WhiteSnake implemented it as well. Eternity Stealer is currently working on an update, indicating a concerning trend of rapid integration across infostealer families.

The screenshot below shows the new encrypted restore token present in the newer Lumma build (log dated November 26), while the other side highlights the older version, in which cookies from browsers were simply collated into Account_Chrome_Default.txt.

Figure 2: Difference between Lumma malware logs: the one dated November 26 contains the encrypted restore token, while the ones from the 12th contain just the cookies extracted from browsers.

Technical Analysis

Scaling from Zero - How Malwares are exfiltrating required secrets

Exfiltration of tokens and account IDs: By reversing the malware variants, we found that they target the token_service table in Chrome's Web Data database to extract the tokens and account IDs of the Chrome profiles that are signed in. The table has two crucial columns: service (the GAIA ID) and encrypted_token. The encrypted tokens are decrypted with the key stored in Chrome's Local State file inside the User Data directory, the same scheme Chrome uses to protect stored passwords.

Figure 3: The structure of the token_service table

Figure 4: Description of the stealer's feature for exfiltrating the required details from the victim's machine
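As an added example (not CloudSEK's code, and not a rule from any vendor), the detection below runs over constructed file-access telemetry and flags any process other than Chrome that reads or copies the files a stealer needs for this technique: Web Data (where token_service lives), Local State (the OSCrypt key) and Login Data. The event field names and the sample process names are hypothetical and must be mapped to your EDR's schema, and Chrome is recognised by install path only, which should be tightened with a code-signer check in production.

```python
"""Detect non-browser processes reading Chrome's credential stores.

Added example, not CloudSEK's code or any vendor's rule. Runs over
constructed file-access telemetry and reports every read or copy of
`Web Data`, `Login Data` or `Local State` under a Chrome User Data
directory by a process that is not Chrome itself.
Assumptions: event fields (process_path, target_path, op) are hypothetical;
Chrome is identified by its standard install path only.
"""
import json
import re
from pathlib import PureWindowsPath

# Files a stealer needs: token_service lives in Web Data, the OSCrypt key in
# Local State, and Login Data is the classic saved-password store.
SENSITIVE_FILES = {"web data", "login data", "local state"}
USER_DATA_RE = re.compile(r"\\google\\chrome\\user data\\", re.IGNORECASE)
# Chrome's own image under a system-wide or per-user (versioned) install.
CHROME_IMAGE_RE = re.compile(
    r"\\google\\chrome\\application\\(\d+(\.\d+)*\\)?chrome\.exe$", re.IGNORECASE)
# Stealers commonly copy the locked database aside before reading it.
WATCHED_OPS = {"read", "copy"}


def is_chrome_credential_store(path: str) -> bool:
    """True for Web Data / Login Data / Local State inside a Chrome profile tree."""
    p = PureWindowsPath(path)
    return bool(USER_DATA_RE.search(str(p))) and p.name.lower() in SENSITIVE_FILES


def is_chrome_itself(image: str) -> bool:
    """Path-based allow-list for Chrome's binary (weak alone; pair with a signer check)."""
    return bool(CHROME_IMAGE_RE.search(str(PureWindowsPath(image))))


def detect(events):
    """Return one finding per suspicious access, in event order."""
    findings = []
    for ev in events:
        if ev.get("op", "").lower() not in WATCHED_OPS:
            continue
        if not is_chrome_credential_store(ev["target_path"]):
            continue
        if is_chrome_itself(ev["process_path"]):
            continue
        findings.append({
            "process": ev["process_path"],
            "file": PureWindowsPath(ev["target_path"]).name,
            "op": ev["op"],
            "rule": "non-browser access to Chrome credential store",
        })
    return findings


# Constructed telemetry (JSON lines), not real logs. Process names are made up.
SAMPLE_EVENTS = r"""
{"process_path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data", "op": "read"}
{"process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_x64.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State", "op": "read"}
{"process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_x64.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data", "op": "copy"}
{"process_path": "C:\\Windows\\explorer.exe", "target_path": "C:\\Users\\alice\\Documents\\report.docx", "op": "read"}
{"process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\Login Data", "op": "read"}
{"process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_x64.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data", "op": "stat"}
"""


def load_events(jsonl: str):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def run_demo():
    """Run the rule over the constructed sample and return the findings."""
    return detect(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_demo():
        print(f"[ALERT] {f['op']} of {f['file']} by {f['process']}")
```

Chrome itself opens these files continuously, so the allow-list is what keeps the rule quiet; the `stat` event is deliberately ignored to show that only operations that can actually obtain the bytes are alerted on.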

Analyzing the Endpoint's Origin and Use

The MultiLogin endpoint, as revealed through Chromium's source code, is an internal mechanism designed for synchronizing Google accounts across services. It facilitates a consistent user experience by ensuring that browser account states align with Google's authentication cookies.

Searching for mentions of the endpoint with a Google dork turned up nothing. A search on GitHub, however, gave exact matches in the Chromium source code, shown below.

Figure 5: Chromium source code revealing the endpoint's parameter format, data format and purpose



The endpoint accepts a vector of account IDs and auth-login tokens, the data needed to manage simultaneous sessions or switch between user profiles seamlessly. The Chromium codebase confirms that while MultiLogin plays a vital role in user authentication, it also presents an exploitable avenue when the tokens it consumes fall into the wrong hands, as the recent malware developments show.


Figure 6: Unit tests revealing the expected request data

Our TI sources conversed with the threat actor who discovered the issue, which accelerated our identification of the endpoint responsible for regenerating the cookies.

Reverse Engineering the Exploit Code

Revealing the endpoint: Reverse engineering the exploit executable provided by the original author uncovered the specific endpoint involved. This undocumented MultiLogin endpoint is part of Google's OAuth system and accepts vectors of account IDs and auth-login tokens.

Figure 7: Reverse-engineered exploit code showing the endpoint exploited


Intricate Tactics of Threat Actors

Lumma's exploitation of the undocumented Google OAuth2 MultiLogin endpoint is a textbook example of how threat actors protect the tradecraft they sell.

Lumma's approach hinges on the token:GAIA ID pair, the material that, when submitted to the MultiLogin endpoint, regenerates Google service cookies. Lumma's innovation is to encrypt this pair with keys held only by its operators, so that the stealer's customers receive an opaque blob and the regeneration is performed through Lumma's own infrastructure. This 'blackboxing' serves two purposes:

  • Protection of the exploit technique: Encrypting the pivotal token:GAIA ID pair masks the core mechanism of the exploit. The encryption acts as a barrier that hinders other malicious entities from duplicating the method, preserving the uniqueness of the feature in the competitive cybercrime market and giving Lumma an edge. However, Lumma's subsequent adaptation, which introduced SOCKS proxies to circumvent Google's IP-based restrictions on cookie regeneration, inadvertently exposed some details of the requests and responses, partially compromising that obscurity.
  • Evasion of detection: Because the token:GAIA ID pair leaves the victim machine as an opaque encrypted blob rather than a recognisable credential, the exfiltrated log yields little to anyone inspecting it, and the eventual MultiLogin request is made from Lumma's infrastructure to a legitimate Google endpoint, where it blends in with ordinary TLS traffic to Google rather than standing out to network security systems.

Figure 8: Successful regeneration of cookies after resetting the password


Sophistication in Exploitation Technique

This technique demonstrates a deep understanding of Google's internal authentication mechanisms. By submitting the stolen token:GAIA ID pair, Lumma can continuously regenerate cookies for Google services, and, more alarmingly, the exploit remains effective even after users have reset their passwords. This persistence allows prolonged and potentially unnoticed access to user accounts and data.

The tactical decision to encrypt the exploit's key component showcases a deliberate move towards more advanced, stealth-oriented cyber threats. It signifies a shift in the landscape of malware development, where the emphasis is increasingly on the concealment and protection of exploit methodologies, as much as on the effectiveness of the exploits themselves.

HUMINT Analysis

The role of human intelligence: HUMINT accelerated the research. Sources provided partial information about the exploit, and our initial attempts against the endpoint failed with HTTP 400 responses. Further HUMINT, combined with OSINT, revealed the request schema the exploit uses.

Figure 9: The original TA's conversation with our source


Exploit source and origin: The user-agent string found in the exploit source (Figure 7), com.google.Drive/6.0.230903 iSL/3.4 iPhone/15.7.4 hw/iPhone9_4 (gzip), suggests that a penetration test of Google Drive's services on Apple devices was a potential origin of the exploit. Its imperfect testing left this trace of its source.

Interim Remediation Steps

While we await a comprehensive fix from Google, users can act immediately. If you suspect your account may have been compromised, or as a general precaution, sign out of all browser profiles to invalidate the current session tokens, then reset your password and sign back in to generate new tokens. This is especially crucial for users whose tokens and GAIA IDs may have been exfiltrated: invalidating the old tokens that the infostealers rely on cuts off the regeneration loop.
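The following added example (CloudSEK's post contains no code; this is ours, not Chrome's) ties the harvesting described under Technical Analysis to the remediation above: it inspects a Chrome User Data directory read-only and lists which GAIA IDs have a token stored in token_service, so a responder knows exactly which accounts need the sign-out and password reset. It decrypts nothing. It assumes the `AccountId-` prefix on the service column, the `v10`/`v20` OSCrypt blob prefixes and the `os_crypt.encrypted_key` location in Local State; the User Data directory it runs on here is a constructed fixture.

```python
"""Triage which Google accounts on a host are exposed by token_service theft.

Added example, not CloudSEK's or Chrome's code. Reads Chrome's `Web Data`
SQLite database and `Local State` file without modifying them, lists the
account identifiers in the `token_service` table and classifies each
`encrypted_token` blob by its version prefix. Nothing is decrypted.
Assumptions: Chrome stores the account key as "AccountId-<gaia_id>" in the
`service` column; OSCrypt blobs begin with b"v10" (key DPAPI-wrapped in Local
State) or b"v20" (app-bound key); Local State keeps that key base64-encoded
at os_crypt.encrypted_key behind a 5-byte "DPAPI" tag.
"""
from __future__ import annotations

import base64
import json
import os
import shutil
import sqlite3
import tempfile
from dataclasses import dataclass
from pathlib import Path

ACCOUNT_ID_PREFIX = "AccountId-"
DPAPI_TAG = b"DPAPI"


@dataclass
class TokenRecord:
    gaia_id: str
    blob_version: str   # "v10", "v20" or "unknown"
    blob_length: int


def parse_service_column(service: str) -> str:
    """Strip Chrome's account-key prefix to get the bare GAIA ID."""
    return service[len(ACCOUNT_ID_PREFIX):] if service.startswith(ACCOUNT_ID_PREFIX) else service


def classify_blob(blob: bytes) -> str:
    """Identify the OSCrypt format from the 3-byte version prefix."""
    prefix = bytes(blob[:3])
    return prefix.decode("ascii") if prefix in (b"v10", b"v20") else "unknown"


def read_token_service(web_data_path: Path) -> list[TokenRecord]:
    """Copy Web Data aside (a running Chrome holds it locked) and read token_service."""
    with tempfile.TemporaryDirectory() as tmp:
        snapshot = Path(tmp) / "Web Data"
        shutil.copy2(web_data_path, snapshot)
        con = sqlite3.connect(snapshot)
        try:
            rows = con.execute("SELECT service, encrypted_token FROM token_service").fetchall()
        finally:
            con.close()
    return [TokenRecord(parse_service_column(svc), classify_blob(tok), len(tok)) for svc, tok in rows]


def local_state_key_info(local_state_path: Path) -> dict:
    """Describe, without unwrapping, the OSCrypt master key kept in Local State."""
    state = json.loads(local_state_path.read_text(encoding="utf-8"))
    encoded = state.get("os_crypt", {}).get("encrypted_key")
    if encoded is None:
        return {"present": False}
    raw = base64.b64decode(encoded)
    wrapped = raw.startswith(DPAPI_TAG)
    return {"present": True, "dpapi_wrapped": wrapped,
            "wrapped_blob_len": len(raw) - len(DPAPI_TAG) if wrapped else len(raw)}


def triage_user_data(user_data: Path) -> dict:
    """Walk every profile under User Data and collect the GAIA IDs at risk."""
    report = {"master_key": local_state_key_info(user_data / "Local State"), "profiles": {}}
    for entry in sorted(user_data.iterdir()):
        web_data = entry / "Web Data"
        if web_data.is_file():
            report["profiles"][entry.name] = read_token_service(web_data)
    return report


def build_sample_user_data(root: Path) -> Path:
    """Constructed fixture standing in for a real Chrome User Data directory."""
    user_data = root / "User Data"
    user_data.mkdir(parents=True)
    # Fake master key: the 5-byte DPAPI tag followed by an opaque 32-byte blob.
    fake_key = base64.b64encode(DPAPI_TAG + os.urandom(32)).decode("ascii")
    (user_data / "Local State").write_text(
        json.dumps({"os_crypt": {"encrypted_key": fake_key}}), encoding="utf-8")
    fixtures = {
        "Default": [("AccountId-100000000000000000001", b"v10" + os.urandom(68))],
        "Profile 1": [("AccountId-100000000000000000002", b"v20" + os.urandom(60)),
                      ("legacy-service", b"xx" + os.urandom(20))],  # constructed row without the prefix
    }
    for profile, rows in fixtures.items():
        (user_data / profile).mkdir()
        con = sqlite3.connect(user_data / profile / "Web Data")
        # Column layout of Chrome's token_service table (binding_key column omitted).
        con.execute("CREATE TABLE token_service (service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)")
        con.executemany("INSERT INTO token_service VALUES (?, ?)", rows)
        con.commit()
        con.close()
    return user_data


def run_demo() -> dict:
    """Build the fixture in a temp dir and triage it; point triage_user_data at a real path instead."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_user_data(build_sample_user_data(Path(tmp)))


if __name__ == "__main__":
    result = run_demo()
    print("Local State key:", result["master_key"])
    for profile, records in result["profiles"].items():
        for rec in records:
            print(f"{profile}: GAIA {rec.gaia_id} has a {rec.blob_version} token blob ({rec.blob_length} bytes)")
```

On a real host, pass `%LOCALAPPDATA%\Google\Chrome\User Data` to `triage_user_data` and run it as the affected user; every GAIA ID it lists corresponds to an account whose sessions should be signed out and whose password should be reset, whether or not the stealer's log has surfaced yet.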


Frequently Asked Questions

What is the nature of the exploit involving Google accounts?

The exploit involves malware using an undocumented Google OAuth endpoint, "MultiLogin," to regenerate expired Google Service cookies, allowing persistent access to compromised accounts. This method bypasses the need for a password but doesn't represent a direct vulnerability in the OAuth system itself.

Does changing your password secure your account against this exploit?

Changing the password alone is not sufficient: the exploit can regenerate authentication cookies even after a password reset, though only once. To fully secure the account, sign out of all sessions and revoke any suspicious connections.

Can users revoke access if their account is compromised?

Users can invalidate stolen sessions by signing out of the affected browser or remotely revoking sessions through their account's device management page.

Is this a new form of cyber attack?

While this specific exploit and the exfiltration of this specific token are relatively new, malware stealing passwords and cookies is not a novel threat. The recent incidents have drawn attention to the sophistication and stealth of modern attacks.

What should users do to protect their accounts?

Users are advised to regularly check for unfamiliar sessions, change passwords, and be vigilant when downloading unknown software or opening unknown attachments.

Conclusion

This analysis underscores the complexity and stealth of modern cyber threats. It highlights the necessity for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats. The collaboration of technical and human intelligence is crucial in uncovering and understanding sophisticated exploits like the one analyzed in this report.

Appendix

Appendix 1: Lumma posting the feature on November 14, 2023

Appendix 2: WhiteSnake Stealer's implementation of the feature on December 26, 2023

Appendix 3: RisePro's implementation of the same feature on December 12, 2023

Appendix 4: Stealc's implementation of the feature on December 1, 2023

Appendix 5: Meduza's feature from December 11, 2023

Appendix 6: Rhadamanthys's feature to restore Google accounts

Appendix 7: The Lumma team's counteraction to Google's fraud detection

Appendix 8: The PRISMA developer's conversation with another public source about the theft and reuse by Lumma


Author

Pavan Karthick M

Threat Intelligence Researcher at CloudSEK
