Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking.

A detailed blog on Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset.

  • Category: Adversary Intelligence
  • Industry: All Industries
  • Motivation:Financial
  • Source*C – Fairly Reliable
    1 – Confirmed by Independent sources

Executive Summary

In October 2023, PRISMA, a developer, uncovered a critical exploit that allows the generation of persistent Google cookies through token manipulation. This exploit enables continuous access to Google services, even after a user’s password reset. A client, a threat actor, later reverse-engineered this script and incorporated it into Lumma Infostealer (See Appendix8), protecting the methodology with advanced blackboxing techniques. This marked the beginning of a ripple effect, as the exploit rapidly spread among various malware groups to keep on par with unique features. 

CloudSEK’s threat research team, leveraging HUMINT and technical analysis, identified the exploit’s root at an undocumented Google Oauth endpoint named “MultiLogin”. This report delves into the exploit’s discovery, its evolution, and the broader implications for cybersecurity.

Timeline of events:

October 20, 2023: The exploit is first revealed on a Telegram channel. (Figure 1)

November 14, 2023: Lumma announces the feature’s integration with an advanced blackboxing approach. The feature started Booming because of the Security Field posting about Lumma’s unique feature. (Appendix 1)

Rhadamanthys Nov 17: Rhadamanthys announces the feature with similar blackboxing approach as Lumma (Appendix 6)

November 24, 2023: Lumma updates the exploit to counteract Google’s fraud detection measures. (Appendix 7)

Stealc Dec 1 , 2023 – Implemented the google account token restore feature (Appendix 4)

Meduza Dec 11, 2023 – Implemented the google account token restore feature (Appendix 5)

RisePro Dec 12, 2023  – Implemented the google account token restore feature (Appendix 3)

WhiteSnake Dec 26, 2023 – Implemented the google account token restore feature (Appendix 2)

Dec 27, 2023 – Hudson Rock posts video from Darkweb where a hacker shows exploiting the generated cookies

Analysis and Attribution

Information from the Post

  • On 20 October 2023 , CloudSEK’s contextual AI digital risk platform XVigil  discovered that a threat actor named  ‘PRISMA’ made a significant announcement on their Telegram channel, unveiling a potent 0-day solution addressing challenges with incoming sessions of Google accounts. This solution boasts two key features:

    Session Persistence: 
    The session remains valid even when the account password is changed, providing a unique advantage in bypassing typical security measures.
    Cookie Generation: The capability to generate valid cookies in the event of a session disruption enhances the attacker’s ability to maintain unauthorized access.
  • The developer expressed openness to cooperation, suggesting a potential willingness to collaborate or share insights on this newfound exploit.

Figure 1: TA post about his find in a telegram channel on October 20, 2023

The Lumma Infostealer, incorporating the discovered exploit, was implemented on November 14. Subsequently, Rhadamanthys, Risepro, Meduza and Stealc Stealer adopted this technique. On December 26, White Snake also implemented the exploit. Currently, Eternity Stealer is actively working on an update, indicating a concerning trend of rapid integration among various Infostealer groups.

In the below screenshot you can see the New encrypted restore token which is present in newer version of Lumma (Dated 26th Nov) whilst the other side of the screenshot highlights the older version where cookies from browsers are collated to create Account_Chrome_Default.txt

Figure 2 : Difference between Lumma malware logs, One dated 26th November containing Encrypted cookie and  Ones from 12 Just the Cookies extracted from browsers.

Technical Analysis

Scaling from Zero – How Malwares are exfiltrating required secrets

Exfiltration of Tokens and Account IDs: By reversing the Malware variant, we understood they target Chrome’s token_service table of WebData to extract tokens and account IDs of chrome profiles logged in. This table contains two crucial columns: service (GAIA ID) and encrypted_token. The encrypted tokens are decrypted using an encryption key stored in Chrome’s Local State within the UserData directory, similar to the encryption used for storing passwords.

Figure 3 The structure of the token_service table

Figure 4 Description of Stealer’s feature of  Exfiltrating required Details from victim’s machine

Analyzing the Endpoint’s Origin and Use

The MultiLogin endpoint, as revealed through Chromium’s source code, is an internal mechanism designed for synchronizing Google accounts across services. It facilitates a consistent user experience by ensuring that browser account states align with Google’s authentication cookies.

We tried finding endpoint’s mentions with a Google Dork, but we failed to find any. Later trying to find the same endpoint in GitHub gave exact matches which revealed the Source Code of chromium as seen below.

Figure 5 Source code in Google’s chromium source code Revealing Parameter format, Data Format and purpose


This endpoint operates by accepting a vector of account IDs and auth-login tokens—data essential for managing simultaneous sessions or switching between user profiles seamlessly. The insights from the Chromium codebase confirm that while the MultiLogin feature plays a vital role in user authentication, it also presents an exploitable avenue if mishandled, as evidenced by recent malware developments

Figure 6 UnitTests revealing the Expected Request Data

Our TI Sources have conversed with the Threat actor who discovered the issue, which accelerated our discovery of the endpoint which was responsible for regenerating the cookies.

Reverse Engineering the Exploit Code

Revealing the Endpoint: By reverse engineering the exploit executable provided by the original author, the specific endpoint involved in the exploit was uncovered. This undocumented MultiLogin endpoint is a critical part of Google’s OAuth system, accepting vectors of account IDs and auth-login tokens.

Figure 7 Reverse Engineered Exploit code which shows endpoint exploited.

Intricate Tactics of Threat Actors

In the realm of cyber threats, the tactics employed by threat actors are often as sophisticated as they are clandestine. The case of Lumma’s exploitation of the undocumented Google OAuth2 MultiLogin endpoint provides a textbook example of such sophistication.

Lumma’s approach hinges on a nuanced manipulation of the token:GAIA ID pair, a critical component in Google’s authentication process. This pair, when used in conjunction with the MultiLogin endpoint, enables the regeneration of Google service cookies. Lumma’s strategic innovation lies in the encryption of this token:GAIA ID pair with their proprietary private keys. By doing so, they effectively ‘blackbox’ the exploitation process, shrouding the core mechanics of the exploit in secrecy. This blackboxing serves two purposes:

  • Protection of the Exploit Technique: By applying encryption to the pivotal token:GAIA ID pair, Lumma effectively masks the core mechanism of their exploit. This layer of encryption acts as a barrier, hindering other malicious entities from duplicating their method. This strategic move not only preserves the uniqueness of their exploit in the competitive landscape of cybercrime but also provides them with an edge in the illicit market. However, Lumma’s subsequent adaptation, which introduced the use of SOCKS proxies to circumvent Google’s IP-based restrictions on cookie regeneration, inadvertently exposed some details of the requests and responses, potentially compromising the exploit’s obscurity.
  • Evasion of Detection: Encrypted communication between the malware c2 and the MultiLogin endpoint is less likely to trigger alarms in network security systems. Standard security protocols are more prone to overlook encrypted traffic, mistaking it for legitimate encrypted data exchange.

Figure 8 Successful Regeneration of Cookies after Resetting Password.

Sophistication in Exploitation Technique

This exploitation technique demonstrates a higher level of sophistication and understanding of Google’s internal authentication mechanisms. By manipulating the token:GAIA ID pair, Lumma can continuously regenerate cookies for Google services. Even more alarming is the fact that this exploit remains effective even after users have reset their passwords. This persistence in access allows for prolonged and potentially unnoticed exploitation of user accounts and data.

The tactical decision to encrypt the exploit’s key component showcases a deliberate move towards more advanced, stealth-oriented cyber threats. It signifies a shift in the landscape of malware development, where the emphasis is increasingly on the concealment and protection of exploit methodologies, as much as on the effectiveness of the exploits themselves.

HUMINT Analysis:

The Role of Human Intelligence: HUMINT played a pivotal role in accelerating the research process. Sources provided partial information about the exploit, leading to initial unsuccessful attempts (400 responses) from the endpoint. However, further HUMINT insights, combined with OSINT, revealed the exploit’s schema.

Figure 9 Original TA’s conversation with our source

Exploit Source and Origin: Analysis of the user-agent string found in the source code as seen in  Figure7 (com.google.Drive/6.0.230903 iSL/3.4 iPhone/15.7.4 hw/iPhone9_4 (gzip)) suggests that a penetration test on Google Drive’s services on Apple devices was a potential origin for the exploit. The exploit’s imperfect testing led to revealing its source.

Conclusion

This analysis underscores the complexity and stealth of modern cyber threats. It highlights the necessity for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats. The collaboration of technical and human intelligence is crucial in uncovering and understanding sophisticated exploits like the one analyzed in this report.

References

Appendix

Appendix 1: Lumma posting the feature on Nov 14, 2023

Appendix 2: White snake stealer implemented the function to their stealer on December 26 2023

Appendix 3: RisePro’s Implmentation of the same feature on December 12
Appendix 4: StealC’s implementation of the feature on Dec 1

Appendix 5: Meduza’s Feature from December 11, 2023

Appendix 6: Rhadamanthys’s feature to restore Google Account

Appendix 7: Counteraction by Lumma team due to Fraud detection from Google.
Appendix 8: Prisma dev’s Conversation with another Public Source about the Theft and Reuse by Lumma

Don’t Stop Here

More To Explore

Infostealers Webinar – Hudson Rock

Learn about Infostealers with actual real life breaches caused by Infostealer infections with Leonid Rozenberg, Hudson Rock’s Head of Partnerships & Integrations. To discover how

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise