Security researchers say info-stealing malware can still access victims' compromised Google accounts even after passwords have been changed.
Developers of infostealer malware - mainly targeting Windows, it seems - have steadily implemented the exploit.
The total number of known malware families that abuse the vulnerability stands at six, including Lumma and Rhadamanthys, while Eternity Stealer is also working on an update to release in the near future.
The exploit revolves around stealing victims' session tokens.
That is to say, malware first infects a person's PC - typically via malicious spam, a dodgy download, etc - and then scours the machine for, among other things, web browser session tokens that can be used to log into accounts.
Session cookies ideally expire frequently, something that can limit their usefulness in account takeover attacks.
Those tokens are then exfiltrated to the malware's operators to hijack those accounts.
It turns out that these tokens can still be used to log in even if the user realizes they've been compromised and changes their Google password.
It appears users should log out, and thus invalidate their session tokens, to prevent exploitation.
MultiLogin is responsible for synchronizing Google accounts across different services.
It accepts a vector of account IDs and auth-login tokens to manage simultaneous sessions or switch between user profiles.
Reverse engineering the infostealer malware revealed that the account IDs and auth-login tokens from logged-in Google accounts are taken from the token service table of WebData in Chrome.
This table contains two columns crucial to the exploit's functionality: service and encrypted token.
The stolen token:GAIA ID pairs can then be used together with MultiLogin to continually regenerate Google service cookies even after passwords have been reset, and those can be used to log in.
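Because the theft starts with a non-browser process reading Chrome's WebData database (the file named "Web Data" under each Chrome profile), one defensive check is to flag any process other than the browser opening it. The example below is added here and is not from the article or from any of the stealer families it names; it runs over constructed Sysmon-style file-access events (the JSON field names and the process allowlist are assumptions for illustration).

```python
import json
import re

# Constructed Sysmon-style file-access events (one JSON object per line) used as
# sample input; they are illustrative, not real telemetry. Field names are assumed.
SAMPLE_EVENTS = r"""
{"ts": "2024-01-02T10:00:01Z", "host": "ws01", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"ts": "2024-01-02T10:02:17Z", "host": "ws01", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"ts": "2024-01-02T10:02:18Z", "host": "ws01", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "target": "C:\\Users\\alice\\Documents\\notes.txt"}
{"ts": "2024-01-02T10:05:00Z", "host": "ws02", "image": "C:\\Windows\\System32\\svchost.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\Web Data"}
"""

# Chrome's WebData database lives at <User Data>\<profile>\Web Data and holds the
# token service table the article describes.
WEBDATA_RE = re.compile(r"\\Google\\Chrome\\User Data\\([^\\]+)\\Web Data$", re.IGNORECASE)

# Processes expected to open the file; anything else touching it is worth a look.
# This allowlist is an assumption for the example and should match your estate.
ALLOWED_IMAGES = frozenset({"chrome.exe"})

def find_suspicious_webdata_access(events_text, allowed_images=ALLOWED_IMAGES):
    """Return one finding per event where a non-allowlisted process opened Web Data."""
    findings = []
    for line in events_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        m = WEBDATA_RE.search(ev["target"])
        if not m:
            continue  # not the Chrome WebData database, ignore
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if image_name in allowed_images:
            continue  # the browser itself is expected to read its own database
        findings.append({
            "ts": ev["ts"],
            "host": ev["host"],
            "image": ev["image"],
            "profile": m.group(1),
            "reason": "non-browser process opened Chrome Web Data (token service store)",
        })
    return findings

if __name__ == "__main__":
    for f in find_suspicious_webdata_access(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['image']} -> profile {f['profile']!r}: {f['reason']}")
```

A hit here is a trigger to invalidate the user's Google sessions (sign out everywhere, not just a password reset) rather than proof of infection on its own.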
In Lumma's case, each token:GAIA ID pair is encrypted by the malware, masking the finer details of the mechanism.
In a more recent update Lumma introduced SOCKS proxies to bypass Google's IP-based restrictions on token regeneration.
The malware's developers now expose some details of the requests and responses, potentially undoing some of their earlier efforts to conceal the functionality's inner workings.
The encryption of the traffic between the malware's C2 and MultiLogin also lessens the chances of standard security measures detecting the malicious activity, Karthick said, since encrypted traffic is more likely to be overlooked.
The Register approached Google for information about its plans to address the threat and had not received a response at the time of publication.
As we said, changing your password and logging out and back in again looks like it will prevent tokens from being revived.
This Cyber News was published on go.theregister.com. Publication date: Tue, 02 Jan 2024 20:13:04 +0000