Malware Exploits Google OAuth Endpoint to ‘Revive’ Cookies and Hijack Accounts

Introduction

Multiple information-stealing malware families are taking advantage of an undocumented Google OAuth endpoint, named “MultiLogin,” to revive expired authentication cookies and gain unauthorized access to users’ accounts. This exploitation allows threat actors to log into accounts even after the legitimate owners have taken measures such as logging out, resetting passwords, or when the session has expired.

Background

Session cookies, a specialized type of browser cookie containing authentication information, typically have a limited lifespan. However, in late November 2023, BleepingComputer reported on two information-stealers, Lumma and Rhadamanthys, claiming to restore expired Google authentication cookies stolen during cyberattacks.

Despite attempts to seek clarification from Google regarding these claims and inquiries on mitigation efforts, BleepingComputer received no response. A recent report by CloudSEK researchers provides further insights into the zero-day exploit, shedding light on the method’s intricacies and highlighting the extent of its exploitation.

Discovery of the Exploit

The exploit came to public attention on October 20, 2023, when a threat actor named PRISMA disclosed on Telegram a method to restore expired Google authentication cookies. Upon reverse engineering the exploit, CloudSEK identified the use of an undocumented Google OAuth endpoint called “MultiLogin,” designed for synchronizing accounts across different Google services by accepting a vector of account IDs and auth-login tokens.

Exploitation Malware

Information-stealing malware leveraging this endpoint extracts tokens and account IDs from Chrome profiles logged into a Google account. The stolen information, comprising the service (GAIA ID) and the encrypted_token, is then used to regenerate expired Google Service cookies through the MultiLogin endpoint.

The encrypted tokens are decrypted using an encryption key stored in Chrome’s ‘Local State’ file, the same key used to decrypt passwords saved in the browser. Threat actors armed with token:GAIA pairs can regenerate expired authentication cookies and maintain persistent access to compromised accounts.

Proliferation of Exploitation

Following the initial adoption by Lumma on November 14, other information-stealers quickly incorporated this exploit into their functionalities. Rhadamanthys followed suit on November 17, and subsequently, additional stealers like Stealc, Medusa, RisePro, and Whitesnake adopted the exploit on various dates in December.

Countermeasures and Ongoing Concerns

Lumma’s developers, in response to potential competition, applied blackboxing techniques such as encrypting the token:GAIA pair with private keys. Additionally, they implemented SOCKS proxies to evade Google’s abuse detection measures and enabled encrypted communication between the malware and the MultiLogin endpoint.

Google has not yet confirmed the abuse of the MultiLogin endpoint, leaving the status of the exploitation and the effectiveness of mitigation measures uncertain at this time.

Source: Bleeping Computer