Google password resets not enough to stop these info-stealing malware strains

Now every miscreant is jumping on Big G's OAuth account security hole

Updated Security researchers say info-stealing malware can still access victims' compromised Google accounts even after passwords have been changed.

A zero-day exploit of Google account security was first teased by a cybercriminal known as "PRISMA" in October 2023, boasting that the technique could be used to log back into a victim's account even after the password is changed. It can also be used to generate new session tokens to regain access to victims' emails, cloud storage, and more as necessary.

Since then, developers of info-stealer malware – primarily targeting Windows, it seems – have steadily implemented the exploit in their code. The total number of known malware families that abuse the vulnerability stands at six, including Lumma and Rhadamanthys, while Eternity Stealer is also working on an update to release in the near future.

They're called info stealers because once they're running on some poor sap's computer, they go to work finding sensitive information – such as remote desktop credentials, website cookies, and cryptowallets - on the local host and leaking them to remote servers run by miscreants.

Eggheads at CloudSEK say they found the root of the Google account exploit to be in the undocumented Google OAuth endpoint "MultiLogin."

The exploit revolves around stealing victims' session tokens. That is to say, malware first infects a person's PC – typically via a malicious spam or a dodgy download, etc – and then scours the machine for, among other things, web browser session cookies that can be used to log into accounts.

Those session tokens are then exfiltrated to the malware's operators to enter and hijack those accounts. It turns out that these tokens can still be used to login even if the user realizes they've been compromised and change their Google password.

Here's an important part: It appears users who've had their cookies stolen should log out entirely, and thus invalidate their session tokens, to prevent exploitation.

MultiLogin is responsible for synchronizing Google accounts across different services. It accepts a vector of account IDs and auth-login tokens to manage simultaneous sessions or switch between user profiles.

Reverse engineering the info-stealer malware revealed that the account IDs and auth-login tokens from logged-in Google accounts are taken from the token_service table of WebData in Chrome

This table contains two columns crucial to the exploit's functionality: service (contains a GAIA ID) and encrypted_token. The latter is decrypted using a key stored in Chrome's Local State file, which resides in the UserData directory.

The stolen token:GAIA ID pairs can then be used together with MultiLogin to continually regenerate Google service cookies even after passwords have been reset, and those can be used to log in.

Pavan Karthick M, threat intelligence researcher at CloudSEK, reckons the discovery provides evidence of cybercriminals' high degree of sophistication. In Lumma's case, each token:GAIA ID pair is encrypted by the malware, masking the finer details of the mechanism.

In a more recent update, however, Lumma introduced SOCKS proxies to bypass Google's IP-based restrictions on token regeneration. In doing so, the malware's developers now expose some details of the requests and responses, potentially undoing some of their earlier efforts to conceal the functionality's inner workings.

The encryption of the traffic between the malware's C2 and MultiLogin also lessens the chances of standard security measures detecting the malicious activity, Karthick said, since encrypted traffic is more likely to be overlooked.

"The tactical decision to encrypt the exploit's key component showcases a deliberate move towards more advanced, stealth-oriented cyber threats," he added. "It signifies a shift in the landscape of malware development, where the emphasis is increasingly on the concealment and protection of exploit methodologies, as much as on the effectiveness of the exploits themselves."

The Register approached Google for information about its plans to address the threat and had not received a response at the time of publication. As we said, changing your password and logging out entirely, and back in again looks like it will prevent tokens from being revived. We'll let you know if that's certainly the case. ®

Updated at 1009 UTC on January 3, 2024, to add

Google has confirmed that if you've had your session tokens stolen by local malware, don't just change your password: log out to invalidate those cookies, and/or revoke access to compromised devices.

"Google is aware of recent reports of a malware family stealing session tokens," a spokesperson told us. "Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.

"However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user. This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user's devices page. We will continue to monitor the situation and provide updates as needed.

"In the meantime, users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads."

Send us news

Suspected supply chain attack backdoors courtroom recording software

An open and shut case, but the perps remain at large – whoever they are

With ransomware whales becoming so dominant, would-be challengers ask 'what's the point?'

Fewer rivals on the scene as big-gang success soars

LockBit dethroned as leading ransomware gang for first time post-takedown

Rivals ready to swoop in but drop in overall attacks illustrates LockBit’s influence

British Library's candid ransomware comms driven by 'emotional intelligence'

It quickly realized ‘dry’ progress updates weren’t cutting it

Three cuffed for 'helping North Koreans' secure remote IT jobs in America

Your local nail tech could be a secret agent for Kim’s cunning plan

Cybersec chiefs team up with insurers to say 'no' to ransomware bullies

Guidebook aims to undermine the criminal business model

NHS Digital hints at exploit sightings of Arcserve UDP vulnerabilities

When PoC code is released within a day of disclosure, it's only a matter of time before attacks kick off

Uncle Sam urges action after Black Basta ransomware infects Ascension

Emergency ambulances diverted while techies restore systems

Europol confirms incident following alleged auction of staff data

Intelligence-sharing platform remains down for maintenance

Microsoft's Brad Smith summoned by Homeland Security committee over 'cascade' of infosec failures

Major intrusions by both China and Russia leave a lot to be answered for

Google takes shots at Microsoft for shoddy security record with enterprise apps

Also, feds who switch to Google Workspace for 3 years get an extra year for free

Cybercriminals hit jackpot as 500k+ Ohio Lottery lovers lose out on their personal data

Not a lotto luck for these powerball hunters