Cybersecurity company CloudSEK has discovered a serious exploit affecting Google services that is used to grant threat actors access to Google accounts.
The exploit, identified in October 2023, allows continued access to Google services even after the victim resets their password.
The exploit has “rapidly spread” among malware groups, including Lumma, Rhadamanthys, Risepro, Meduza, Stealc and White Snake.
Malware that hijacks Google accounts spreads quickly
CloudSEK says the exploit allows the generation of persistent Google cookies through token manipulation, giving the threat actor continuous access to the victim’s account.
Since information about the vulnerability was exposed in October, a growing list of threat actors has been incorporating the exploit into their data stealers and malware to gain access to Google accounts. At least six groups are actively exploiting the vulnerability with their own malware.
CloudSEK analysis confirms that the Google OAuth endpoint MultiLogin, which is designed to sync Google accounts between services and provide users with a consistent experience, is central to the technique threat actors use to enter Google accounts.
Reverse engineering has revealed that the malware targets Chrome’s WebData token_service table to extract tokens and account IDs from Chrome profiles.
Threat actors can use the stolen information to regenerate session cookies, which are designed to have a limited lifespan, to unlock access to the victim’s account.
Reports by BleepingComputer reveal that one group, Lumma, has already updated the exploit to counter Google’s mitigations, indicating that Google is already aware of the exploit. However, from the looks of it, Lumma has outsmarted the company, for now.
TechRadar Pro has asked Google for more information about how users can protect themselves and whether the company will release any additional protection measures. Meanwhile, users can avoid many cybersecurity problems simply by being careful about what they download: a large share of malware is downloaded by the victim “voluntarily”, whether knowingly or not.