Info-Stealing Malware Now Includes Google Session Hijacking

Google OAuth2 Vulnerability Being Actively Abused by Attackers, Researchers Warn
Multiple malware-as-a-service info stealers now include the ability to manipulate authentication tokens to give attackers persistent access to a victim's Google account, even after the victim has reset their password, researchers warn.

Since November, this capability has been built into the Lumma Stealer, which is information-stealing malware available as a service, cybersecurity firm CloudSEK reported on Friday.

The firm's researchers said the vulnerability is particularly concerning because it enables hackers to manipulate the OAuth 2.0 security protocol, which is widely used to allow access to Google-connected accounts via single sign-on (see: Experts' View: Avoid Social Networks' Single Sign-On).

Google did not immediately respond to a request for comment.

Lumma Stealer appears to have been the first malware-as-a-service offering to provide its users with the ability to exploit the "undocumented OAuth2 functionality" via "blackboxing," i.e., hiding from its own users what the exploit does and how. "This strategic move not only preserves the uniqueness of their exploit in the competitive landscape of cybercrime but also provides them with an edge in the illicit market," CloudSEK said in its report, adding that the exploitation technique reveals a high "level of sophistication and understanding of Google's internal authentication mechanisms."

Despite Lumma Stealer's blackboxing approach, other malware distribution groups have also been exploiting the vulnerability.

"The exploit rapidly spread among various malware groups," including Rhadamanthys, RisePro, Meduza and Stealc Stealer, CloudSEK said, and the operators of Eternity Stealer recently said they are working to add the functionality.

The firm's research team said the vulnerability appears to have been discovered by an attacker who uses the handle PRISMA and who first revealed a zero-day exploit for the flaw in a late October post to a Telegram channel. As described by PRISMA, exploiting the vulnerability allows for "session persistence," including the ability to maintain a session even if a user changes their password, as well as the ability to generate valid authentication cookies even if a session is disrupted, so the attacker can "maintain unauthorized access," CloudSEK said.

Using the exploit to compromise a Google account "will allow threat actors to use Drive, email login," as well as other OAuth-connected services, meaning the exploit could have "a very severe impact" on affected users and organizations, Pavan Karthick M, a threat researcher for CloudSEK, told Information Security Media Group.

"If infected, their Google accounts can be abused to be part of a malicious infrastructure," he said, adding that threat actors can use the exploit to post malicious content online, abuse streaming services and access "anything connected to Google."

About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.