Malware Abuses Google OAuth Endpoint to ‘revive’ Cookies, Hijack Accounts

Cyber Threat Summary:
Researchers are warning that multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint named “MultiLogin” to restore expired authentication cookies to log into user’s accounts. This technique can be used for persistent access even if the account’s password has been reset.

The session cookies abused in this case typically have a limited lifespan, and cannot be used indefinitely, Using this technique however, threat actors have claimed to be able to restore expired Google authentication cookies. Since November of 2023, both the Lumma and Rhadamanthys info stealers have been claiming to restore these session cookies to be used in attacks. These cookies would allow the cybercriminals to gain unauthorized access to Google accounts even after the legitimate owners have logged out, reset their passwords, or their session has expired.

Security Officer Comments:
Researchers from CloudSEK outlined how the zero-day exploit works, and shared details about the scale of the flaw’s exploitation. According to the researchers, the exploit was first revealed by a threat actor named PRISMA on October 20, 2023, who posted on Telegram that they discovered a way to restore expired Google authentication cookies.

The flaw is the result of a legitimate function for synchronizing accounts across different Google services. "This request is used to set chrome accounts in browser in the Google authentication cookies for several google websites (e.g. youtube). This request is part of Gaia Auth API, and is triggered whenever accounts in cookies are not consistent with accounts in browser.”

The info stealers are able to abuse this endpoint to extract tokens and account IDs of Chrome profiles logged into a Google account. From there they can obtain two crucial pieces of data: the GAIA ID and encrypted_token. The encrypted tokens are decrypted using an encryption stored in Chrome's 'Local State' file. This same encryption key is also used to decrypt saved passwords in the browser. Using the stolen token:GAIA pairs with the MultiLogin endpoint, the threat actors can regenerate expired Google Service cookies and maintain persistent access on compromised accounts.

Suggested Correction(s):
While Lumma and Rhadamanthys were the first to begin using this technique, various other information stealers are now leveraging the zero-day. According to the researchers, at least six info-stealers currently claim the ability to regenerate Google cookies using this API endpoint.

Google has yet to confirm the abuse of the MultiLogin endpoint, but a subsequent release by Lumma updated the exploit to counteract Google's mitigations, which suggests the tech giant knows about the actively exploited zero-day flaw. Specifically, Lumma turned to using SOCKS proxies to evade Google's abuse detection measures and implemented encrypted communication between the malware and the MultiLogin endpoint.