The newly discovered malware, Umbrij, has been linked to the cybercriminal group ToddyCat; its primary goal is gaining unauthorized access to Gmail accounts by abusing the Google API. This development was detailed in a recent report by Kaspersky, which emphasizes the malware’s focus on breaching corporate email systems using OAuth tokens.
Technical Details of the Umbrij Malware
Umbrij’s operation involves acquiring OAuth tokens to infiltrate email communications hosted on Gmail. By exploiting the OAuth 2.0 protocol, the malware accesses email resources through a series of strategic API requests. This method has been termed ‘Shadow Token via Remote Debug (STRD)’ by Kaspersky.
The attack targets Chromium-based browsers, leveraging an active Gmail session to gain entry into Google account resources. The malware operates in headless mode via remote debugging, allowing it to control browser sessions without the user noticing. Three versions of Umbrij have surfaced, each equipped with functions for debugging and for selecting user accounts within the browser.
Malware Deployment and Execution
Umbrij was uncovered during a threat-hunting initiative, where it was found to be launched via a scheduled task mimicking legitimate software, such as Kaspersky’s own endpoint security tool. The malware uses DLL side-loading techniques, leveraging legitimate binaries like BDSubWiz.exe, VSTestVideoRecorder.exe, and GoogleDesktop.exe to execute the rogue DLL.
Once deployed, Umbrij performs preparatory actions, such as verifying that a debugging port is available and duplicating user tokens to maintain privileges. It collects user profile data from browser directories, ensuring it can operate under authenticated Gmail sessions. The malware then uses Puppeteer to drive the browser session and request the OAuth authorization codes needed for Gmail access.
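The two host-level behaviours described above, a side-loading host binary and a Chromium-based browser started headless with a remote-debugging port, are what a defender can look for in process-creation telemetry. The following detector is an added example written for this article, not code from Kaspersky’s report or from the malware. The log line format and its field names (image, parentimage, cmdline) are constructed assumptions; the browser switches it matches are standard Chromium command-line flags, and the side-loading host names come from the article.

```python
"""
Added example: scan constructed process-creation log lines for the two
Umbrij behaviours the article describes: a Chromium-based browser started
in headless mode with a remote-debugging port, and the DLL side-loading
host binaries named in the report. Log format and field names are assumed.
"""
import re

# Side-loading host binaries named in the article (compared case-insensitively).
SIDELOAD_HOSTS = {"bdsubwiz.exe", "vstestvideorecorder.exe", "googledesktop.exe"}

# Chromium-based browser executables whose command line we inspect.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Standard Chromium switches that together indicate an automated, invisible session.
REMOTE_DEBUG = re.compile(r"--remote-debugging-port=(\d+)", re.IGNORECASE)
HEADLESS = re.compile(r"--headless(=\w+)?\b", re.IGNORECASE)


def parse_line(line):
    """Parse a constructed key=value log line into a dict.
    Values may be wrapped in double quotes so command lines can contain spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(fields):
    """Return a list of finding strings for one parsed event."""
    findings = []
    image = basename(fields.get("image", ""))
    cmdline = fields.get("cmdline", "")
    parent = basename(fields.get("parentimage", "")) or "unknown"
    if image in BROWSERS:
        port = REMOTE_DEBUG.search(cmdline)
        headless = HEADLESS.search(cmdline)
        if port and headless:
            findings.append(f"headless browser with remote debugging on port {port.group(1)} (parent {parent})")
        elif port:
            findings.append(f"browser remote debugging enabled on port {port.group(1)}")
    if image in SIDELOAD_HOSTS:
        findings.append(f"known DLL side-loading host {image} launched by {parent}")
    return findings


def scan(lines):
    """Return (line_number, finding) tuples for every suspicious event."""
    results = []
    for n, line in enumerate(lines, 1):
        for finding in classify(parse_line(line)):
            results.append((n, finding))
    return results


# Constructed sample events (timestamps, paths and user name are illustrative only).
SAMPLE_LOG = [
    'ts=2024-05-01T09:00:00Z image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" parentimage="C:\\Windows\\explorer.exe" cmdline="chrome.exe --profile-directory=Default"',
    'ts=2024-05-01T09:01:10Z image="C:\\Users\\Public\\BDSubWiz.exe" parentimage="C:\\Windows\\System32\\svchost.exe" cmdline="BDSubWiz.exe"',
    'ts=2024-05-01T09:01:12Z image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" parentimage="C:\\Users\\Public\\BDSubWiz.exe" cmdline="chrome.exe --headless=new --remote-debugging-port=9222 --user-data-dir=C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data"',
    'ts=2024-05-01T09:05:00Z image="C:\\Windows\\System32\\notepad.exe" parentimage="C:\\Windows\\explorer.exe" cmdline="notepad.exe"',
]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```

On the sample data the detector flags the side-loading host on line 2 and the headless, remote-debuggable browser it spawned on line 3, while the ordinary browser start and notepad are ignored. A browser with only a remote-debugging port is reported at lower severity, since developers and test tooling use that switch legitimately; the headless-plus-debug combination with a non-interactive parent is the pattern worth paging on.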
Impact and Prevention of Umbrij Attacks
Umbrij’s capability to log activities and extract OAuth authorization codes presents significant risks to corporate email security. The stolen OAuth tokens are used to access Gmail accounts via the API, compromising sensitive communications. To mitigate this threat, organizations are advised to review and revoke unnecessary application permissions in their Google account settings, particularly those related to Google Workspace migration applications.
Andrey Gunkin, a senior malware analyst at Kaspersky, highlights the sophistication of ToddyCat’s operations, noting the group’s relentless pursuit of compromising email communications. Their use of automation in tools like Umbrij underscores their advanced technical expertise and commitment to scaling attacks.
As the cyber threat landscape evolves, staying informed about emerging threats like Umbrij and implementing robust security measures remain crucial for protecting organizational assets.