ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API
Threat actor ToddyCat deployed new malware named Umbrij to steal Gmail data via OAuth token abuse. The attack utilizes a technique called Shadow Token via Remote Debug (STRD) to hijack active browser sessions. Umbrij leverages DLL side-loading of legitimate binaries to execute an obfuscated .NET payload. The malware extracts browser profiles, launches them in headless mode, and uses Puppeteer to automate OAuth consent. This method allows attackers to bypass traditional authentication prompts by
Analysis
TL;DR
- Threat actor ToddyCat deployed new malware named Umbrij to steal Gmail data via OAuth token abuse.
- The attack utilizes a technique called Shadow Token via Remote Debug (STRD) to hijack active browser sessions.
- Umbrij leverages DLL side-loading of legitimate binaries to execute an obfuscated .NET payload.
- The malware extracts browser profiles, launches them in headless mode, and uses Puppeteer to automate OAuth consent.
- This method allows attackers to bypass traditional authentication prompts by exploiting existing logged-in states.
Why It Matters
This incident highlights a sophisticated evolution in credential theft where attackers move beyond simple password dumping to abusing OAuth protocols for persistent, high-privilege access. It demonstrates how legitimate browser features, such as remote debugging and headless modes, can be weaponized to automate social engineering and permission granting without user interaction. For security teams, this underscores the critical need to monitor for unusual browser automation activities and validate the integrity of startup processes.
Technical Details
- Execution Method: Umbrij uses DLL side-loading, injecting malicious code into legitimate executables like
BDSubWiz.exe,VSTestVideoRecorder.exe, orGoogleDesktop.exeto evade detection. - Session Hijacking: The malware copies user profile directories (including IndexedDB, Local Storage, and Login Data) to a backup folder, then launches the browser in headless mode using these profiles to retain active cookies and session tokens.
- Automation: It employs Puppeteer via the Chrome DevTools Protocol to connect to the browser's remote debugging port, emulating mouse clicks to select accounts and grant OAuth permissions automatically.
- Token Extraction: By redirecting the OAuth flow through a controlled URL, Umbrij captures the authorization code, which is then exchanged for access tokens to retrieve Gmail, Drive, and Contacts data.
- Obfuscation: The core logic is written in .NET and heavily obfuscated using ConfuserEx to hinder static analysis and reverse engineering efforts.
Industry Insight
- Organizations should implement strict controls over browser remote debugging ports and restrict the execution of unsigned or unexpected DLLs to prevent side-loading attacks.
- Security monitoring must extend to detecting automated browser interactions and anomalous OAuth consent flows, particularly those involving migration tools or unfamiliar client IDs.
- Users and enterprises should regularly audit authorized applications in their Google Workspace accounts and enable multi-factor authentication to mitigate the impact of stolen OAuth tokens.
Disclaimer: The above content is generated by AI and is for reference only.