AI Security AI安全 8d ago Updated 8d ago 更新于 8天前 46

ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API 与ToddyCat相关的Umbrij恶意软件滥用OAuth通过Google API访问Gmail

Threat actor ToddyCat deployed new malware named Umbrij to steal Gmail data via OAuth token abuse. The attack utilizes a technique called Shadow Token via Remote Debug (STRD) to hijack active browser sessions. Umbrij leverages DLL side-loading of legitimate binaries to execute an obfuscated .NET payload. The malware extracts browser profiles, launches them in headless mode, and uses Puppeteer to automate OAuth consent. This method allows attackers to bypass traditional authentication prompts by APT组织ToddyCat推出新型恶意软件Umbrij,利用OAuth协议和Google API窃取Gmail企业邮箱数据。 攻击者采用名为“Shadow Token via Remote Debug (STRD)”的技术,通过无头模式浏览器劫持已登录的Google会话获取访问令牌。 Umbrij利用DLL侧加载技术,滥用Bitdefender、Visual Studio等合法二进制文件启动,并混淆.NET代码以逃避检测。 恶意软件通过复制用户配置文件、使用Puppeteer控制浏览器并模拟点击,自动完成OAuth授权流程以提取凭证。 该工具支持针对Chrome和Edge浏览器,可指定目标用户

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Threat actor ToddyCat deployed new malware named Umbrij to steal Gmail data via OAuth token abuse.
  • The attack utilizes a technique called Shadow Token via Remote Debug (STRD) to hijack active browser sessions.
  • Umbrij leverages DLL side-loading of legitimate binaries to execute an obfuscated .NET payload.
  • The malware extracts browser profiles, launches them in headless mode, and uses Puppeteer to automate OAuth consent.
  • This method allows attackers to bypass traditional authentication prompts by exploiting existing logged-in states.

Why It Matters

This incident highlights a sophisticated evolution in credential theft where attackers move beyond simple password dumping to abusing OAuth protocols for persistent, high-privilege access. It demonstrates how legitimate browser features, such as remote debugging and headless modes, can be weaponized to automate social engineering and permission granting without user interaction. For security teams, this underscores the critical need to monitor for unusual browser automation activities and validate the integrity of startup processes.

Technical Details

  • Execution Method: Umbrij uses DLL side-loading, injecting malicious code into legitimate executables like BDSubWiz.exe, VSTestVideoRecorder.exe, or GoogleDesktop.exe to evade detection.
  • Session Hijacking: The malware copies user profile directories (including IndexedDB, Local Storage, and Login Data) to a backup folder, then launches the browser in headless mode using these profiles to retain active cookies and session tokens.
  • Automation: It employs Puppeteer via the Chrome DevTools Protocol to connect to the browser's remote debugging port, emulating mouse clicks to select accounts and grant OAuth permissions automatically.
  • Token Extraction: By redirecting the OAuth flow through a controlled URL, Umbrij captures the authorization code, which is then exchanged for access tokens to retrieve Gmail, Drive, and Contacts data.
  • Obfuscation: The core logic is written in .NET and heavily obfuscated using ConfuserEx to hinder static analysis and reverse engineering efforts.

Industry Insight

  • Organizations should implement strict controls over browser remote debugging ports and restrict the execution of unsigned or unexpected DLLs to prevent side-loading attacks.
  • Security monitoring must extend to detecting automated browser interactions and anomalous OAuth consent flows, particularly those involving migration tools or unfamiliar client IDs.
  • Users and enterprises should regularly audit authorized applications in their Google Workspace accounts and enable multi-factor authentication to mitigate the impact of stolen OAuth tokens.

TL;DR

  • APT组织ToddyCat推出新型恶意软件Umbrij,利用OAuth协议和Google API窃取Gmail企业邮箱数据。
  • 攻击者采用名为“Shadow Token via Remote Debug (STRD)”的技术,通过无头模式浏览器劫持已登录的Google会话获取访问令牌。
  • Umbrij利用DLL侧加载技术,滥用Bitdefender、Visual Studio等合法二进制文件启动,并混淆.NET代码以逃避检测。
  • 恶意软件通过复制用户配置文件、使用Puppeteer控制浏览器并模拟点击,自动完成OAuth授权流程以提取凭证。
  • 该工具支持针对Chrome和Edge浏览器,可指定目标用户、保存截图及记录详细操作日志以便后续数据外泄。

为什么值得看

本文揭示了高级持续性威胁(APT)组织如何利用合法的浏览器调试机制和OAuth授权流程进行隐蔽的数据窃取,展示了传统端点防护在面对无头浏览器自动化攻击时的局限性。对于安全从业者而言,理解这种结合DLL侧加载与API滥用的混合攻击手法,有助于优化对异常浏览器行为和未授权OAuth令牌生成的监控策略。

技术解析

  • 攻击向量与启动机制:Umbrij通过伪造计划任务触发数字签名的恶意文件,利用DLL侧加载(DLL Side-loading)技术,注入到BDSubWiz.exeVSTestVideoRecorder.exeGoogleDesktop.exe等合法进程中执行,有效规避部分静态检测。
  • 核心窃取技术 (STRD):攻击者将目标用户的浏览器配置文件复制到临时目录,以“无头模式”(Headless Mode)启动浏览器,并通过远程调试端口连接。利用Puppeteer库发送请求,伪装成合法的PST迁移工具,诱导浏览器发起OAuth授权请求。
  • 自动化授权流程:恶意软件使用JavaScript模拟鼠标点击事件,在浏览器界面中自动选择Google账户并授予包括Gmail、Drive、Contacts在内的完整权限,随后从重定向URL中提取OAuth授权码,最终交换为Access Token。
  • 数据收集与持久化:Umbrij会枚举本地用户配置文件,强制复制IndexedDBLogin Data等敏感文件,并记录详细操作日志。它支持命令行参数指定目标浏览器、用户名及是否生成PDF截图,增强了攻击的灵活性和隐蔽性。

行业启示

  • 强化OAuth应用审核与监控:企业应加强对第三方应用请求OAuth权限的审计,特别是针对看似合法但行为异常的客户端ID(如伪装成迁移工具),需建立异常令牌获取的实时告警机制。
  • 关注无头浏览器的安全风险:鉴于攻击者利用无头模式绕过图形界面交互检测,安全解决方案需具备识别非交互式浏览器进程异常行为的能力,例如监控未预期的远程调试端口连接或自动化脚本执行。
  • 防御DLL侧加载攻击:组织应实施严格的白名单策略和应用控制,限制非预期二进制文件的执行权限,并定期更新系统组件,以减少被利用进行DLL侧加载的合法软件数量。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全