Fast Facts
- ToddyCat’s Umbrij malware drives Chrome or Edge in headless mode over the browser’s remote debugging interface to obtain an OAuth 2.0 authorization code from an already signed-in Google session, then exchanges it for an access token that gives covert API access to corporate Gmail mailboxes.
- The malware is loaded by DLL side-loading against legitimate Windows binaries and runs obfuscated scripts that automate the extraction of browser profile data and OAuth authorization codes.
- Because the access rides on a legitimate, already-authenticated session and an OAuth grant that looks sanctioned, attackers can read and exfiltrate mailbox contents without causing a failed login or password prompt, and the grant stays usable until it is revoked.
Threat, Techniques, and Targets
The threat actor ToddyCat has developed a tool, tracked as Umbrij, for covertly reading the email of organizations whose corporate mail is hosted on Gmail. Rather than stealing passwords, it abuses the Google APIs and the OAuth 2.0 authorization-code flow. On a compromised host it starts a Chromium-based browser (Chrome and Edge are both affected) in headless mode with remote debugging enabled and drives it through that debugging interface. Because the browser profile already holds an active, signed-in Google session, the tool can request an OAuth authorization code for that account, exchange the code for an access token, and then read mailbox data through the Gmail API with no visible browser window and no credential prompt for the victim. The technique therefore depends on two conditions: a user who is currently logged in to Google in that browser profile, and the ability to launch the browser with its remote debugging feature. Different Umbrij builds also bundle debugging aids for the tool itself and a routine for locating the signed-in user accounts inside the browser profile.
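The launch pattern described above (a Chromium browser started with remote debugging enabled, headless, typically by something other than the user’s desktop shell) is visible in ordinary process-creation telemetry. The following detection logic is an added example written for this summary, not ToddyCat tooling or any vendor’s rule. The event field names, the sample events and the parent-process heuristic are constructed assumptions; adapt them to your own Sysmon or EDR schema.

```python
"""Flag Chromium browsers launched with remote debugging enabled.

Added example, not ToddyCat tooling or any vendor's detection rule. It scans
process-creation events (constructed here, Sysmon Event ID 1 style) for
chrome.exe or msedge.exe started with --remote-debugging-port or
--remote-debugging-pipe, and raises the severity when --headless is also set.
Field names and the parent-process heuristic are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe"}
# Parents that normally start an interactive browser. Anything else (a script
# host, a side-loaded binary, a scheduled task) deserves a look.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe"}

HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S+)?(?=\s|$)")
DEBUG_PORT_RE = re.compile(r"(?:^|\s)--remote-debugging-port=(\d+)")
DEBUG_PIPE_RE = re.compile(r"(?:^|\s)--remote-debugging-pipe(?=\s|$)")
USER_DATA_RE = re.compile(r"(?:^|\s)--user-data-dir=")


@dataclass
class Finding:
    pid: int
    image: str
    parent: str
    severity: str
    debug_port: int | None
    reasons: list[str] = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inspect_event(event: dict) -> Finding | None:
    """Return a Finding if this process-creation event matches the pattern."""
    image = basename(event["image"])
    if image not in CHROMIUM_IMAGES:
        return None
    cmd = event["command_line"]
    port_match = DEBUG_PORT_RE.search(cmd)
    pipe = DEBUG_PIPE_RE.search(cmd) is not None
    if port_match is None and not pipe:
        return None  # no remote debugging interface exposed

    reasons = ["remote debugging enabled"]
    if HEADLESS_RE.search(cmd):
        reasons.append("headless mode")
    parent = basename(event["parent_image"])
    if parent not in INTERACTIVE_PARENTS:
        reasons.append(f"non-interactive parent {parent}")
    if USER_DATA_RE.search(cmd):
        reasons.append("explicit --user-data-dir (profile selection)")

    # Headless plus debugging is the Umbrij combination; debugging alone is
    # also what a developer using DevTools-protocol tooling produces.
    severity = "high" if "headless mode" in reasons else "medium"
    return Finding(
        pid=event["pid"],
        image=image,
        parent=parent,
        severity=severity,
        debug_port=int(port_match.group(1)) if port_match else None,
        reasons=reasons,
    )


def scan(events: list[dict]) -> list[Finding]:
    return [f for f in (inspect_event(e) for e in events) if f is not None]


# Constructed sample telemetry (not real victim data; parent names are made up).
SAMPLE_EVENTS = [
    {   # normal user launch from the desktop shell: nothing to report
        "pid": 3100,
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    },
    {   # headless + remote debugging from a non-interactive parent
        "pid": 4242,
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "parent_image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
        "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                        r'--remote-debugging-port=9222 '
                        r'--user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data" --no-first-run',
    },
    {   # developer attaching DevTools tooling: worth a look, but not headless
        "pid": 5151,
        "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9333',
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.image} parent={f.parent} "
              f"port={f.debug_port}: {'; '.join(f.reasons)}")
```

Treat the medium-severity hits as a tuning baseline: developers who drive Chrome through the DevTools protocol will produce them, so the high-confidence signal is the combination of headless mode, a debugging port and a parent that is not the user’s shell.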
Impact, Implications, and Guidance
Umbrij gives attackers silent read access to a targeted organization’s email. Because the token is issued through a legitimate OAuth grant on an already-authenticated session, there is no failed login, password prompt or new-device sign-in to alert the user, and the resulting API traffic resembles that of any sanctioned mail client. The risk is to the confidentiality of corporate communications and to the integrity of anything decided over email. To reduce exposure, organizations should audit third-party OAuth app access across their Google Workspace tenant and look specifically for grants to apps named “Google Workspace Migration for Microsoft Outlook” or “Google Workspace Sync for Microsoft Outlook”. Both are legitimate Google tools, so a grant is suspicious only where the organization does not actually run Outlook migration or sync; in that case revoke the grant, since an existing grant stays valid until it is removed, and treat the affected accounts as potentially compromised. On endpoints, process-creation telemetry showing chrome.exe or msedge.exe started with --headless together with a remote debugging flag by anything other than the user’s interactive session is a useful detection signal for this technique. For further steps, organizations should consult the relevant vendor or authority guidance on securing their accounts and systems.
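The OAuth audit above can be scripted. The following is an added example written for this summary, not Google’s or any vendor’s code, and it goes slightly beyond the guidance: besides flagging the two Outlook-integration names for users who are not enrolled in Outlook sync or migration, it flags any other app that holds a Gmail scope unless the app is on an approved list. The grant records are constructed in the shape returned by the Admin SDK Directory API users.tokens.list (clientId, displayText, scopes, userKey); the client ID strings and user names are placeholders, not real identifiers.

```python
"""Audit Google Workspace OAuth grants for suspicious Gmail access.

Added example, not Google's or any vendor's code. Records are constructed in
the shape of Directory API users.tokens.list items; the clientId values are
placeholders (the real IDs are not reproduced here). The two Outlook apps
are flagged only for users who are not enrolled in Outlook sync/migration,
and any other app holding a Gmail scope is flagged unless it is approved.
"""
from __future__ import annotations

WATCHLIST_NAMES = {
    "Google Workspace Migration for Microsoft Outlook",
    "Google Workspace Sync for Microsoft Outlook",
}
FULL_MAIL_SCOPE = "https://mail.google.com/"
GMAIL_SCOPE_PREFIX = "https://www.googleapis.com/auth/gmail."


def is_mail_scope(scope: str) -> bool:
    """True for the full-mailbox scope or any gmail.* scope."""
    return scope == FULL_MAIL_SCOPE or scope.startswith(GMAIL_SCOPE_PREFIX)


def audit_grants(grants: list[dict],
                 approved_apps: frozenset[str] = frozenset(),
                 outlook_sync_users: frozenset[str] = frozenset()) -> list[dict]:
    """Return one finding per grant that needs review (and probably revocation)."""
    findings = []
    for g in grants:
        name = g.get("displayText", "")
        user = g["userKey"]
        mail_scopes = [s for s in g.get("scopes", []) if is_mail_scope(s)]
        reason = None
        if name in WATCHLIST_NAMES:
            # Legitimate Google tools, so suspicious only where Outlook
            # integration is not actually deployed for this user.
            if user not in outlook_sync_users:
                reason = "Outlook-integration grant for a user not enrolled in Outlook sync/migration"
        elif mail_scopes and name not in approved_apps:
            reason = "unapproved app holds mail scopes: " + ", ".join(mail_scopes)
        if reason:
            findings.append({"userKey": user, "clientId": g["clientId"],
                             "displayText": name, "reason": reason})
    return findings


# Constructed sample data (placeholder client IDs, fictional users).
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "clientId": "111111111111-placeholder.apps.googleusercontent.com",
     "displayText": "Google Workspace Sync for Microsoft Outlook",
     "scopes": [FULL_MAIL_SCOPE, "https://www.googleapis.com/auth/calendar",
                "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "bob@example.com", "clientId": "111111111111-placeholder.apps.googleusercontent.com",
     "displayText": "Google Workspace Sync for Microsoft Outlook",
     "scopes": [FULL_MAIL_SCOPE]},
    {"userKey": "carol@example.com", "clientId": "222222222222-placeholder.apps.googleusercontent.com",
     "displayText": "Google Workspace Migration for Microsoft Outlook",
     "scopes": [FULL_MAIL_SCOPE]},
    {"userKey": "dave@example.com", "clientId": "333333333333-placeholder.apps.googleusercontent.com",
     "displayText": "Slack",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "erin@example.com", "clientId": "444444444444-placeholder.apps.googleusercontent.com",
     "displayText": "Mail Merge Helper",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"userKey": "frank@example.com", "clientId": "555555555555-placeholder.apps.googleusercontent.com",
     "displayText": "Corporate Mail Archiver",
     "scopes": [FULL_MAIL_SCOPE]},
]

APPROVED_APPS = frozenset({"Corporate Mail Archiver"})
OUTLOOK_SYNC_USERS = frozenset({"bob@example.com"})

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, APPROVED_APPS, OUTLOOK_SYNC_USERS):
        print(f"{f['userKey']}: {f['displayText']} ({f['clientId']}) -> {f['reason']}")
```

In a live run the records come from the Directory API users.tokens.list call for each user, and a flagged grant is removed with users.tokens.delete using the same clientId, after which the account’s recent Gmail API activity should be reviewed for what was read while the grant was active.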
