Recent cybersecurity investigations have uncovered a critical exploitation of an undocumented Google OAuth endpoint, dubbed “MultiLogin”. This exploit is being used by various information-stealing malware families to regenerate expired Google authentication cookies, thereby facilitating unauthorized account access.
The Exploit Details:
- Endpoint Abuse: Malware families are exploiting the “MultiLogin” Google OAuth endpoint, originally intended for synchronizing accounts across Google services.
- Cookie Regeneration: This exploit allows threat actors to regenerate expired Google service cookies, maintaining persistent access to compromised accounts.
- Password Reset Limitation: Once a user resets their Google password, the authentication cookie can only be regenerated once. Without a reset, it can be regenerated multiple times.
Malware Families Involved:
- Early Adopters: Lumma and Rhadamanthys stealers were among the first to adopt this exploit in November 2023.
- Following Suit: Other malware families like Stealc, Medusa, RisePro, and Whitesnake have since incorporated this exploit.
- Mitigation Evasion: Lumma updated the exploit to use SOCKS proxies and encrypted communication to evade Google’s abuse detection measures.
Research and Discovery:
- CloudSEK Analysis: Researchers reverse-engineered the exploit, demonstrating its ability to regenerate expired Google authentication cookies.
- PRISMA’s Discovery: The exploit was initially revealed by a threat actor named PRISMA, who posted about it on Telegram.
Implications:
- Widespread Account Hijacking: The exploit presents a significant threat to Google account security, allowing for unauthorized and persistent access.
- Google’s Response: There has been no official response or confirmation from Google regarding the abuse of the MultiLogin endpoint or its mitigation efforts.
Recommendations:
- For Users: Regularly change Google account passwords and monitor accounts for unusual activities.
- For Organizations: Implement advanced threat detection systems to identify signs of cookie theft and exploitation.
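One concrete form the organizational recommendation above can take is a log check for the two observable symptoms of revived or stolen session cookies: the same session identifier appearing from more than one client fingerprint in a short window, and a session that predates a password reset still being used afterwards. The script below is an added example written for this summary, not code from the article or from Google; the log format, field names, user names, addresses and events are all constructed for illustration, since the page does not describe what Google's own logs or the MultiLogin traffic look like.

```python
"""
Added example (not from the original article): a small detector for
signs of revived or stolen session cookies in web-session logs.

Assumptions (constructed for this example, not taken from the page):
  - one log line per request: timestamp user event sid=.. ip=.. ua=..
  - a "pwreset" event marks a password reset for that user
  - a client fingerprint is the (ip, user-agent) pair

Signals:
  1. fingerprint_switch : one session id used from two different
     fingerprints within a short window
  2. session_after_reset: a session that was first seen before the
     user's password reset is still in use after it
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical users, addresses and agents).
SAMPLE_LOG = """\
2024-01-03T09:00:00Z alice login   sid=S1 ip=203.0.113.10 ua=Chrome/120
2024-01-03T09:05:00Z alice request sid=S1 ip=203.0.113.10 ua=Chrome/120
2024-01-03T09:07:00Z alice request sid=S1 ip=198.51.100.7 ua=python-requests/2.31
2024-01-03T10:00:00Z alice pwreset sid=S1 ip=203.0.113.10 ua=Chrome/120
2024-01-03T10:30:00Z alice request sid=S1 ip=198.51.100.7 ua=python-requests/2.31
2024-01-03T11:00:00Z bob   login   sid=S2 ip=192.0.2.5 ua=Firefox/121
2024-01-03T11:10:00Z bob   request sid=S2 ip=192.0.2.5 ua=Firefox/121
"""


def parse_line(line):
    """Turn one constructed log line into a dict of typed fields."""
    ts, user, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "event": event,
        "sid": fields["sid"],
        "fp": (fields["ip"], fields["ua"]),
    }


def detect(log_text, window=timedelta(minutes=15)):
    """Return a list of (signal, session_id, user) alerts in time order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    alerts = []
    seen = defaultdict(list)   # sid -> [(timestamp, fingerprint), ...]
    first_seen = {}            # sid -> first timestamp the sid appeared
    reset_at = {}              # user -> time of the last password reset

    for e in events:
        if e["event"] == "pwreset":
            reset_at[e["user"]] = e["ts"]
            continue

        first_seen.setdefault(e["sid"], e["ts"])

        # Signal 2: a pre-reset session still active after the reset.
        reset = reset_at.get(e["user"])
        if reset is not None and first_seen[e["sid"]] < reset < e["ts"]:
            alerts.append(("session_after_reset", e["sid"], e["user"]))

        # Signal 1: same sid, different client fingerprint, inside the window.
        recent = [fp for ts, fp in seen[e["sid"]] if e["ts"] - ts <= window]
        if recent and any(fp != e["fp"] for fp in recent):
            alerts.append(("fingerprint_switch", e["sid"], e["user"]))

        seen[e["sid"]].append((e["ts"], e["fp"]))

    return alerts


if __name__ == "__main__":
    for signal, sid, user in detect(SAMPLE_LOG):
        print(f"{signal}: session {sid} of user {user}")
```

Both signals are deliberately narrow: the fingerprint check only fires when the switch happens within the window, so a user who roams between networks over a day is not flagged, and the post-reset check only fires for sessions that were established before the reset, so a fresh login after the reset is treated as normal. Either signal on its own is a reason to invalidate the session server-side and look at the client that presented it.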
The exploitation of the Google OAuth “MultiLogin” endpoint by multiple malware families represents a significant escalation in account hijacking tactics. The ability to revive expired authentication cookies poses a severe threat to user privacy and account security. Continuous vigilance and proactive cybersecurity measures are essential to combat this evolving threat.