
Malware Using Google MultiLogin Exploit to Maintain Access Despite Password Reset

Urgent Alert - Google Multilogin Exploit

Bar Refael

January 8, 2024

Google Multilogin Exploit Overview:

  • Threat Type: Malware / Data Theft
    • Nature of Threat: The malware goes beyond simple data extraction; it uses the stolen data to obtain persistent, unauthorized access to user accounts and the sensitive information held in them.
    • Impact on Data Integrity and Confidentiality: Because the attacker can both read and act within the compromised accounts, the malware threatens the confidentiality and integrity of user data and poses significant risks to personal and organizational data security.
  • Affected Service: Google MultiLogin OAuth endpoint
    • Service Description: The Google MultiLogin feature is an OAuth endpoint used for managing multiple Google accounts. It plays a crucial role in synchronizing user credentials and session tokens across various Google services.
    • Vulnerability Exploited: The malware abuses an undocumented behaviour of this endpoint to obtain and misuse authentication tokens. This is critical because it bypasses a standard security measure, the password change, that users rely on to revoke access.
  • Primary Activity: Hijacking User Sessions, Maintaining Unauthorized Access Post Password Reset
    • Session Hijacking Mechanics: The malware is capable of hijacking active user sessions by exploiting the Google MultiLogin feature. It gains access to session tokens, which are then used to persistently access the user’s Google accounts.
    • Persistence Despite Security Measures: Remarkably, this access remains effective even after users reset their passwords. The conventional security practice of resetting passwords, typically a reliable method for revoking unauthorized access, is rendered ineffective against this type of attack.
    • Implications for Users: This ongoing access poses a serious security threat, as attackers can continuously monitor and extract sensitive information from a user’s Google services without detection.

Additional Considerations

  • Wider Implications: The exploitation of such a feature in a widely-used service like Google’s highlights broader vulnerabilities in popular online services and the need for constant vigilance and updating of security protocols.
  • User Awareness: It is crucial for users to be aware of this type of threat and to understand that traditional security practices, while still necessary, might not always be sufficient against more sophisticated forms of malware.

Google Multilogin Exploit Technical Details:

  • Exploit Discovery: First revealed by PRISMA on October 20, 2023
  • Affected Families: Lumma, Rhadamanthys, Stealc, Meduza, RisePro, WhiteSnake
  • Targeted Data: Tokens and account IDs from Chrome’s token_service table
  • Methodology: Utilizing GAIA ID and encrypted_token to regenerate Google authentication cookies

Threat Actor Profile:

  • Name: PRISMA
  • Technique Disclosed: October 20, 2023
  • Recent Increase in Exploit Activity: Recent reports and analyses have indicated a surge in the use of this exploit by various malicious actors, making it a pressing concern.
  • Method of Communication: Telegram channel
  • Associated Malware Families: Various MaaS stealer families

Impact Assessment:

  • Scope of Impact: Users of Google services via Chrome browser
  • Data at Risk: Session persistence, account accessibility
  • Google’s Response: Acknowledgement of the exploit, securing compromised accounts

Mitigation Strategies:

  • User Actions: Enable Enhanced Safe Browsing in Chrome and monitor account activity for suspicious sessions
  • Password Management: Change passwords regularly
  • Session Management: Log out of affected browsers to invalidate stolen sessions
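The core symptom described in this alert is a session that keeps working after a password reset. The following detection is an added example, not code from the original alert or from Google: it runs over constructed audit records in a hypothetical schema (fields `ts`, `user`, `kind`, `session_id`) and flags any session that was established before the user's latest password reset and is still used afterwards, while excluding the session that performed the reset, which legitimately stays signed in.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str                     # "login", "password_reset" or "activity"
    session_id: Optional[str] = None

def ev(ts: str, user: str, kind: str, sid: Optional[str] = None) -> Event:
    return Event(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), user, kind, sid)

# Constructed sample records (hypothetical schema, not a real Google log format).
SAMPLE_EVENTS: List[Event] = [
    ev("2024-01-08T09:00:00", "alice", "login", "S-old"),        # pre-existing session
    ev("2024-01-08T09:30:00", "alice", "login", "S-self"),       # session used for the reset
    ev("2024-01-08T10:00:00", "alice", "password_reset", "S-self"),
    ev("2024-01-08T10:05:00", "alice", "activity", "S-self"),    # expected after a reset
    ev("2024-01-08T11:00:00", "alice", "activity", "S-old"),     # survived the reset: suspicious
    ev("2024-01-08T08:00:00", "bob", "login", "S-bob"),
    ev("2024-01-08T08:10:00", "bob", "activity", "S-bob"),       # no reset: nothing to flag
]

def sessions_surviving_reset(events: List[Event]) -> Dict[str, Dict[str, datetime]]:
    """Map user -> {session_id: last_seen} for sessions that began before the
    user's most recent password reset yet were still used after it, excluding
    the session that performed the reset."""
    by_user: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    findings: Dict[str, Dict[str, datetime]] = {}
    for user, evs in by_user.items():
        resets = [e for e in evs if e.kind == "password_reset"]
        if not resets:
            continue
        last_reset = resets[-1]                    # evs is time-sorted
        started = {e.session_id: e.ts for e in evs if e.kind == "login"}
        survivors: Dict[str, datetime] = {}
        for e in evs:
            if (e.kind == "activity" and e.session_id in started
                    and e.session_id != last_reset.session_id
                    and started[e.session_id] < last_reset.ts < e.ts):
                survivors[e.session_id] = e.ts   # keep the latest sighting
        if survivors:
            findings[user] = survivors
    return findings

if __name__ == "__main__":
    for user, sessions in sessions_surviving_reset(SAMPLE_EVENTS).items():
        for sid, seen in sessions.items():
            print(f"{user}: session {sid} still active at {seen.isoformat()} after password reset")
```

A hit from this check is a reason to sign the user out of all sessions (the "Session Management" step above) rather than to rely on a further password change.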
