A detailed blog on Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset.
Pavan Karthick M writes:
Executive Summary
In October 2023, PRISMA, a developer, uncovered a critical exploit that allows the generation of persistent Google cookies through token manipulation. This exploit enables continuous access to Google services, even after a user’s password reset. A client, a threat actor, later reverse-engineered this script and incorporated it into Lumma Infostealer (See Appendix8), protecting the methodology with advanced blackboxing techniques. This marked the beginning of a ripple effect, as the exploit rapidly spread among various malware groups to keep on par with unique features.
CloudSEK’s threat research team, leveraging HUMINT and technical analysis, identified the exploit’s root at an undocumented Google Oauth endpoint named “MultiLogin”. This report delves into the exploit’s discovery, its evolution, and the broader implications for cybersecurity.
Access the full report at CloudSEK.