Breaking through the Infostealer Exploit and the Enigma of Cookie Restoration.

In Collaboration with CloudSEK & Hudson Rock

In a Lumma Infostealer forum post dated November 14, its developers announced a notable update, claiming a unique feature: the ability to revive expired Google cookies using a key from restore files. This revelation, highlighted by cybersecurity expert Alon Gal (Hudson Rock) on November 20, prompted a collaborative effort with @g0njxa, leading to the identification of the original developer, PRISM. PRISM's discovery on October 20 has since set the stage for advancements in cookie restoration, with far-reaching implications for the cybersecurity landscape.

Original post describing the discovery by PRISM on October 20

Obtaining Threat Samples Through HUMINT: 😈

Employing a direct engagement strategy with various threat actors, our team successfully obtained the restoration script used in their operations. This unique approach allowed us to secure exclusive insights into the functionality of the script, shedding light on the methods employed by threat actors in manipulating and restoring Google cookies.

The stuff obtained from the TA😍

Findings by CloudSEK Team

How It Works:

The Lumma Infostealer’s cookie restoration method operates by leveraging a key from restore files, allowing the revival of seemingly expired Google cookies. Upon initiating the process, the update sends a POST request to “https://accounts.google.com/oauth/multilogin” with specific headers, including a MultiBearer authorization token obtained from the restore files.

This request triggers a response containing cookies in a JSON structure, which the script parses to extract relevant information. The extracted data is then formatted into Netscape cookie file format, facilitating the creation of stable and persistent Google cookies.

Essentially, the infusion of the key from restore files enables the reauthorization of cookies, ensuring their validity even after a password change. This technical maneuver, pioneered by PRISM, underscores a sophisticated approach to cookie restoration, presenting an intricate challenge for cybersecurity professionals.

Decompiled source code of the Token.exe file

We converted the logic of the code into a curl request; this is how it looks.

When run, it returns the cookies as output, like these.

How does the threat actor get the token?

The threat actor-operated stealer performs a sophisticated operation to extract and decrypt login tokens stored in Google Chrome's local database. The focal point of this activity is the 'Web Data' file located at C:\Users\<Username>\AppData\Local\Google\Chrome\User Data\<Profile or Default Folder>. By targeting this specific file, the stealer reads the encrypted tokens and decrypts them using the OS key, yielding login credentials and authentication keys. The extracted data is then recorded, each decrypted token associated with its respective service, catalogued into a CSV or TXT file, and uploaded together with the log.
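The two stages described on this page, a non-browser process reading Chrome's 'Web Data' database and an outbound POST to the multilogin endpoint carrying a MultiBearer authorization header, both leave host and network telemetry that a defender can alert on. The following is an added detection example written for this article; it is not code from the post, from CloudSEK, or from any stealer. The newline-delimited JSON event schema (keys such as `event`, `process`, `path`, `url`, `headers`) and the sample events are constructed for the example and do not correspond to any particular EDR product's format.

```python
"""Detection over EDR-style telemetry for the token-theft and cookie-restoration
stages described in the article. Added example; event schema is an assumption."""
import json
import re
from typing import Dict, Iterable, List

# Processes that are expected to open Chrome's profile data or call the endpoint.
KNOWN_BROWSERS = {"chrome.exe", "msedge.exe", "chromium.exe", "brave.exe"}

# Path fragment named in the article: ...\Google\Chrome\User Data\<profile>\Web Data
WEB_DATA_RE = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Web Data$", re.IGNORECASE)
# Endpoint named in the article.
MULTILOGIN_RE = re.compile(r"^https://accounts\.google\.com/oauth/multilogin", re.IGNORECASE)


def is_browser(process: str) -> bool:
    """True when the image name (last path component) is a known browser."""
    return process.rsplit("\\", 1)[-1].lower() in KNOWN_BROWSERS


def classify(event: Dict) -> str:
    """Return a finding label for one event, or '' when nothing suspicious is seen."""
    proc = event.get("process", "")
    if event.get("event") == "file_open":
        # Stage 1: something other than a browser opens the 'Web Data' database.
        if WEB_DATA_RE.search(event.get("path", "")) and not is_browser(proc):
            return "chrome_web_data_read_by_non_browser"
    elif event.get("event") == "http_request":
        # Stage 2: POST to the multilogin endpoint with a MultiBearer header,
        # issued by a process that is not a browser.
        headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
        if (event.get("method", "").upper() == "POST"
                and MULTILOGIN_RE.match(event.get("url", ""))
                and headers.get("authorization", "").startswith("MultiBearer")
                and not is_browser(proc)):
            return "multilogin_post_with_multibearer_by_non_browser"
    return ""


def scan(lines: Iterable[str]) -> List[Dict]:
    """Parse newline-delimited JSON events and return the findings in order."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip it rather than abort the scan
        label = classify(event)
        if label:
            findings.append({"host": event.get("host"),
                             "process": event.get("process"),
                             "finding": label})
    return findings


# Constructed sample telemetry (not real logs). Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"host":"WS01","event":"file_open","process":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"host":"WS01","event":"file_open","process":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"host":"WS01","event":"http_request","process":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","method":"POST","url":"https://accounts.google.com/oauth/multilogin","headers":{"Authorization":"MultiBearer REDACTED"}}
{"host":"WS02","event":"http_request","process":"C:\\Users\\bob\\Desktop\\Token.exe","method":"POST","url":"https://accounts.google.com/oauth/multilogin","headers":{"Authorization":"MultiBearer REDACTED"}}
{"host":"WS02","event":"http_request","process":"C:\\Users\\bob\\Desktop\\Token.exe","method":"GET","url":"https://example.invalid/","headers":{}}
"""


def scan_sample() -> List[Dict]:
    """Run the detector over the constructed sample; two findings are expected."""
    return scan(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for finding in scan_sample():
        print(json.dumps(finding))
```

Both rules key on the process identity because the legitimate browser touches the same file and the same endpoint during normal account synchronization; on a real fleet the allow-list should also carry the signer or hash of the browser binary, since a stealer can copy a browser's image name. The GET event in the sample shows that the endpoint alone is not enough for a match; the method and the MultiBearer header are part of the signature the article describes.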

Simulation of the way stealers extract the token

Intended use:

The MultiLogin endpoint, unearthed within Chromium’s source code, serves as an internal mechanism dedicated to synchronizing Google accounts across services. Its primary function lies in maintaining a seamless user experience by ensuring synchronization between browser account states and Google’s authentication cookies.

Initial attempts to uncover mentions of this endpoint with a Google Dork were unsuccessful, but a subsequent search on GitHub yielded precise matches in the Chromium source code. The source code clarifies critical details such as the parameter format, the data format, and the purpose of this endpoint.

The endpoint’s functionality is rooted in accepting a vector of account IDs and auth-login tokens. These data components are integral for managing concurrent sessions and enabling a smooth transition between user profiles. While the Multi-login feature plays a crucial role in user authentication, the disclosed insights also underscore its potential as an exploitable avenue, as demonstrated by recent developments in malware.

Information from the chromium source code

My sincere gratitude extends to the vigilant minds at CloudSEK Team for their invaluable contributions, the expertise of Hudson Rock in navigating the threat landscape, and the collaborative spirit of @g0njxa. It’s through these combined efforts that we bring you this in-depth analysis.

As we navigate the complex terrain of cybersecurity, this collaborative effort stands as a testament to the importance of unity in defending against digital threats. Stay informed, stay secure, and let’s continue to evolve in the face of an ever-changing cyber landscape.
