ToddyCat developed Umbrij to abuse Google APIs, remote debugging, and copied browser profiles to steal OAuth authorization codes from Gmail sessions while avoiding EPP and EDR detection. The tool relies on DLL sideloading, token impersonation, and headless Chromium automation to compromise corporate email access through legitimate Google Workspace applications. #ToddyCat #Umbrij #Gmail #GWMMO #GWSMO
Keypoints
- ToddyCat created a new tool called Umbrij to automate access to Gmail accounts through Google APIs.
- The attack uses copied Chromium browser profiles, headless mode, and a remote debugging port to capture OAuth authorization codes.
- Umbrij was designed to bypass security monitoring and remain undetected by EPP and EDR solutions.
- The tool was delivered through DLL sideloading using legitimate applications such as BDSubWiz.exe, VSTestVideoRecorder.exe, and GoogleDesktop.exe.
- Umbrij impersonates user tokens from explorer.exe to operate in the victim’s context and target authenticated sessions.
- The malware targets Google Workspace Migration for Microsoft Outlook and Google Workspace Sync for Microsoft Outlook authorization flows.
- Defenders are advised to monitor DLL loading anomalies, browser debug launches, and third-party Google account access permissions.
MITRE Techniques
- [T1134.003] Access Token Manipulation: Make and Impersonate Token – Umbrij duplicates the token of explorer.exe to run in the victim’s user context and inherit privileges (‘searches the system for the explorer.exe process and duplicates its token, retaining all of its privileges’).
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – The attackers load Umbrij by abusing legitimate binaries that insecurely load malicious DLLs (‘used the DLL sideloading technique to load the malicious tool’).
- [T1059.007] Command and Scripting Interpreter: JavaScript – Umbrij uses JavaScript to click page elements and automate browser interactions (‘uses JavaScript to emulate a mouse click on the elements’).
- [T1106] Native API – The tool calls .NET and browser-automation APIs to enumerate TCP connections, attach to Chrome, and automate requests (‘uses the .NET GetActiveTcpConnections() function’ and ‘Puppeteer provides a high-level API’).
- [T1071.001] Application Layer Protocol: Web Protocols – Umbrij communicates with Google OAuth and Gmail over HTTPS to obtain authorization codes and access tokens (‘sends a GET request’ and accesses ‘accounts.google.com/o/oauth2/v2/auth/identifier’).
- [T1219] Remote Access Software – The tool controls a browser via the remote debugging protocol to interact with the victim session (‘connects to the browser’s management console in headless mode via a remote debugging port’).
- [T1053.005] Scheduled Task/Job: Scheduled Task – The malicious activity was launched through a scheduled task masquerading as a legitimate Kaspersky task (‘a scheduled task, KasperskyEndpointSecurityEDRAvp, was running on a user host’).
Indicators of Compromise
- [File hashes] Malicious Umbrij samples – 1AB58838E5790EFB22F2D35AB98C0B7D, A7D7D6C4C3F227F7117261C63B9E23A9, and 3 more hashes.
- [MD5 hashes] Legitimate sideloading executables – 9F5F2F0FB0A7F5AA9F16B9A7B6DAD89F (GoogleDesktop.exe), 28CB7B261F4EB97E8A4B3B0D32F8DEF1 (BDSubWiz.exe), and 1 more hash.
- [File names] Sideloaded or malicious components – GoogleDesktop.exe, BDSubWiz.exe, VSTestVideoRecorder.exe, log.dll, GoogleServices.DLL, Microsoft.VisualStudio.QualityTools.VideoRecorderEngine.dll, and BDS.exe.
- [File paths] DLL sideloading locations – C:\Users\Public\BDS.exe with C:\Users\Public\log.dll, and c:\windows\vss\bds.exe with C:\Windows\Vss\log.dll.
- [Registry key] Chrome developer tools policy – HKLM\Software\Policies\Google\Chrome\DeveloperToolsAvailability.
- [URL] Google OAuth and account-management URLs – https://accounts.google.com/o/oauth2/v2/auth/identifier and https://myaccount.google.com/connections.
- [Host/internal browser paths] Profile and backup locations – %LOCALAPPDATA%\Google\Chrome\User Data\Local State, %LOCALAPPDATA%\Microsoft\Edge\User Data\Local State, and BackupFiles folders under Chrome and Edge.
- [Command-line arguments] Browser control and target selection – --remote-debugging-port, --headless, -browser both|msedge|chrome, and -sync.
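As an added defender-side example (not code from the Securelist report or from Umbrij itself), a small Python rule that applies the monitoring advice in the keypoints to constructed process-creation and image-load events: it flags a Chromium-family browser launched headless with --remote-debugging-port, and a DLL loaded by one of the listed host binaries from the sideloading paths in the IoCs. The pipe-delimited event format, the sample lines and the port number are assumptions, not real telemetry.

```python
import re

# Chromium-family browsers; headless launch with a debug port is the Umbrij pattern
BROWSERS = {"chrome.exe", "msedge.exe"}
# Sideloading directories and abused host binaries taken from the IoC list above
SIDELOAD_DIRS = ("c:\\users\\public\\", "c:\\windows\\vss\\")
SIDELOAD_HOSTS = {"bds.exe", "googledesktop.exe", "bdsubwiz.exe", "vstestvideorecorder.exe"}

DEBUG_PORT = re.compile(r"--remote-debugging-port(?:=|\s+)\d+", re.I)
HEADLESS = re.compile(r"--headless\b", re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(line):
    """Label one event line (assumed format Event|Image|CommandLine|ImageLoaded) or None."""
    fields = line.split("|")
    if len(fields) != 4:
        return None
    event, image, cmdline, loaded = fields
    if event == "ProcessCreate" and basename(image) in BROWSERS:
        # A debug port alone is common developer usage; with headless mode it
        # matches the automated-session abuse described in the report
        if DEBUG_PORT.search(cmdline) and HEADLESS.search(cmdline):
            return "browser_headless_remote_debug"
    if event == "ImageLoad" and basename(image) in SIDELOAD_HOSTS:
        if loaded.lower().startswith(SIDELOAD_DIRS):
            return "dll_sideload_from_ioc_path"
    return None

def scan(lines):
    """(index, label) for every flagged line."""
    return [(i, lbl) for i, line in enumerate(lines) if (lbl := classify(line))]

# Constructed sample events, not captured telemetry
SAMPLE_LOG = [
    "ProcessCreate|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"
    "chrome.exe https://mail.google.com|",                                   # benign
    "ProcessCreate|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"
    "chrome.exe --headless --remote-debugging-port=9222|",                   # flagged
    "ProcessCreate|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|"
    "msedge.exe --remote-debugging-port=9222|",                              # dev use, not headless
    "ImageLoad|C:\\Users\\Public\\BDS.exe||C:\\Users\\Public\\log.dll",       # flagged
    "ImageLoad|C:\\Users\\Public\\BDS.exe||C:\\Windows\\System32\\kernel32.dll",  # benign
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_LOG):
        print(f"event {idx}: {label}")
```

The headless condition keeps ordinary developer use of the debug port out of the alert; tune the host and path sets to your own environment.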
Read more: https://securelist.com/toddycat-apt-umbrij-tool-and-oauth/120251/