ToddyCat Uses Umbrij Malware To Abuse OAuth Tokens And Access Gmail Via Google API

ToddyCat Uses Umbrij Malware To Abuse OAuth Tokens And Access Gmail Via Google API

The threat actor known as ToddyCat has been linked to a newly identified malware strain named Umbrij, which is designed to stealthily access corporate Gmail communications by abusing Google API mechanisms. According to research published by Kaspersky, the attackers are focusing specifically on email compromise within enterprise environments by targeting authentication flows tied to OAuth 2.0. The malware is engineered to extract OAuth tokens and leverage them to access Gmail resources without directly requiring traditional login credentials, enabling covert surveillance of organizational email correspondence hosted on Google services.

Kaspersky explained that Umbrij operates by connecting to a browser’s management console in headless mode through a remote debugging port, allowing the malware to interact with an already active user session. This technique, internally tracked as Shadow Token via Remote Debug, enables the attacker to request an OAuth authorization code and exchange it for an access token, which is then used to interact with Gmail through Google APIs. The attack is particularly effective on Chromium based browsers such as Google Chrome and Microsoft Edge, where the malware exploits active login sessions to bypass normal authentication requirements. Researchers identified three variants of Umbrij, some of which include debugging utilities and account selection mechanisms that assist in identifying authenticated users within browser environments.

The delivery mechanism for Umbrij involves a staged infection chain on Windows systems. Kaspersky identified that the malware was deployed through scheduled tasks disguised as legitimate security software processes, including a task impersonating KasperskyEndpointSecurityEDRAvp. This task executes a digitally signed binary that performs DLL side loading to load the malicious payload. The attackers abused legitimate executables including BDSubWiz.exe from Bitdefender ConnectAgent, VSTestVideoRecorder.exe from Microsoft Visual Studio testing components, and GoogleDesktop.exe from the discontinued Google Desktop Search application. Once launched, the malicious DLL, written in .NET and obfuscated using ConfuserEx, is executed with parameters that define target browsers, extract user profiles, and capture screenshots of active sessions. The malware also gathers system information, identifies active browser profiles, and prepares the environment for credential extraction.

Once active on a compromised system, Umbrij performs a structured sequence of operations to hijack authenticated Gmail sessions. It verifies availability of a browser debugging port, retrieves user context by duplicating tokens from explorer.exe processes, and locates browser profile directories for Chrome and Edge. The malware then parses Local State files to identify authenticated Google accounts and creates backup directories under Chrome and Edge application data paths to store copied profile information. This includes IndexedDB, Local Storage, Network data, login credentials, preferences, and secure browsing data. If files are locked, a forced copy mechanism is used. The malware then launches browsers in headless mode using the duplicated user profile, allowing active cookies and sessions to be reused without reauthentication. Using Puppeteer, the malware connects to Chrome DevTools Protocol and navigates to Google OAuth endpoints, where it triggers authorization flows linked to Google Workspace migration tools. Through automated interaction, it selects active accounts, grants permissions to Gmail, Drive, Contacts, Calendar, and Tasks, and retrieves OAuth authorization codes, which are redirected to local endpoints and logged for exfiltration.

Kaspersky noted that Umbrij records all operational steps in log files, including captured authorization codes, which are later retrieved by the attackers to obtain OAuth access tokens. These tokens are then used to directly access Gmail accounts via Google APIs, enabling full compromise of corporate email communications without triggering standard authentication alerts. Security researchers recommend reviewing OAuth permissions granted to applications via Google account settings and revoking access for suspicious or unused integrations such as Google Workspace Migration for Microsoft Outlook or Google Workspace Sync for Microsoft Outlook. ToddyCat, an advanced persistent threat group active since at least 2020 across Europe and Asia, has previously demonstrated similar capabilities, including the use of custom tools like TCSectorCopy for extracting Microsoft Outlook data. Researchers warn that Umbrij reflects the group’s continued focus on automating access to enterprise email systems and improving the scale and efficiency of its cyber espionage operations.

Source

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Post Comment