New malware raids Chrome for login cookies to hijack your account, and it is especially interested in expired cookies, which it can bring back to life.
Today we look at the cookie restoration method of Lumma Infostealer, a new information-stealing malware that manages to get into users' accounts even after they change their passwords, by exploiting an undocumented Google OAuth endpoint called "MultiLogin". The technique targets a specific category of browser cookies, session cookies, which hold authentication state and let users sign in to websites and services instantly without re-entering their credentials.
For now the threat affects only the desktop version of Chrome: the malware is able to extract and decode the login tokens stored in Chrome's local profile database. CloudSEK and Hudson Rock identified this new type of attack, and the Lumma operators have already shipped an update to their stealer that exploits it.
The Lumma cookie restoration method relies on a key taken from the restore files, which allows seemingly expired Google cookies to be reactivated. To start the process, the updated stealer sends a POST request to "https://accounts.google.com/oauth/multilogin" with specific headers, including a MultiBearer authorization token obtained from those files.
The request returns a response containing cookies in a JSON structure, which the script parses to extract the relevant fields. The extracted data is then written out in Netscape cookie file format, which makes it easy to produce stable, persistent Google cookies that common tools can import directly.
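To make the last two steps concrete, here is an added example (not code from the article, nor the stealer's own script) that takes a response "containing cookies in a JSON structure" and renders it in Netscape cookie file format, then parses such a file back, which is what you do when triaging a recovered stealer log. The field names in the JSON, the anti-XSSI prefix and the cookie values are all assumptions or constructed sample data; nothing here talks to Google.

```python
from __future__ import annotations

import json
import time

# Google JSON endpoints usually prefix responses with an anti-XSSI guard. Whether
# MultiLogin uses exactly this guard is an ASSUMPTION, not stated by the article.
XSSI_PREFIX = ")]}'"

# CONSTRUCTED sample in the shape the article describes (cookies inside a JSON
# structure). The field names are assumed for illustration and the values are
# made up; they are not real Google session tokens.
SAMPLE_RESPONSE = XSSI_PREFIX + json.dumps({
    "status": "OK",
    "cookies": [
        {"name": "SID", "value": "example-sid-value", "domain": ".google.com",
         "path": "/", "isSecure": True, "isHttpOnly": False, "maxAge": 63072000},
        {"name": "__Secure-1PSID", "value": "example-1psid", "domain": ".google.com",
         "path": "/", "isSecure": True, "isHttpOnly": True, "maxAge": 63072000},
        {"name": "ACCOUNT_CHOOSER", "value": "example-chooser",
         "domain": "accounts.google.com", "path": "/", "isSecure": True,
         "isHttpOnly": True, "maxAge": 63072000},
    ],
})

HTTPONLY_MARK = "#HttpOnly_"  # curl's convention for HttpOnly cookies in this format


def parse_multilogin_response(body: str) -> list[dict]:
    """Strip the anti-XSSI prefix (if present) and return the list of cookie objects."""
    if body.startswith(XSSI_PREFIX):
        body = body[len(XSSI_PREFIX):]
    data = json.loads(body)
    if data.get("status") != "OK":
        raise ValueError(f"unexpected status: {data.get('status')!r}")
    return list(data["cookies"])


def to_netscape(cookies: list[dict], now: int | None = None) -> str:
    """Render cookies as a Netscape cookie file (the format curl/wget consume).

    Tab-separated columns: domain, include-subdomains flag, path, secure flag,
    expiry as Unix seconds (0 = session cookie), name, value. A domain starting
    with '.' covers subdomains; HttpOnly cookies get the '#HttpOnly_' prefix.
    """
    now = int(time.time()) if now is None else now
    lines = ["# Netscape HTTP Cookie File"]
    for c in cookies:
        domain = c["domain"]
        subdomains = "TRUE" if domain.startswith(".") else "FALSE"
        secure = "TRUE" if c.get("isSecure") else "FALSE"
        max_age = int(c.get("maxAge", 0))
        expiry = now + max_age if max_age > 0 else 0
        prefix = HTTPONLY_MARK if c.get("isHttpOnly") else ""
        lines.append("\t".join([prefix + domain, subdomains, c["path"], secure,
                                str(expiry), c["name"], c["value"]]))
    return "\n".join(lines) + "\n"


def parse_netscape(text: str) -> list[dict]:
    """Parse a Netscape cookie file back into dicts, keeping the HttpOnly marker."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        http_only = line.startswith(HTTPONLY_MARK)
        if http_only:
            line = line[len(HTTPONLY_MARK):]
        elif line.startswith("#"):
            continue  # ordinary comment line
        parts = line.split("\t")
        if len(parts) != 7:
            raise ValueError(f"malformed cookie line: {raw!r}")
        domain, subdomains, path, secure, expiry, name, value = parts
        out.append({"domain": domain, "includeSubdomains": subdomains == "TRUE",
                    "path": path, "isSecure": secure == "TRUE", "expiry": int(expiry),
                    "name": name, "value": value, "isHttpOnly": http_only})
    return out


if __name__ == "__main__":
    dump = to_netscape(parse_multilogin_response(SAMPLE_RESPONSE))
    print(dump)
    for c in parse_netscape(dump):
        print(c["name"], "expires", c["expiry"], "httponly" if c["isHttpOnly"] else "")
```

The round trip matters for defenders: a stealer log that ships cookies in this format tells you exactly which domains, paths and expiry horizons the attacker holds, and the `#HttpOnly_` marker shows whether cookies normally hidden from page scripts were taken straight from the browser's store rather than from a web page.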
Expired cookies are the gateway
The concern lies in the malware's ability to restore expired Google cookies by using a newly discovered key to query the Google API. Because the restored session does not depend on the password, attackers can get into accounts even after the user has reset it, which poses a significant security risk.
The malware pulls tokens and account IDs out of Chrome profiles that are signed in to Google accounts (Chrome keeps them in the profile's token_service table); the GAIA ID and the encrypted token are the crucial elements of the stolen data. Restoring expired cookies this way can be done without the user noticing anything, which amplifies the severity of the problem.
Threat actors can repeat the exploit to regain access to an account even after its password has been changed, so a password reset alone is not enough: the compromised sessions also have to be terminated (signing out of the affected browser, or revoking its sessions from the Google account's security settings, invalidates the stolen tokens). Beyond that, our advice is not to click on suspicious ads on social networks and to take extra precautions by using a secure browser and avoiding sites that do not let you block cookies.
Note: This content has been translated with an artificial intelligence tool, so the translation may be slightly inaccurate. The original version written by our editor is the Spanish version.