Armitage Archive

ToddyCat’s Umbrij Malware Hijacks Gmail Access Using OAuth Tokens Instead of Passwords

by Athira Sasidharan

Original article

This page contains highlights I saved while reading ToddyCat’s Umbrij Malware Hijacks Gmail Access Using OAuth Tokens Instead of Passwords by Athira Sasidharan. These quotes were collected using Readwise.

Highlights

Modern attackers increasingly target identity rather than infrastructure.

Permalink to this highlight


ToddyCat now automates cloud account compromise through trusted authentication mechanisms, increasing both efficiency and stealth.

Permalink to this highlight


Traditional phishing campaigns usually rely on stealing usernames and passwords. However, Umbrij demonstrates that attackers increasingly prefer stealing authentication tokens instead.

Because OAuth tokens represent trusted authorization, attackers can often bypass multi-factor authentication after the token has been issued. Additionally, API-based access may generate fewer security alerts than suspicious login attempts, making detection more difficult.

Permalink to this highlight


Security teams should regularly review OAuth applications connected to corporate Google accounts and remove any that are unnecessary or unfamiliar.

Permalink to this highlight


The attackers abused legitimate signed executables, including components associated with Bitdefender software, Microsoft Visual Studio, and the discontinued Google Desktop application. Once executed, the malicious .NET DLL—protected with code obfuscation—takes control of the browser environment and begins harvesting the required OAuth authorization data.

Permalink to this highlight


Want more like this? See all articles or get a random quote.