ToddyCat’s Umbrij Malware Hijacks Gmail Access Using OAuth Tokens Instead of Passwords
by Athira Sasidharan
This page contains highlights I saved while reading ToddyCat’s Umbrij Malware Hijacks Gmail Access Using OAuth Tokens Instead of Passwords by Athira Sasidharan. These quotes were collected using Readwise.
Highlights
Modern attackers increasingly target identity rather than infrastructure.
ToddyCat now automates cloud account compromise through trusted authentication mechanisms, increasing both efficiency and stealth.
Traditional phishing campaigns usually rely on stealing usernames and passwords. However, Umbrij demonstrates that attackers increasingly prefer stealing authentication tokens instead.
Because OAuth tokens represent trusted authorization, attackers can often bypass multi-factor authentication after the token has been issued. Additionally, API-based access may generate fewer security alerts than suspicious login attempts, making detection more difficult.
Security teams should regularly review OAuth applications connected to corporate Google accounts and remove any that are unnecessary or unfamiliar.
The attackers abused legitimate signed executables, including components associated with Bitdefender software, Microsoft Visual Studio, and the discontinued Google Desktop application. Once executed, the malicious .NET DLL—protected with code obfuscation—takes control of the browser environment and begins harvesting the required OAuth authorization data.
Want more like this? See all articles or get a random quote.