
Umbrij Malware Exploits OAuth to Access Gmail Through Google API

Aggregated by BrevFeed security · updated 4h ago

The ToddyCat threat actor has released a new malware named Umbrij, which gains unauthorized access to Gmail accounts via the Google API using OAuth tokens. This technique could significantly impact corporate email security, as it leverages existing Gmail sessions for access.

Key points

Overview of Umbrij Malware

The ToddyCat group has been linked to Umbrij, a malware aimed at accessing Gmail accounts through the Google API. This malware targets corporate email communications using OAuth 2.0, allowing it to authenticate and gain access to users' email resources.

Technical Details of the Attack

Umbrij acquires an OAuth token by launching the victim's browser in headless mode and controlling it through a remote debugging port. Through that channel the malware requests an OAuth authorization code, which it then exchanges for an access token that grants access to the Gmail account. This method, known as Shadow Token via Remote Debug (STRD), illustrates the risk posed by abuse of active sessions.

Browser Exploitation

The attack leverages weaknesses in Chromium-based browsers and takes advantage of Gmail sessions that are already logged in. By launching the browser in headless mode and using remote debugging, attackers take control of the existing session and bypass standard authentication mechanisms.
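A defender-side check for the launch pattern described in the two sections above (a Chromium-based browser started headless with a remote debugging port), as an added example that is not part of the original reporting or of Kaspersky's research: it scans process-creation events for Chromium browsers started with `--remote-debugging-port` and flags those that are headless or were spawned by something other than known developer tooling. The event format, hostnames, file paths, browser list and parent allowlist are all constructed assumptions.

```python
import re
import shlex
from typing import Iterable, List, Optional, Tuple

# Chromium-based browsers and the parents expected to launch them with a DevTools
# port for legitimate automation (both sets constructed for this example).
CHROMIUM_EXES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "vivaldi.exe"}
DEV_PARENTS = {"code.exe", "node.exe", "cmd.exe", "powershell.exe"}
HEADLESS_RE = re.compile(r"^--headless(=.*)?$")
DEBUG_PORT_RE = re.compile(r"^--remote-debugging-port=(\d+)$")

def _basename(path: str) -> str:
    return path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_launch(cmdline: str) -> Optional[Tuple[str, bool, Optional[int]]]:
    """Return (browser, headless, debug_port), or None if not a Chromium browser."""
    argv = shlex.split(cmdline, posix=False)  # non-POSIX: Windows backslashes survive
    if not argv or _basename(argv[0]) not in CHROMIUM_EXES:
        return None
    headless = any(HEADLESS_RE.match(a) for a in argv[1:])
    port = None
    for a in argv[1:]:
        m = DEBUG_PORT_RE.match(a)
        if m:
            port = int(m.group(1))
    return _basename(argv[0]), headless, port

def detect_strd(events: Iterable[str]) -> List[dict]:
    """Flag browser launches that expose a remote-debugging port and are either
    headless or spawned by something other than known developer tooling."""
    findings = []
    for line in events:
        host, parent, cmdline = line.split("|", 2)  # constructed format: host|parent|cmdline
        parsed = parse_launch(cmdline)
        if parsed is None or parsed[2] is None:
            continue  # not a Chromium browser, or no DevTools endpoint exposed
        browser, headless, port = parsed
        if headless or _basename(parent) not in DEV_PARENTS:
            findings.append({"host": host, "parent": _basename(parent),
                             "browser": browser, "port": port, "headless": headless})
    return findings

# Constructed process-creation events; hosts and paths are placeholders.
SAMPLE_EVENTS = [
    r'WS01|C:\Windows\explorer.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'WS02|C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --user-data-dir=C:\tmp\dbg',
    r'WS03|C:\ProgramData\Vendor\updater.exe|"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --remote-debugging-port=9333 --profile-directory=Default',
    r'WS04|C:\Users\alice\AppData\Local\Temp\loader.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222',
]
```

Running `detect_strd(SAMPLE_EVENTS)` returns findings for WS03 (headless plus debugging port) and WS04 (debugging port from an unexpected parent), while the plain launch on WS01 and the developer-tooling launch on WS02 are ignored.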

Historical Context

ToddyCat has been active since at least 2020 and has previously targeted organizations in Europe and Asia. Notably, their past tools include TCSectorCopy, which was used for compromising Microsoft Outlook data. This new incident highlights a shift towards exploiting OAuth in corporate environments, raising significant security concerns.

Discovery and Impact

Kaspersky discovered Umbrij during a threat hunting operation, revealing a multi-stage operation that relies on DLL side-loading through legitimate binaries. The three legitimate binaries identified belong to Bitdefender, Microsoft Visual Studio, and Google Desktop. As organizations increasingly move to cloud services, attacks of this kind could expose widespread weaknesses in email security practices.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.
