WarmCookie Malware Hijacking Google Accounts

Overview

WarmCookie is a sophisticated piece of malware that emerged in late 2023, primarily targeting Google accounts by exploiting vulnerabilities in Google's authentication process. Recent alerts from malware databases indicate an uptick in activity associated with this malware. WarmCookie allows attackers to hijack user sessions even after passwords are reset, presenting significant security challenges.

Technical Details

  • Malware Type: Info-stealer
  • Targets: Google accounts, including Gmail and associated corporate accounts
  • Initial Discovery: October 2023
  • Affected Services: Google OAuth endpoint (MultiLogin)

Mechanism of Action

WarmCookie operates by extracting OAuth tokens and account IDs from Chrome profiles. Specifically, it reads the token_service table in Chrome's Web Data SQLite database and uses those credentials to regenerate session cookies. This allows attackers to maintain continuous access to the compromised accounts, bypassing conventional security measures such as password resets and two-factor authentication (2FA).

Indicators of Compromise (IoCs)

File Paths:

%LOCALAPPDATA%\Google\Chrome\User Data\Default\Web Data

Registry Keys:

HKCU\Software\Google\Chrome\PreferenceMACs\Default\Extensions\lmhojphfgmoabccjaafidpjphflmjhil

IP Addresses (as of 7 June 2024):

185[.]49.70.98

87[.]251.67.92

80[.]66.88.146

185[.]49.69.41

File Hash (SHA256):

ccde1ded028948f5cd3277d2d4af6b22fa33f53abde84ea2aa01f1872fad1d13
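The following script is an added defender-side example, not part of the original advisory or any vendor tooling. It takes the IoCs listed above (the IP addresses are refanged from their defanged form), matches them against constructed sample proxy log lines, a file hash inventory and a registry export, and additionally flags any process other than chrome.exe opening Chrome's Web Data database, which is the access pattern described in the Mechanism of Action section. The telemetry formats and the assumption that only chrome.exe legitimately opens Web Data are illustrative; tune the process allow-list for backup or EDR agents in your own environment.

```python
"""Match the WarmCookie IoCs listed above against constructed sample telemetry."""
import ipaddress
import re
from typing import Dict, List

# IoCs copied from the advisory above; IPs are kept defanged as on the page.
DEFANGED_IPS = ["185[.]49.70.98", "87[.]251.67.92", "80[.]66.88.146", "185[.]49.69.41"]
SHA256_IOC = "ccde1ded028948f5cd3277d2d4af6b22fa33f53abde84ea2aa01f1872fad1d13"
REGISTRY_IOC = (r"HKCU\Software\Google\Chrome\PreferenceMACs\Default\Extensions"
                r"\lmhojphfgmoabccjaafidpjphflmjhil")
WEB_DATA_SUFFIX = r"\Google\Chrome\User Data\Default\Web Data"
CHROME_PROCESSES = {"chrome.exe"}  # assumption: only Chrome itself should open Web Data


def refang(ioc: str) -> str:
    """Convert a defanged address such as '185[.]49.70.98' back to '185.49.70.98'.
    ipaddress validates the result, so a typo in the IoC list fails loudly."""
    return str(ipaddress.ip_address(ioc.replace("[.]", ".").replace("(.)", ".")))


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_network_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag any log line whose IPv4 addresses include a listed C2 address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append({"line": n, "type": "ip", "value": ip})
    return hits


def scan_hash_inventory(inventory: Dict[str, str]) -> List[Dict[str, str]]:
    """inventory maps file path -> SHA256; flag files matching the listed hash."""
    return [{"type": "sha256", "path": path, "value": digest}
            for path, digest in inventory.items() if digest.lower() == SHA256_IOC]


def scan_registry_export(lines: List[str]) -> List[Dict[str, object]]:
    """Flag lines of a registry export containing the listed key.
    Exports spell the hive as HKEY_CURRENT_USER, so normalise it to HKCU first."""
    needle = REGISTRY_IOC.lower()
    return [{"line": n, "type": "registry", "value": line.strip()}
            for n, line in enumerate(lines, 1)
            if needle in line.lower().replace("hkey_current_user", "hkcu")]


def scan_file_access(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """events are constructed object-access records {process, path}.
    Flag any process other than Chrome reading Chrome's Web Data database."""
    hits = []
    for ev in events:
        proc = ev["process"].rsplit("\\", 1)[-1].lower()
        if ev["path"].lower().endswith(WEB_DATA_SUFFIX.lower()) and proc not in CHROME_PROCESSES:
            hits.append({"type": "webdata-access", "process": ev["process"], "path": ev["path"]})
    return hits


# --- constructed sample telemetry (not real captures) -----------------------
SAMPLE_PROXY_LOG = [
    "2024-06-07T10:01:12Z src=10.0.0.15 dst=142.250.74.46 dport=443 host=accounts.google.com",
    "2024-06-07T10:01:40Z src=10.0.0.15 dst=185.49.70.98 dport=443 host=-",
    "2024-06-07T10:02:03Z src=10.0.0.22 dst=80.66.88.146 dport=80 host=-",
]
SAMPLE_INVENTORY = {
    r"C:\Users\alice\Downloads\setup.exe": SHA256_IOC.upper(),
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}
SAMPLE_REG_EXPORT = [
    r"HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\Extensions",
    r"HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\Extensions"
    r"\lmhojphfgmoabccjaafidpjphflmjhil    REG_SZ    <mac-placeholder>",
]
SAMPLE_FILE_EVENTS = [
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"process": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
]


def run_all() -> Dict[str, int]:
    """Return a hit count per detector for the constructed samples."""
    return {
        "ip": len(scan_network_log(SAMPLE_PROXY_LOG)),
        "sha256": len(scan_hash_inventory(SAMPLE_INVENTORY)),
        "registry": len(scan_registry_export(SAMPLE_REG_EXPORT)),
        "webdata-access": len(scan_file_access(SAMPLE_FILE_EVENTS)),
    }


if __name__ == "__main__":
    for name, count in run_all().items():
        print(f"{name}: {count} hit(s)")
```

Run the script as-is to see the hit counts on the embedded samples; in practice, feed it exported proxy logs, a hash inventory from your EDR, and a reg.exe export of the Chrome extension keys. The Web Data access check is only as good as the file-access auditing you have in place, so confirm that object-access events for Chrome profile directories are actually being collected before relying on it.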

Exploited Vulnerabilities

  • Google OAuth MultiLogin Endpoint: this endpoint is used to synchronize Google accounts across services. By extracting token-GAIA ID pairs from the browser, attackers use it to regenerate Google cookies, providing persistent access to victim accounts.

Affected Groups

The technique has been rapidly adopted by several infostealer malware groups, including:

  • Lumma
  • Rhadamanthys
  • Risepro
  • Meduza
  • Stealc
  • White Snake

Mitigation Strategies

  1. Enhanced Safe Browsing: Enable this feature in Chrome to protect against phishing and malware downloads.
  2. Regular Sign-Out: Ensure regular sign-out from all devices to invalidate stolen session tokens.
  3. Endpoint Protection: Use robust endpoint protection solutions to detect and remove malware.
  4. Network Monitoring: Implement monitoring to detect unusual traffic patterns indicative of data exfiltration.

Google's Response

Google has acknowledged the issue and taken steps to secure compromised accounts. They emphasize that users can invalidate stolen sessions by signing out from affected browsers or using the remote session termination feature available in their Google account settings.

Recommendations

  • Awareness and Training: Educate users about the risks of downloading untrusted software and the importance of maintaining up-to-date security practices.
  • Regular Updates: Keep browsers and security software updated to protect against the latest threats.
  • Incident Response: Develop a comprehensive incident response plan to quickly address any potential compromises.

Conclusion

WarmCookie represents a significant threat due to its ability to bypass traditional security measures. Continuous vigilance, user education, and robust security practices are essential to mitigate the risks posed by this malware.

For more detailed information and updates on WarmCookie malware, refer to sources such as Malpedia, MalwareBazaar and ThreatFox.