
Google OAuth endpoint exploited by various malware

BleepingComputer reports that several information-stealing malware families are abusing a previously undocumented Google OAuth endpoint, MultiLogin, to regenerate expired Google authentication cookies and regain access to victims' accounts. MultiLogin exists to keep accounts synchronized across Google services. According to a CloudSEK report, the infostealers abuse it by harvesting the GAIA ID and encrypted_token pairs that Chrome stores for signed-in accounts and submitting them to the endpoint to mint fresh session cookies, so a session that has already expired can be revived without the victim's involvement. Lumma Stealer's developers were the first to ship the technique, in November, after reverse-engineering the endpoint through blackboxing; Rhadamanthys copied it, and StealC, Medusa, RisePro, and WhiteSnake added it the following month. Google has yet to confirm that the MultiLogin endpoint is being exploited, but Lumma Stealer has already updated the exploit to encrypt its communication with the endpoint and to route requests through SOCKS proxies in an attempt to evade Google's defenses.
