VYPR research
Published Jun 30, 2026 · 1 source

ToddyCat APT Leverages Umbrij Tool to Steal Cloud Email Credentials via OAuth Exploitation

The ToddyCat APT group has developed a new tool, Umbrij, to steal cloud email credentials by exploiting the OAuth 2.0 protocol through Google's API, employing a novel technique dubbed Shadow Token via Remote Debug (STRD).

The ToddyCat advanced persistent threat (APT) group has evolved its tactics, introducing a sophisticated new tool named Umbrij designed to pilfer cloud email credentials. This latest campaign bypasses traditional security measures by exploiting the OAuth 2.0 protocol, a standard for delegated authorization, specifically targeting Google's API. The group's innovative approach, termed Shadow Token via Remote Debug (STRD), allows them to acquire access tokens by interacting with a browser's remote debugging port in headless mode.

Umbrij's primary function is to establish a connection to a Chromium-based browser's management console via its remote debugging port. Once connected, the tool initiates a series of requests to the Gmail service. This process allows the attackers to obtain an OAuth authorization code, which is then exchanged for an access token. This token grants them the ability to access the target user's email resources through the Google API, effectively hijacking legitimate access without requiring the user's password.

The STRD technique is particularly effective because it leverages active user sessions. If a user remains logged into their Gmail account within a Chromium-based browser, the attackers can launch the browser remotely, connect to its debugging interface, and issue commands to grant access to account resources. This method exploits the trust inherent in authenticated sessions, making it difficult for standard security tools to distinguish malicious activity from legitimate user actions.

Kaspersky researchers have identified multiple versions of the Umbrij tool, indicating ongoing development and refinement. These versions include various helper functions for debugging, user account enumeration, and selection within the browser. Kaspersky has assigned several detection verdicts to the tool, including HEUR:Trojan-PSW.MSIL.Umbrij.gen, HEUR:Trojan.MSIL.Agent.gen, and HEUR:Trojan-PSW.MSIL.Agent.gen, highlighting its malicious nature.

The execution of Umbrij often involves stealthy deployment. Attackers have been observed using a scheduled task named 'KasperskyEndpointSecurityEDRAvp' to masquerade the malicious process as a legitimate security component. This is followed by the use of DLL sideloading, where the malicious Umbrij DLL is loaded by a trusted, digitally signed executable. Legitimate executables from Bitdefender (BDSubWiz.exe), Visual Studio (VSTestVideoRecorder.exe), and the discontinued Google Desktop Search (GoogleDesktop.exe) have been identified as vulnerable to this technique, allowing Umbrij to execute under the guise of a trusted application.

Umbrij itself is a .NET DLL, obfuscated using ConfuserEx to hinder analysis. It is controlled via command-line parameters, which vary depending on the specific version. These parameters can specify target browsers (Chrome, Edge, or both), the remote debugging port, the path to the browser executable, and even manipulate permission requests. Some versions also include parameters for domain administration and user context execution, suggesting a broad range of potential targets and deployment scenarios.

The implications of this attack are significant, as it provides a direct pathway to sensitive corporate email communications hosted on Gmail. By compromising cloud email accounts, threat actors can gain access to confidential information, conduct espionage, or facilitate further attacks. The reliance on OAuth and browser debugging ports represents a notable shift in APT tactics, moving beyond traditional credential harvesting or phishing methods.

To defend against Umbrij and similar threats, organizations should ensure that remote debugging ports for browsers are disabled or secured. Regularly updating security software, implementing strong endpoint detection and response (EDR) solutions, and monitoring for unusual scheduled tasks or DLL loading events are crucial. Furthermore, educating users about the risks associated with active browser sessions and the importance of logging out of sensitive accounts can add an extra layer of defense against such sophisticated attacks.
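The three detection opportunities in the paragraph above (a Chromium-based browser started with its remote debugging interface exposed, a security-vendor-named scheduled task whose action lives outside a vendor install directory, and one of the named signed executables loading an unsigned DLL) can be expressed as simple rules over endpoint telemetry. The following is an added example, not code from Kaspersky or from the Vypr page; the event field names, the sample events, the port number and the DLL filename are constructed for illustration, and the `--remote-debugging-port`/`--headless` switches are the real Chromium command-line flags the STRD description implies.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Chromium-family browsers that expose a DevTools endpoint when launched with
# the real Chromium switches matched below.
CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe", "brave.exe"}
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(port|pipe)\b", re.I)
HEADLESS_RE = re.compile(r"--headless\b", re.I)

# Signed executables the article names as DLL-sideloading hosts for Umbrij.
SIDELOAD_HOSTS = {"bdsubwiz.exe", "vstestvideorecorder.exe", "googledesktop.exe"}

# Heuristic: a task name borrowing a security vendor's name is suspicious when
# its action binary is not under a trusted install root (constructed lists).
SECURITY_VENDOR_TOKENS = ("kaspersky", "defender", "bitdefender", "crowdstrike", "sentinel")
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def check_process_create(ev: Dict) -> List[Finding]:
    """Rule 1: browser started with the DevTools remote debugging switch.
    Headless launches are rated higher: no user sees a window."""
    image = basename(ev["image"])
    cmd = ev.get("command_line", "")
    if image in CHROMIUM_IMAGES and REMOTE_DEBUG_RE.search(cmd):
        severity = "high" if HEADLESS_RE.search(cmd) else "medium"
        parent = basename(ev.get("parent_image", "")) or "?"
        return [Finding("browser_remote_debugging", severity, f"{image} (parent {parent}): {cmd}")]
    return []


def check_image_load(ev: Dict) -> List[Finding]:
    """Rule 2: a known sideloading host loads a DLL that is not signed."""
    host = basename(ev["image"])
    if host in SIDELOAD_HOSTS and not ev.get("signed", False):
        return [Finding("dll_sideload_host", "high", f"{host} loaded unsigned {ev['loaded_image']}")]
    return []


def check_scheduled_task(ev: Dict) -> List[Finding]:
    """Rule 3: vendor-named task whose action runs from an untrusted location."""
    name = ev["task_name"].lower()
    if any(tok in name for tok in SECURITY_VENDOR_TOKENS) and not under_trusted_root(ev["action"]):
        return [Finding("masquerading_scheduled_task", "high", f"{ev['task_name']} -> {ev['action']}")]
    return []


HANDLERS: Dict[str, Callable[[Dict], List[Finding]]] = {
    "process_create": check_process_create,
    "image_load": check_image_load,
    "scheduled_task": check_scheduled_task,
}


def analyze(events: List[Dict]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        handler = HANDLERS.get(ev["type"])
        if handler:
            findings.extend(handler(ev))
    return findings


# Constructed sample telemetry: two benign events interleaved with the three
# behaviours the article describes (values are illustrative, not real IoCs).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "chrome.exe https://mail.google.com"},
    {"type": "process_create", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent_image": r"C:\Users\Public\BDSubWiz.exe",
     "command_line": "msedge.exe --headless --remote-debugging-port=9222"},
    {"type": "process_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "chrome.exe --remote-debugging-port=9222"},
    {"type": "image_load", "image": r"C:\Users\Public\BDSubWiz.exe",
     "loaded_image": r"C:\Users\Public\payload.dll", "signed": False},
    {"type": "image_load", "image": r"C:\Program Files\Bitdefender\BDSubWiz.exe",
     "loaded_image": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"type": "scheduled_task", "task_name": "KasperskyEndpointSecurityEDRAvp",
     "action": r"C:\Users\Public\BDSubWiz.exe"},
    {"type": "scheduled_task", "task_name": "KasperskyEndpointSecurityUpdate",
     "action": r"C:\Program Files (x86)\Kaspersky Lab\avp.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run against the constructed events, the rules raise four findings: the headless, remote-debug-enabled Edge launched by a sideloading host (high), the explorer-launched Chrome with the debug port open (medium, as developers legitimately do this), the unsigned DLL loaded by BDSubWiz.exe from a user-writable path, and the vendor-named task pointing at that same path. In production the event records would come from Sysmon or an EDR's process-creation, image-load and task-creation telemetry, and the vendor-token list and trusted roots should be tuned to the estate.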

Synthesized by Vypr AI