Umbrij workflow diagram | Image: Kaspersky Labs
Security analysts at Kaspersky recently documented Umbrij, a tool attributed to the suspected ToddyCat APT. It gives attackers access to corporate Gmail accounts without triggering the alerts that password theft or an unfamiliar login would normally raise. Rather than stealing credentials, the malware drives the victim's own signed-in browser to obtain an OAuth authorization code, which the attackers then exchange for an access token to the mailbox.
- Actor or Group: Suspected ToddyCat APT
- Activity Type: Cloud email compromise and OAuth token theft
- Targets or Victims: Corporate enterprise networks and Gmail accounts
- Scale: Victim count not disclosed; each compromised account exposes its full mailbox, Drive files and contacts
- Jurisdiction: Investigated by private security researchers
- Source: Kaspersky
TL;DR
Umbrij obtains OAuth authorization codes for corporate Google accounts without touching the victim's password. It copies the victim's Chromium browser profile, launches a second browser instance headless with remote debugging enabled, and uses the already-authenticated session to complete an OAuth authorization flow while posing as a Google application. Because the resulting access token is used through the official Google API, the intrusion evades the endpoint and network controls that catch conventional credential or mail-client theft.
What Happened
First, attackers deliver Umbrij by DLL sideloading: a malicious DLL is placed beside a legitimate executable that loads a library by name from its own directory, so the payload runs under a trusted process name and stays quiet on the host. Kaspersky observed hosts such as GoogleDesktop.exe, VSTestVideoRecorder.exe and BDSubWiz.exe being abused this way.
Before running the main payload, the malware checks that its chosen remote debugging port is free by enumerating the host's active network connections, so the browser instance it is about to start does not collide with a port already in use. It also locates the explorer.exe process and duplicates that process's token, so the tool runs with the interactive user's privileges and can reach that user's browser profile and session without any further authentication.
Once active, the malware looks for Chromium-based browser profiles by reading the Local State file in the browser's user data directory, which lists the profiles present, and identifies those holding a signed-in Gmail session. It then copies the victim's profile into a hidden backup folder. A running browser holds a lock on its live profile directory; working from a copy lets the tool start its own browser instance carrying the same cookies and session tokens.
Next, it launches the browser from that copied profile in the background, headless and with a remote debugging port open, and drives it over the Chrome DevTools Protocol using the Puppeteer library. Because the instance is headless, nothing appears on the victim's screen.
Through that browser, the tool sends an OAuth authorization request to Google while posing as a legitimate Google application, specifically the Google Workspace Migration for Microsoft Outlook utility. Because the copied session is already signed in, Google asks for neither a password nor a second factor, and the authorization completes without any action by the victim.
The request asks for broad scopes: read, compose and delete access to all mail, plus control over Google Drive files and the user's contacts. It deliberately omits the PKCE code_challenge parameter that a legitimate desktop client sends. PKCE binds an authorization code to a secret verifier held by the client that began the flow; without it, whoever holds the code can redeem it. The attackers extract the authorization code from the automated browser and exchange it for an access token that gives them the victim's mailbox through the Gmail API.
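The role of the missing code_challenge is easier to see in code. The following is an added example written for this article, not Kaspersky's code or the malware's: it builds a Google-style authorization URL with and without PKCE, then runs both resulting codes through a toy authorization server that applies the RFC 7636 rule (a verifier is demanded only when a challenge was registered with the code). The authorization endpoint and scope strings are real Google values; the client_id, redirect URI and issued codes are placeholders, and the server is a model, not Google's implementation.

```python
"""Added example: why stripping PKCE from an OAuth request makes the
authorization code portable.  Not code from Kaspersky or from Umbrij."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"  # real Google endpoint
SCOPES = [                                                      # real Google scope strings
    "https://mail.google.com/",                  # full mailbox: read, compose, delete
    "https://www.googleapis.com/auth/drive",     # Google Drive files
    "https://www.googleapis.com/auth/contacts",  # user contacts
]


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_auth_url(client_id, redirect_uri, scopes, code_challenge=None):
    """Authorization URL; code_challenge=None reproduces the stripped request."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "access_type": "offline",
    }
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


class ToyAuthServer:
    """Minimal model of the PKCE check (RFC 7636 section 4.6).  Assumption:
    a verifier is required only when the request carried a challenge."""

    def __init__(self):
        self._codes = {}  # authorization code -> registered challenge (or None)

    def issue_code(self, auth_url):
        query = parse_qs(urlparse(auth_url).query)
        code = secrets.token_urlsafe(16)
        self._codes[code] = query.get("code_challenge", [None])[0]
        return code

    def exchange(self, code, code_verifier=None):
        """Redeem a code; returns placeholder tokens or None on failure."""
        if code not in self._codes:
            return None
        challenge = self._codes.pop(code)  # single use
        if challenge is not None:
            if code_verifier is None:
                return None
            digest = hashlib.sha256(code_verifier.encode()).digest()
            if base64.urlsafe_b64encode(digest).rstrip(b"=").decode() != challenge:
                return None
        return {"access_token": "ya29." + secrets.token_urlsafe(8),
                "refresh_token": "1//" + secrets.token_urlsafe(8)}


def demo():
    server = ToyAuthServer()
    client_id = "EXAMPLE_CLIENT_ID.apps.googleusercontent.com"  # placeholder, not real
    redirect_uri = "http://127.0.0.1"                            # placeholder
    results = {}
    # 1. A legitimate installed client sends a challenge and keeps the verifier.
    verifier, challenge = make_pkce_pair()
    code = server.issue_code(build_auth_url(client_id, redirect_uri, SCOPES, challenge))
    results["pkce_code_without_verifier"] = server.exchange(code)            # stolen code alone
    code = server.issue_code(build_auth_url(client_id, redirect_uri, SCOPES, challenge))
    results["pkce_code_with_verifier"] = server.exchange(code, verifier)    # the real client
    # 2. The stripped request carries no challenge, so the bare code is enough.
    code = server.issue_code(build_auth_url(client_id, redirect_uri, SCOPES))
    results["stripped_code_without_verifier"] = server.exchange(code)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'tokens issued' if outcome else 'rejected'}")
```

Running demo() shows the code issued for the PKCE request is useless to anyone without the verifier, while the code from the stripped request is redeemable as-is. That portability is what lets an authorization code lifted out of the headless browser be exchanged for tokens somewhere else.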
Who Is Behind It
Researchers attribute this activity to the suspected ToddyCat APT group. These operators previously attempted to steal data directly from browsers and local email clients. However, endpoint protection platforms quickly caught those earlier methods.
According to the Kaspersky report: “The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API.”
Kaspersky labels the technique "Shadow Token via Remote Debug". The researchers tracked multiple versions of the tool, and these variants share distinct technical overlaps with previously identified ToddyCat campaigns.
Impact or Scale
The exact number of compromised organizations remains unconfirmed, but the access gained per victim is broad: the full mailbox, Google Drive files and corporate contacts, all reached through the official Google API with a valid token.
Nothing in that traffic looks different from ordinary Workspace client use, so traditional network monitoring rarely flags it. The operators can read sensitive messages, delete data and monitor internal communications, and because they never change the password or disturb the user's own session, the victim receives none of the password-reset alerts that a conventional account takeover would produce.
What Comes Next and Protection
Security teams should update their monitoring now. On endpoints, alert on browsers launched with --remote-debugging-port or --headless, on a --user-data-dir pointing outside the normal profile location, and on browser processes whose parent is neither the shell nor the browser itself.
In Google Workspace, audit the applications holding OAuth grants and the scopes they hold, paying particular attention to migration tools with mail, Drive or contacts access, and revoke any grant you cannot account for. Finally, make sure endpoint detection covers DLL sideloading: unexpected DLLs loaded by legitimate executables from user-writable directories.
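A starting point for the endpoint side of that advice, as an added example that is not from the Kaspersky report: a detection pass over constructed process-creation records (the fields imitate what Sysmon Event ID 1 or Windows event 4688 provide once command-line logging is enabled). It flags Chromium-based browsers started with remote-debugging or headless switches, a --user-data-dir outside the usual profile path, or an unexpected parent process, and separately watch-lists the sideloading host names the report mentions. The log format, browser list, expected-parent set and profile-path pattern are assumptions to tune for your environment.

```python
"""Added example: hunt process-creation logs for the browser launch pattern
described above.  Sample records are constructed, not real telemetry."""
import re

# Assumptions to tune per environment.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
EXPECTED_PARENTS = {"explorer.exe"} | BROWSERS          # shell launch or browser child
SIDELOAD_HOSTS = {"googledesktop.exe", "vstestvideorecorder.exe", "bdsubwiz.exe"}  # from the report
NORMAL_PROFILE_RE = re.compile(
    r"\\AppData\\Local\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\?$",
    re.IGNORECASE,
)
# Matches --switch, --switch=value and --switch="quoted value" on a command line.
FLAG_RE = re.compile(r'--([A-Za-z0-9-]+)(?:=("[^"]*"|\S+))?')

# Constructed records: key=value fields separated by "|".
SAMPLE_LOG = [
    r'Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Users\Public\GoogleDesktop.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=9222 --user-data-dir="C:\Users\alice\AppData\Local\Temp\~bak" --no-first-run',
    r'Image=C:\Users\Public\GoogleDesktop.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=GoogleDesktop.exe',
    r'Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer',
]


def parse_record(line):
    """Split 'Key=Value|Key=Value' into a dict; values may themselves contain '='."""
    record = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        record[key.strip()] = value
    return record


def basename(path):
    """Lower-cased file name from a Windows path, quotes removed."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def switches(cmdline):
    """Map of lower-cased --switch names to their (unquoted) values."""
    return {name.lower(): value.strip('"') for name, value in FLAG_RE.findall(cmdline)}


def analyze(record):
    """Return a list of human-readable findings for one process-creation record."""
    findings = []
    image = basename(record.get("Image", ""))
    parent = basename(record.get("ParentImage", ""))
    opts = switches(record.get("CommandLine", ""))
    if image in BROWSERS:
        if "remote-debugging-port" in opts or "remote-debugging-pipe" in opts:
            findings.append("browser started with DevTools remote debugging enabled")
        if "headless" in opts:  # covers --headless and --headless=new
            findings.append("browser started headless")
        profile_dir = opts.get("user-data-dir")
        if profile_dir and not NORMAL_PROFILE_RE.search(profile_dir):
            findings.append(f"non-standard --user-data-dir: {profile_dir}")
        # Child processes (--type=renderer etc.) legitimately have the browser as parent.
        if "type" not in opts and parent not in EXPECTED_PARENTS:
            findings.append(f"browser launched by unexpected parent: {parent}")
    if image in SIDELOAD_HOSTS:
        findings.append("execution of a DLL-sideloading host named in the report (review load path)")
    return findings


def scan(lines):
    """Run analyze() over raw log lines; return (image, findings) for each hit."""
    hits = []
    for line in lines:
        record = parse_record(line)
        findings = analyze(record)
        if findings:
            hits.append((basename(record.get("Image", "")), findings))
    return hits


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_LOG):
        print(image)
        for finding in findings:
            print("  -", finding)
```

The second sample record trips all four browser checks at once, which is the combination to alert on; a lone --headless launch is common in build and test tooling, so weight the remote-debugging switch, the odd profile path and the parent process higher than headless mode by itself.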