The threat actor known as ToddyCat has been attributed to a new malware called Umbrij that's designed to gain surreptitious access to a victim's email correspondence via the Google API.
"In this campaign, the attackers focused their attention on corporate email communications hosted on Gmail, targeting access compromise via APIs," Kaspersky said in a detailed report published this week. "Because the Google API relies on the OAuth 2.0 protocol for authorization, applications can use an OAuth token to access requested email resources."
The adversary is said to have developed Umbrij to acquire this token and use it to connect to the browser's management console in headless mode via a remote debugging port.
Subsequently, a series of requests was issued to obtain an OAuth authorization code, which was then exchanged for an access token to reach the target resources via the API. The technique has been codenamed Shadow Token via Remote Debug (STRD) by the Russian cybersecurity vendor.
What's notable about the attack is that it's viable on Chromium-based browsers and exploits an active Gmail session. In other words, the idea is to launch the browser in headless mode, connect via the remote debugging port to seize control, and leverage an already logged-in Gmail session to obtain access to the Google account resources.
Three different versions of Umbrij have been uncovered, including versions that feature helper functions for debugging and for searching and selecting user accounts within the browser.
ToddyCat is the name assigned to an advanced persistent threat (APT) that has a history of targeting various organizations in Europe and Asia since at least 2020. In November 2025, Kaspersky detailed the hacking group's use of a custom tool dubbed TCSectorCopy to lay their hands on Microsoft Outlook email data belonging to targeted companies.
The cybersecurity company said it discovered Umbrij during what it described as a "threat hunting operation," as part of which a scheduled task impersonating its software ("KasperskyEndpointSecurityEDRAvp") was used to launch a digitally signed file. The signed file then employed DLL side-loading to launch Umbrij.
To accomplish this task, three legitimate binaries susceptible to DLL side-loading were abused -
- BDSubWiz.exe, a component of the Submission Wizard in Bitdefender ConnectAgent
- VSTestVideoRecorder.exe, a component of the video-recording tool used for testing with Microsoft Visual Studio
- GoogleDesktop.exe, a discontinued Google Desktop Search application used for indexing files and performing quick searches on a local Windows computer
Regardless of the executable used, the end result is the same: launching the rogue Umbrij DLL written in .NET and obfuscated with ConfuserEx, an open-source obfuscator. The tool can also be invoked along with command-line parameters that specify which browsers to target (Google Chrome or Microsoft Edge), instruct it to save a screenshot of the user profile as a PDF file, and provide the system username under which the tool will run.
[Figure: Umbrij workflow diagram]
Umbrij, once launched, performs a series of preparatory actions on a compromised Windows host to breach the Gmail account -
- Verify the availability of the port that will be designated for browser debugging.
- Retrieve the user context by searching for the "explorer.exe" process and duplicating the token of the first such process it encounters in order to retain all of that logged-in user's privileges. Alternatively, the -user <username> switch can be used alongside the tool to specify the target user whose token needs to be duplicated.
- Construct the path to the web browser application folder within the user's local application data repository and then parse the Local State file corresponding to Chrome or Edge to gather information about stored browser user profiles.
- Enumerate all profiles and scan them for a field named "user_name" that includes an email address. It's worth noting that the presence of an email address signals that the user is authenticated to a Google service.
- Create a directory called "BackupFiles" within "%LOCALAPPDATA%\Google\Chrome\" and "%LOCALAPPDATA%\Microsoft\Edge\".
- Copy the following files and folders of each target user profile into them: IndexedDB, Local Storage, Network, Login Data, Login Data For Account, Preferences, Secure Preferences, and Web Data. Should these files be locked by other processes, the tool includes a force-copy mechanism.
- Search the "Program Files" and "Program Files (x86)" folders for the browser installation folder for Chrome and Edge.
- Launch the browsers in headless mode by using the user profile copied to the "BackupFiles" folder, causing the browser to apply all active user cookies, including the signed-in Google account, and skip authentication.
- Use Puppeteer, a JavaScript library used for controlling Chromium-based browsers via the Chrome DevTools Protocol, to connect to the remote debugging port and send an authorization code request that directs the browser to an "accounts.google[.]com/o/oauth2/v2/auth/identifier" URL containing a "client_id" that corresponds to a migration tool used for importing local PST files and data from Microsoft Exchange accounts into a Google Workspace account. The HTTP GET request also specifies the set of permissions required by the application. After navigating to the URL, use JavaScript to emulate mouse click events that select the appropriate Google account and grant it the necessary permissions, including full access to Gmail, Drive, Contacts, Calendar, and Tasks.
- Redirect the browser session to a local address specified in the initial request and extract the OAuth authorization code from it.
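As an added example (not part of the original report, and not Kaspersky's or ToddyCat's code), the following Python detection logic flags the launch pattern described in the steps above from process-creation telemetry: a Chrome or Edge process started headless with a remote debugging port, loading a profile copied into a "BackupFiles" directory, and spawned by one of the DLL side-loading host binaries named earlier. It assumes Sysmon-style event fields (ProcessId, Image, CommandLine, ParentImage) and the standard Chromium switches --headless, --remote-debugging-port and --user-data-dir; the report does not state the exact switches Umbrij passes, so those are assumptions, and the sample events and file paths are constructed.

```python
"""Detection for the headless-browser / remote-debugging launch pattern (added example).

Assumes Sysmon Event ID 1 style process-creation records and standard Chromium
command-line switches; the sample telemetry below is constructed, not captured.
"""
import re
from typing import Dict, List, Tuple

BROWSERS = {"chrome.exe", "msedge.exe"}
# Legitimate binaries the report names as DLL side-loading hosts for Umbrij.
SIDELOAD_HOSTS = {"bdsubwiz.exe", "vstestvideorecorder.exe", "googledesktop.exe"}
# Name of the copied-profile directory the report describes.
BACKUP_DIR = "backupfiles"

# Matches --switch, --switch=value and --switch="quoted value".
SWITCH_RE = re.compile(r'--([a-z0-9-]+)(?:=("[^"]*"|\S+))?', re.IGNORECASE)


def parse_switches(cmdline: str) -> Dict[str, str]:
    """Return Chromium-style switches from a command line as {name: value}."""
    return {m.group(1).lower(): (m.group(2) or "").strip('"')
            for m in SWITCH_RE.finditer(cmdline)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_event(event: Dict[str, object]) -> List[str]:
    """Return the reasons a process-creation event matches the STRD launch pattern.

    An empty list means the event is not a browser launch or shows none of
    the indicators. Several reasons together are a much stronger signal than
    one: a developer running a headless browser with a debug port is common,
    but not from a BackupFiles profile and not under a side-loading host.
    """
    reasons: List[str] = []
    if basename(str(event["Image"])) not in BROWSERS:
        return reasons
    switches = parse_switches(str(event["CommandLine"]))
    debug_port = switches.get("remote-debugging-port")
    if "headless" in switches and debug_port:
        reasons.append(f"headless browser with remote debugging port {debug_port}")
    if BACKUP_DIR in switches.get("user-data-dir", "").lower():
        reasons.append("profile loaded from a BackupFiles copy")
    parent = basename(str(event.get("ParentImage", "")))
    if parent in SIDELOAD_HOSTS:
        reasons.append(f"spawned by DLL side-loading host {parent}")
    return reasons


def scan(events: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """Return (ProcessId, reasons) for every event with at least one indicator."""
    findings = []
    for event in events:
        reasons = assess_event(event)
        if reasons:
            findings.append((int(event["ProcessId"]), reasons))
    return findings


# Constructed sample telemetry: a normal launch, a developer's headless run,
# and an Umbrij-like launch under a side-loading host with a copied profile.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"ProcessId": 4100,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4120,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r"chrome.exe --headless --remote-debugging-port=9222 --user-data-dir=C:\Temp\devprofile",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4132,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless '
                    r'--remote-debugging-port=9222 '
                    r'--user-data-dir="C:\Users\alice\AppData\Local\Microsoft\Edge\BackupFiles\Default"',
     # Constructed location for the side-loading host; the report gives none.
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\BDSubWiz.exe"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Only the third event collects all three indicators; treating the count of matched indicators as a severity score keeps the developer's legitimate headless run as a low-priority hit while the copied-profile and side-loading-parent conditions single out the pattern the report describes.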
"Umbrij, like most other tools in ToddyCat’s arsenal, logs its actions in detail and saves them to a file," Kaspersky said. "It also saves the retrieved authorization code to this log file, which the operator subsequently exfiltrates from the compromised host."
"The acquired authorization code is then exchanged for an OAuth access token. The threat actors use that token to connect to the Gmail account through the API, thus compromising corporate email communications."
To counter the threat, it's advised to review the third-party applications that have been granted access to the account by navigating to "myaccount.google[.]com/connections" and looking for applications named "Google Workspace Migration for Microsoft Outlook" or "Google Workspace Sync for Microsoft Outlook." If either of those applications is present and is not actually used within the organization, it's essential to revoke its access, which invalidates the OAuth tokens.
"The ToddyCat APT group continues to search for ways of compromising corporate email communications," Andrey Gunkin, senior malware analyst at Kaspersky, said. "Their new tool, Umbrij, automates the attackers’ attempts to gain access to organizational email accounts. This automation not only helps increase the scale and frequency of their attacks but also demonstrates ToddyCat’s strong motivation and advanced technical skills."
from The Hacker News https://ift.tt/HFyew81
via IFTTT