
New Lumma malware update can restore expired Google cookies


An information-stealing malware called “Lumma” or “Lumma Stealer” has recently rolled out a new feature that claims to be able to restore expired Google authentication cookies. Lumma was first discovered in 2022 and operates as a malware-as-a-service. Lumma Stealer uses a subscription-based plan where threat actors can rent and distribute the malware. In its most recent update, Lumma Corporate tier members who pay $1000 USD per month now have the capability to restore expired Google authentication cookies. If a threat actor gains access to these cookies, they can impersonate the user associated with the account and bypass standard login procedures.

Google authentication/session cookies are small pieces of data stored on a user’s device that identify their login session. These cookies are what keep a user authenticated across pages and browser sessions without re-entering credentials, and they span various Google services, not just Gmail. A threat actor who obtains a valid session cookie can effectively hijack the victim’s Google account. Cookies carry expiration dates as a security measure designed to limit the window of opportunity for attackers, and the combination of expiration and other server-side checks makes it harder for a stolen cookie to be used successfully.
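To make the two defensive properties above concrete, here is an added example of a minimal server-side session store; it is illustrative code written for this page, not Google’s implementation, and the helper names (`SessionStore`, `change_password`, `SESSION_TTL`) and the sample account are assumptions. It shows why a stolen cookie normally has a bounded lifetime: the server rejects a cookie once its TTL has elapsed, and a password change bumps a per-account generation counter so that every session issued before the change is refused, even if the cookie bytes themselves are still in an attacker’s hands.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Per-deployment secret used to key the session store (constructed for this example).
SERVER_SECRET = secrets.token_bytes(32)
# Seconds a session cookie stays valid after issuance (assumed value).
SESSION_TTL = 3600


@dataclass
class Account:
    username: str
    # Incremented on every password change; sessions remember the value they were issued under.
    password_generation: int = 0


@dataclass
class Session:
    username: str
    issued_at: float
    password_generation: int


class SessionStore:
    """In-memory session store: opaque random cookies, TTL enforcement, credential-change revocation."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(cookie: str) -> str:
        # Store only an HMAC of the cookie value, so a dump of the store does not yield usable cookies.
        return hmac.new(SERVER_SECRET, cookie.encode(), hashlib.sha256).hexdigest()

    def issue(self, account: Account, now: float) -> str:
        # 256 bits of randomness: the cookie is an opaque handle, not an encoded claim.
        cookie = secrets.token_bytes(32).hex()
        self._sessions[self._key(cookie)] = Session(
            username=account.username,
            issued_at=now,
            password_generation=account.password_generation,
        )
        return cookie

    def validate(self, cookie: str, accounts: Dict[str, Account], now: float) -> Optional[str]:
        """Return the username the cookie authenticates, or None if it must be rejected."""
        key = self._key(cookie)
        sess = self._sessions.get(key)
        if sess is None:
            return None  # unknown or forged cookie
        if now - sess.issued_at > SESSION_TTL:
            del self._sessions[key]  # expired: drop it so it can never be replayed
            return None
        account = accounts.get(sess.username)
        if account is None or account.password_generation != sess.password_generation:
            del self._sessions[key]  # issued before a password change: revoked
            return None
        return sess.username


def change_password(account: Account) -> None:
    # The real password update is omitted; the generation bump is what revokes old sessions.
    account.password_generation += 1


def run_demo() -> Dict[str, Optional[str]]:
    """Walk through issue / expiry / revocation with constructed timestamps."""
    alice = Account("alice")
    accounts = {"alice": alice}
    store = SessionStore()
    results: Dict[str, Optional[str]] = {}

    cookie = store.issue(alice, now=1000.0)
    results["fresh"] = store.validate(cookie, accounts, now=1500.0)
    results["after_ttl"] = store.validate(cookie, accounts, now=1000.0 + SESSION_TTL + 1)

    cookie2 = store.issue(alice, now=2000.0)
    change_password(alice)
    results["after_password_change"] = store.validate(cookie2, accounts, now=2100.0)
    results["forged"] = store.validate("deadbeef", accounts, now=2100.0)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {'accepted as ' + outcome if outcome else 'rejected'}")
```

The design choice worth noting for detection and response teams: because revocation is keyed on a server-side generation counter rather than on the cookie contents, a leaked cookie cannot be “restored” by the client; whatever a stealer exfiltrates is only as good as the server’s willingness to honor it.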


Alon Gal, the CTO of Hudson Rock, first discovered the Lumma update that claims to be able to revive cookies. The update indicates it can extract non-expirable Google cookies from infected devices, even if the owner changes passwords. Lumma developers claim this is “perhaps, the biggest update since the opening of the project.” Notably, another information-stealing malware called Rhadamanthys recently announced a similar capability. When asked about this by Bleeping Computer, a Lumma agent claimed the feature was copied from Lumma Stealer.

Lumma’s latest update claims to revive expired Google authentication cookies

The capabilities of Lumma Stealer have yet to be verified by Google or security researchers. If Lumma’s claim holds, the ability to “restore dead cookies using a key from restore files (applies only to Google cookies)” is rather frightening. Google, seemingly aware of the threat, released an update that introduced some restrictions on tokens. Consequently, Lumma countered with an update that “fixed Google logs.”

Stealing Google session cookies opens up a whole lot of issues. Threat actors gain direct access to Google accounts, allowing them to exploit a range of sensitive information. Moreover, an attacker could impersonate the victim, bypassing login procedures and gaining control over their email, documents, contacts, and other personalized settings. They could send emails or messages on behalf of the victim and potentially compromise other linked accounts if the victim uses their Google credentials to sign in to multiple services. So, yes, this is a severe threat.