
New 'Ambrize' Malware Exploits Google API to Steal Corporate Gmail Data


Cybercriminals are deploying a new malware strain named 'Ambrize' to secretly access corporate Gmail accounts and steal sensitive emails. Cybersecurity firm Kaspersky has linked this malware to the hacking group 'TAUDiCAT', which specializes in advanced persistent threats. Ambrize is specifically designed to exploit Google's Application Programming Interfaces (APIs), which are used to grant access to various Google services, enabling unauthorized access to user emails and other data. The primary targets of this campaign appear to be corporate email systems heavily reliant on Gmail.

The malware leverages the 'OAuth 2.0' protocol, which manages third-party app access to Google services. When a user grants permission, the app gains access to specific data. Ambrize manipulates this authorization process by first launching a browser in headless mode and gaining control through remote debugging ports. It then sends multiple requests to collect OAuth authorization codes, which are exchanged for access tokens, granting entry to Google services. Researchers have dubbed this technique 'Shadow Token via Remote Debug' (STRD). A particularly concerning aspect is its ability to utilize active Gmail sessions in Chromium-based browsers, allowing it to access account information by hijacking existing user sessions.

Kaspersky identified three versions of Ambrize, some of which can also identify and select specific user accounts saved in the browser. TAUDiCAT has been targeting organizations in Europe and Asia since at least 2020. Kaspersky previously reported TAUDiCAT's attempts to steal Microsoft Outlook emails using a tool called 'TractorCopy'. Ambrize was discovered during a threat hunting operation, disguised as a legitimate Kaspersky Endpoint Security EDR task. It was activated using DLL side-loading, exploiting files from legitimate software like Bitdefender's 'BDSubWiz', Microsoft Visual Studio's 'VS Test Video Recorder', and the defunct Google Desktop. Once active, Ambrize, built on the .NET platform and obfuscated with 'ConfuserEx', verifies the browser's debugging port, copies login tokens, identifies email addresses in Chrome or Edge profiles, and then initiates a headless browser session using active cookies and login data.

Using the 'Puppeteer' JavaScript library, Ambrize establishes a connection to the browser and sends an authorization request to a Google endpoint, utilizing a client ID typically used for migrating data from Microsoft Outlook/Exchange to Google Workspace. It then simulates mouse clicks to grant necessary permissions, gaining full access to Gmail, Google Drive, Contacts, Calendar, and Tasks. Finally, it collects the OAuth authorization code, stores it in a log file for the attackers, and uses it to obtain an access token, thereby compromising corporate email communications. Kaspersky advises users to regularly review authorized apps in their Google Account's 'Connections' page, specifically checking for apps like 'Google Workspace Migration for Microsoft Outlook' or 'Google Workspace Sync for Microsoft Outlook', and revoking access if they are not in use, as this will invalidate the associated OAuth tokens.
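As an added illustration of where a defender can observe the two stages described above (this is not code from Kaspersky or from the article), the Python below flags a Chromium-based browser started with a remote debugging switch, and flags grants of mail or Drive scopes to the two Outlook-migration app names the advisory tells users to review. The process command lines and token events are constructed samples, and the event shape is a simplified assumption rather than Google's real Workspace audit schema.

```python
import re

# Real Chromium switches; everything else below is constructed for this example.
BROWSER_RE = re.compile(r'(?:^|[\\/])(?:chrome|msedge)(?:\.exe)?"?(?:\s|$)', re.I)
DEBUG_RE = re.compile(r"(?:^|\s)--remote-debugging-(?:port|pipe)\b")
HEADLESS_RE = re.compile(r"(?:^|\s)--headless\b")

# App names the advisory says to review, and hints for the data scopes it lists.
SUSPECT_APPS = {"Google Workspace Migration for Microsoft Outlook",
                "Google Workspace Sync for Microsoft Outlook"}
SCOPE_HINTS = ("mail.google.com", "gmail", "drive", "contacts", "calendar", "tasks")


def classify_browser_launch(cmdline: str):
    """Return 'remote-debug+headless', 'remote-debug', or None for one process command line.
    Headless alone is common in automation; the remote debugging switch is the pivot."""
    if not BROWSER_RE.search(cmdline) or not DEBUG_RE.search(cmdline):
        return None
    return "remote-debug+headless" if HEADLESS_RE.search(cmdline) else "remote-debug"


def suspicious_oauth_grants(events):
    """List (user, app, scopes) for grants to the advisory's app names with mail/drive scopes.
    The event shape is a constructed simplification, not the real Workspace audit schema."""
    hits = []
    for ev in events:
        if ev.get("event") != "authorize" or ev.get("app_name") not in SUSPECT_APPS:
            continue
        scopes = ev.get("scope", [])
        if any(h in s.lower() for s in scopes for h in SCOPE_HINTS):
            hits.append((ev["actor"], ev["app_name"], sorted(scopes)))
    return hits


# Constructed sample telemetry: process command lines and token-grant events.
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
    r'--remote-debugging-port=9222 --user-data-dir="C:\Users\bob\AppData\Local\Google\Chrome\User Data"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'"C:\tools\runner.exe" --remote-debugging-port=9222',
]
SAMPLE_TOKEN_EVENTS = [
    {"event": "authorize", "actor": "bob@example.com",
     "app_name": "Google Workspace Migration for Microsoft Outlook",
     "scope": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"event": "authorize", "actor": "ann@example.com", "app_name": "Corporate Calendar Sync",
     "scope": ["https://www.googleapis.com/auth/calendar"]},
    {"event": "authorize", "actor": "cat@example.com",
     "app_name": "Google Workspace Sync for Microsoft Outlook", "scope": ["openid", "email"]},
]
```

Run `classify_browser_launch` over each process-creation command line from endpoint telemetry and `suspicious_oauth_grants` over exported token-grant events; only the first sample command line and the first token event are flagged.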

AI Analysis

This incident highlights a sophisticated exploitation of standard authentication protocols, specifically OAuth 2.0, by the TAUDiCAT group using the Ambrize malware. The technique, termed 'Shadow Token via Remote Debug' (STRD), bypasses traditional security measures by leveraging existing authenticated sessions and remote debugging capabilities within Chromium-based browsers. The malware's ability to masquerade as legitimate software and exploit trusted applications demonstrates a growing trend in advanced persistent threats (APTs) to blend in with normal network activity. The reliance on Google's API infrastructure, while enabling vast functionality, also presents a concentrated attack surface. Organizations must implement rigorous oversight of third-party application permissions and continuously monitor for anomalous access patterns. From a future-proofing perspective, the increasing sophistication of malware in exploiting user session data and authentication flows necessitates a shift towards more robust, multi-factor authentication mechanisms and potentially more granular, context-aware authorization policies that adapt to real-time risk assessments.


Compiled by NewsGPT from Prothom Alo (BD).