The developer of the information-stealing malware Lumma claims it can restore Google account login sessions

Security firm Hudson Rock and the security news site Bleeping Computer reported that the developers of the information-stealing malware Lumma recently advertised a new feature: stealing cookies tied to Google services from victims' computers, cookies that remain valid even after the user logs out.

Although these claims have not been verified by researchers or by Google, the ability to hijack victims' Google accounts does not appear to be unique to Lumma; other criminals are reported to have mastered similar techniques. Three days later, researcher g3njxa found that the operators of the Rhadamanthys stealer also claimed to offer a similar function. This matches the statement the Lumma developer gave Bleeping Computer, namely that competitors were likely to copy the feature from their stealer.


Bleeping Computer contacted Google to confirm this but received no response. A few days later, however, the Lumma developer said that Google had recently introduced new restrictions on the tokens, and that they had released an update to counter this measure, so buyers could still use the feature to take control of victims' Google accounts.


Hudson Rock researchers then examined the new-format cookie the criminals advertised, recovered from computers infected with the Lumma stealer. They found that it worked as advertised: after injecting the cookie into a browser they could access the victim's Google account, and the cookie did not appear to expire.

However, when they asked the victim to change their Gmail password before testing again, the cookie was no longer valid. The researchers sought an explanation from the Lumma developers, who told them that attackers must use an "anti-detect browser" to obfuscate their own device fingerprint and impersonate the configuration of the victim's computer. The researchers also invited other security companies to join the investigation and offered to share the cookie files they had obtained.

This is not the first time unusual techniques have been used

Does this stealer really have the features its developers advertise? No security researcher has confirmed this yet, but it is not the first time these criminals have introduced rarely seen tricks into information-stealing malware.

For example, security firm Outpost24 previously documented attacks by the Lumma stealer. Researchers analysed Lumma Stealer version 4.0 and found that its developers used very sophisticated techniques to evade detection, including control flow flattening obfuscation, detection of human mouse behaviour, XOR encryption and support for dynamic configuration files.

The most distinctive feature is the detection of human mouse movement. To determine whether it is running in a researcher's sandbox, the malware uses trigonometry to track the mouse cursor: it records 50 cursor positions at 5 millisecond intervals, computes Euclidean vectors between them, and if the resulting angle is less than 45 degrees it treats the movement as human and proceeds to execute the stealer.
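The mouse-trail check described above, reimplemented here as an added example (not Lumma's code, nor Outpost24's) so that sandbox operators can see why a cursor that teleports between points, or never moves at all, fails it. The sample trails are constructed, and the exact formula is an assumption based on the description: the angle between consecutive Euclidean displacement vectors must stay below the threshold.

```python
import math


def _angle_deg(v1, v2):
    """Angle in degrees between two 2-D displacement vectors (Euclidean)."""
    n1 = math.hypot(*v1)
    n2 = math.hypot(*v2)
    if n1 == 0 or n2 == 0:
        return None  # cursor did not move; there is no direction to compare
    cos_a = (v1[0] * v2[0] + v1[1] * v2[1]) / (n1 * n2)
    return math.degrees(math.acos(max(-1.0, min(1.0, cos_a))))


def looks_human(positions, threshold_deg=45.0):
    """Assumed reconstruction of the heuristic: every turn between consecutive
    displacement vectors must be smaller than threshold_deg.
    A stationary cursor (fewer than two non-zero displacements) is treated as
    non-human, which is the failure mode a sandbox without mouse emulation hits."""
    vectors = [(x2 - x1, y2 - y1)
               for (x1, y1), (x2, y2) in zip(positions, positions[1:])]
    vectors = [v for v in vectors if v != (0, 0)]
    if len(vectors) < 2:
        return False
    for v1, v2 in zip(vectors, vectors[1:]):
        a = _angle_deg(v1, v2)
        if a is None or a >= threshold_deg:
            return False
    return True


def smooth_trail(n=50):
    """Constructed sample: a gently curving path, like a hand moving the mouse."""
    return [(round(200 + 4 * i), round(300 + 0.02 * i * i)) for i in range(n)]


def teleporting_trail(n=50):
    """Constructed sample: the cursor jumping between screen corners, as naive
    automation does; consecutive vectors turn by roughly 150 degrees."""
    corners = [(0, 0), (1919, 1079), (0, 1079), (1919, 0)]
    return [corners[i % 4] for i in range(n)]


if __name__ == "__main__":
    print("smooth trail     ->", looks_human(smooth_trail()))       # True
    print("teleporting trail ->", looks_human(teleporting_trail()))  # False
    print("stationary cursor ->", looks_human([(100, 100)] * 50))    # False
```

A sandbox that only wants to observe the payload therefore needs to emulate a continuous, gradually turning cursor path for at least the 250 ms sampling window, rather than clicking at random coordinates.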
