VTA-004470 – Lumma Malware Claims to Have the Ability to Renew Expired Google Authentication Cookies
The Lumma information-stealer malware, also known as ‘LummaC2,’ is reportedly a new feature that allegedly enables cybercriminals to revive expired Google cookies, potentially leading to unauthorized access to Google accounts. Session cookies, designed to facilitate automatic login during a browsing session, typically have limited lifespans for security purposes. Lumma’s claimed ability to restore expired cookies would enable illegal access even after users have logged out or their sessions have ended. The feature, mentioned in a forum post by the malware’s developers, was introduced in a November 14 update and is exclusively available to subscribers of the high-tier ‘Corporate’ plan, priced at $1,000 per month. While the efficacy of this feature remains unverified by security experts or Google, its introduction raises concerns about potential security vulnerabilities in organizations, particularly if similar capabilities are adopted by other malware, as seen with Rhadamanthys. Lumma’s developers released an additional update following contact with Google, purporting to address newly imposed restrictions aimed at preventing cookie restoration.
Technical Impact Analysis:
Loss of Accountability, Loss of Confidentiality
T1195 – Supply Chain Compromise
T1114 – Email Collection
T1059 – Command and Scripting Interpreter
Indicator of Compromise:
SuperPRO’s Threat Countermeasures Procedures:
1. Maintain up-to-date security software, including antivirus and anti-malware solutions.
2. Keep Google Chrome updated to address security vulnerabilities regularly released by Google.
3. Implement robust user activity monitoring and anomaly detection systems for enhanced protection.
4. Enable multi-factor authentication on all accounts, especially those associated with critical systems and applications.
5. Do not download files from untrusted sources. This includes torrent files, executables, and files from links you receive in emails or messages.
6. Exercise caution when clicking on links, even those that appear legitimate, as they could be phishing links directing you to a fake website resembling the real one.
7. In case of suspected malware infection, scan your computer with a reputable antivirus program. Alternatively, contact Provintell for Compromise Assessment and Incident Response services.
Contributed by: Edward