The ToddyCat advanced persistent threat group has developed a sophisticated tool called Umbrij that compromises Gmail accounts by abusing OAuth authorization mechanisms in Chromium-based browsers. Kaspersky researchers discovered the malware during proactive threat hunting when they identified a suspicious scheduled task named "KasperskyEndpointSecurityEDRAvp" launching digitally signed files on user systems. The attackers deliberately chose this name to disguise their activity as a legitimate Kaspersky process, although the vendor does not create tasks with that designation.
Umbrij operates by connecting to browsers through remote debugging ports, a feature typically used for automated testing frameworks like Selenium. The tool launches Google Chrome or Microsoft Edge in headless mode (without a graphical interface) while loading copied user profile data that contains active session cookies. Because users often remain logged into their Gmail accounts, the browser maintains these authenticated sessions, which the attackers exploit to request OAuth authorization codes. They subsequently exchange these codes for access tokens that grant full API access to the victim's Google account resources. Kaspersky has designated this attack method as Shadow Token via Remote Debug (STRD).
The malware arrives on target systems through DLL sideloading, abusing legitimate signed applications including Bitdefender's BDSubWiz.exe, Visual Studio's VSTestVideoRecorder.exe, and the discontinued Google Desktop Search application. Umbrij itself is a .NET DLL obfuscated with ConfuserEx and accepts various command-line parameters that control its behavior. The tool can target specific user accounts through regex pattern matching, use custom debugging ports, and operate across multiple browser profiles simultaneously. Researchers have identified three distinct versions of the malware with varying capabilities.
Before executing its primary function, Umbrij performs extensive environment preparation. It verifies port availability for debugging connections, duplicates access tokens from the explorer.exe process to obtain user context (a technique also used in ToddyCat's TomBerBil tool), and searches the Local State configuration file to identify authenticated Google accounts. The malware then copies critical browser data including IndexedDB folders, login credentials, preferences, and web storage to backup directories. This preparation ensures the headless browser instance has all necessary authentication artifacts to maintain active sessions.
Organizations should implement several defensive measures to detect and prevent these attacks: monitor for scheduled tasks with names mimicking legitimate security software, watch for browser processes launched with remote debugging parameters (particularly the --remote-debugging-port flag), and review OAuth token generation events in Google Workspace audit logs. Kaspersky detects Umbrij variants as HEUR:Trojan-PSW.MSIL.Umbrij.gen and related signatures. Security teams should also restrict remote debugging capabilities in production environments, implement application whitelisting to prevent DLL sideloading, and enforce policies requiring users to log out of cloud services when not actively using them.
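As an added illustration of the monitoring advice above (example code, not from Kaspersky's report), the following Python triage script scores constructed process-creation events for the STRD pattern (a browser started with --remote-debugging-port, headless, from a copied profile, by an unexpected parent) and flags vendor-named scheduled tasks whose action runs from a user-writable path. The sample events, the parent-process allow-list and the user-writable-path heuristic are assumptions to be tuned per environment.

```python
import re
# Constructed sample telemetry (not from the report): process-creation events
# as an EDR or Sysmon-style pipeline might normalise them.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r"--headless --remote-debugging-port=9222 "
                r"--user-data-dir=C:\Users\alice\AppData\Local\Temp\profile_copy",
     "parent": r"C:\Users\alice\AppData\Local\Temp\BDSubWiz.exe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mail.google.com',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229',
     "parent": r"C:\Users\bob\.jenkins\node.exe"},
]

BROWSER_IMAGES = ("chrome.exe", "msedge.exe")
# Assumed allow-list of parents (CI/test agents) that legitimately use the debug port.
ALLOWED_PARENTS = ("\\.jenkins\\", "\\selenium\\", "\\playwright\\")
VENDOR_WORDS = ("kaspersky", "bitdefender")

def score_event(ev):
    """Return (score, reasons); each reason is one STRD-like trait of the event."""
    reasons = []
    if ev["image"].rsplit("\\", 1)[-1].lower() not in BROWSER_IMAGES:
        return 0, reasons
    flags = dict(re.findall(r"--([\w-]+)(?:=(\S+))?", ev["cmdline"]))
    if "remote-debugging-port" not in flags:   # the flag the report calls out
        return 0, reasons
    reasons.append("remote debugging on port " + flags["remote-debugging-port"])
    if "headless" in flags:
        reasons.append("headless browser")
    udd = flags.get("user-data-dir", "")
    if re.search(r"\\temp\\", udd, re.I):      # copied profile, not the live one
        reasons.append("profile loaded from a temporary directory: " + udd)
    if not any(a in ev["parent"].lower() for a in ALLOWED_PARENTS):
        reasons.append("unexpected parent process: " + ev["parent"])
    return len(reasons), reasons

def find_strd_candidates(events, threshold=3):
    """Parent path and reasons for every event scoring at or above the threshold."""
    scored = [(ev["parent"], score_event(ev)) for ev in events]
    return [(parent, reasons) for parent, (score, reasons) in scored if score >= threshold]

def suspicious_task(name, action_path):
    """Heuristic: vendor-like task name whose action runs from a user-writable path."""
    vendor_like = any(w in name.lower() for w in VENDOR_WORDS)
    return vendor_like and re.search(r"\\(users|temp)\\", action_path, re.I) is not None
```

Run against the constructed events, only the Chrome instance spawned by the sideloaded BDSubWiz.exe reaches the threshold; the Jenkins-driven Edge instance scores 1 because its parent is allow-listed.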
Source: https://securelist.com/toddycat-apt-umbrij-tool-and-oauth/120251/


