
Infostealer with persistent access to users’ Google accounts spreads across Europe

Rising infostealer malware is now capable of maintaining persistent access to users’ Google accounts – even after they reset their password.

Infostealer malware is a tool adversaries use to gather sensitive information from victims' devices. Once a device is infected, the malware inspects its configuration (for example, which antivirus is installed) and device information, then steals account credentials, saved browser data, cookies, login sessions, and even payment cards and crypto wallets. These data sets are then either used directly to further compromise the user and pivot deeper into the network, or sold on forums as so-called infostealer logs.

Infostealers are among the most prevalent and impactful cyber threats, targeting end users and enterprises. Over 60,000 users get infected every week. Infection by an infostealer can result in a complete compromise of all accounts that are currently logged in on the device, including online banking and emails.

LummaStealer is not easy to get rid of

One of the most notable in recent weeks is LummaStealer, a malware-as-a-service offered for sale on hacking forums, which has gained the ability not just to steal your data but to retain access to your Google account even after you reset your password and clean your device.

Lumma achieves this by abusing an authentication mechanism in Chromium browsers which, in legitimate use, provides the convenience of keeping the user's login session alive within the browser. By stealing the secret key used to refresh the authenticated session, the infostealer can generate a freshly refreshed, valid cookie for the Google account, and that cookie remains valid even after the user resets their password.
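The defender-side lesson of the paragraph above is that a password reset and session revocation are two different operations: if the long-lived refresh secret is not invalidated when the password changes, a copy of it keeps minting valid session cookies. The following model is an added illustration written for this page; it is not Google's, Chromium's, or Lumma's code. All names (`SessionService`, `refresh`, `reset_password`, the `revoke_on_reset` switch) and the in-memory account store are constructed for the example, and it shows the weak behaviour beside the hardened one.

```python
"""Model of why a password reset alone does not evict a stolen refresh token.

Constructed illustration for this article; not an implementation of any real
identity provider. The in-memory store stands in for a session backend.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    # Refresh tokens this account currently accepts (long-lived secrets).
    refresh_tokens: set = field(default_factory=set)


class SessionService:
    def __init__(self, revoke_on_reset: bool):
        # Weak behaviour: reset changes only the password hash.
        # Hardened behaviour: reset also evicts every refresh token.
        self.revoke_on_reset = revoke_on_reset
        self.accounts: dict[str, Account] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt=salt, password_hash=self._hash(password, salt))

    def login(self, user: str, password: str) -> str:
        """Verify the password and issue a new long-lived refresh token."""
        acct = self.accounts[user]
        if not hmac.compare_digest(self._hash(password, acct.salt), acct.password_hash):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        acct.refresh_tokens.add(token)
        return token

    def refresh(self, user: str, refresh_token: str) -> Optional[str]:
        """Mint a short-lived session cookie if the refresh token is still accepted."""
        acct = self.accounts[user]
        if refresh_token not in acct.refresh_tokens:
            return None
        return "session-" + secrets.token_hex(8)

    def reset_password(self, user: str, new_password: str) -> None:
        acct = self.accounts[user]
        acct.password_hash = self._hash(new_password, acct.salt)
        if self.revoke_on_reset:
            # The part the weak design is missing: a reset must also revoke
            # every refresh token, otherwise a previously copied token survives.
            acct.refresh_tokens.clear()


def copied_token_survives_reset(revoke_on_reset: bool) -> bool:
    """Simulate: user logs in, the refresh token is copied off the device,
    the user resets the password. Return True if the copy still works."""
    svc = SessionService(revoke_on_reset=revoke_on_reset)
    svc.register("alice", "old-password")
    copied_token = svc.login("alice", "old-password")  # copy taken before the reset
    svc.reset_password("alice", "new-password")
    # The legitimate user can always log in again with the new password.
    assert svc.login("alice", "new-password")
    return svc.refresh("alice", copied_token) is not None


if __name__ == "__main__":
    print("weak design, copy still refreshes:", copied_token_survives_reset(False))
    print("hardened design, copy still refreshes:", copied_token_survives_reset(True))
```

The practical takeaway for incident response is to look for a "sign out of all sessions" or "revoke all tokens" action in the identity provider and use it alongside the password change; the reset by itself only rotates the credential the attacker no longer needs.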

Lumma is spread either via phishing campaigns with malicious attachments, usually masked as invoices or sales offers, or in infected versions of pirated software on file-sharing or torrent sites. Its attack chain relies on DNS communication in multiple stages, from initial download to data exfiltration. Whalebone Protective DNS can therefore prevent data theft and even the initial infection.
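To make the protective-DNS point concrete, here is an added example of the policy check such a resolver applies: each query name is matched against a blocklist on label boundaries (so a blocked parent domain also catches its subdomains, while a look-alike name that merely ends in the same characters is not matched), and blocked queries are tallied per client so the infected host surfaces for triage. This is illustration code written for this article, not Whalebone's product code; the blocklist entries, client addresses and the log line format are all constructed.

```python
"""Protective-DNS style policy evaluation over constructed resolver log lines.

Constructed illustration; the blocklist, hosts and log format are invented
for this example and do not describe any real infrastructure.
"""
from collections import Counter
from typing import List, Tuple

# Constructed blocklist. A real deployment consumes threat-intel feeds.
BLOCKLIST = {"malware-stage.example", "exfil-host.example"}

# Constructed resolver log: timestamp, client, query type, query name.
LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 A cdn.legit.example
2024-05-01T10:00:03Z 10.0.0.12 A dl.malware-stage.example.
2024-05-01T10:00:09Z 10.0.0.12 TXT c2.exfil-host.example
2024-05-01T10:00:15Z 10.0.0.7 A mail.legit.example
2024-05-01T10:00:18Z 10.0.0.7 A notmalware-stage.example
2024-05-01T10:00:20Z 10.0.0.12 A EXFIL-HOST.example
"""


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if the name or any parent domain is on the blocklist.

    Matching is done label by label, so "dl.malware-stage.example" is caught
    by "malware-stage.example" but "notmalware-stage.example" is not.
    """
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_line(line: str) -> Tuple[str, str, str, str]:
    ts, client, qtype, qname = line.split()
    return ts, client, qtype, qname


def evaluate(log_text: str, blocklist=BLOCKLIST):
    """Return (decisions, blocked_per_client).

    decisions: list of (client, qname, "BLOCK" | "ALLOW") in log order.
    blocked_per_client: Counter of blocked queries keyed by client address.
    """
    decisions: List[Tuple[str, str, str]] = []
    blocked_per_client: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, _, qname = parse_line(line)
        verdict = "BLOCK" if is_blocked(qname, blocklist) else "ALLOW"
        decisions.append((client, qname, verdict))
        if verdict == "BLOCK":
            blocked_per_client[client] += 1
    return decisions, blocked_per_client


if __name__ == "__main__":
    decisions, per_client = evaluate(LOG)
    for client, qname, verdict in decisions:
        print(f"{verdict:5} {client:10} {qname}")
    print("blocked queries per client:", dict(per_client))
```

Because the malware's download, command channel and exfiltration each depend on a name resolving, a single blocked lookup early in the chain stops the later stages from ever being reached; the per-client counter is what turns the resolver log into an incident lead.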