Full Report
An in-depth analysis of Umbrij, a new tool used by the ToddyCat APT group to compromise corporate email communications in Gmail. The attack targeted OAuth authorization tokens, allowing threat actors to gain access to Google services.
Analysis Summary
# Threat Actor: ToddyCat
## Attribution & Identity
ToddyCat is a sophisticated Advanced Persistent Threat (APT) actor that has been active since at least December 2020. Public reporting has not conclusively attributed the group to a specific country, but it is known for high-end cyber-espionage operations against government and corporate entities in Europe and Asia.
* **Aliases:** None widely cited; the group is tracked as distinct from better-known actors such as APT28 and APT29.
* **Known Associations:** Often associated with the use of the **Ninja Trojan** and specialized loaders.
## Activity Summary
The recent campaign involves the use of a new specialized tool named **Umbrij**. Rather than attacking the login itself, the tool targets **OAuth authorization tokens** already issued to the victim. With a valid stolen token, ToddyCat can call Gmail and other Google services as the user without supplying the primary password and without triggering a Multi-Factor Authentication (MFA) prompt, because the token is the proof that authentication has already taken place.
## Tactics, Techniques & Procedures
ToddyCat demonstrates a high level of technical proficiency in post-exploitation and credential theft.
* **OAuth Token Theft:** Extracts OAuth tokens from the compromised host and replays them to act as the signed-in user.
* **Email Collection:** Systematic harvesting of corporate emails from Gmail.
* **Living off the Land:** Use of legitimate utilities already present on the host, alongside the group's custom tooling, to maintain a low profile.
* **Bypassing MFA:** MFA is sidestepped rather than defeated: a stolen OAuth token is post-authentication material, so no second factor is requested when it is replayed.
* **Persistence:** Use of custom loaders to ensure tools remain active on the compromised host.
**MITRE ATT&CK IDs:**
* **T1528:** Steal Application Access Token
* **T1114.002:** Email Collection: Remote Email Services
* **T1550.001:** Use Alternate Authentication Material: Application Access Token
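Why a stolen token sidesteps MFA, as an added example (not code from the report, from Umbrij, or from Google): an offline model of the OAuth 2.0 refresh-token grant in which the password and second factor are checked once, at interactive login, and every later access token is minted on possession of the refresh token alone. The server, client ID, token formats and timestamps are constructed stand-ins; only the Gmail scope string is real. The simulation also shows the lifecycle point that matters for the mitigations later on this page: a one-hour access-token lifetime only makes the attacker refresh again, while revoking the refresh token ends the access.

```python
"""Offline model of the OAuth 2.0 refresh-token grant (RFC 6749, section 6).

Added illustration, not code from the original report, from Umbrij, or from
Google. The server, client ID, token formats and timestamps are constructed
stand-ins; nothing here contacts a real endpoint."""
import secrets

ACCESS_TOKEN_TTL = 3600  # seconds; Google-issued access tokens live about an hour
GMAIL_SCOPE = "https://www.googleapis.com/auth/gmail.readonly"  # real scope name


class AuthorizationServer:
    """Checks password and MFA once, at interactive login, and afterwards mints
    short-lived access tokens for whoever presents the refresh token."""

    def __init__(self):
        self.refresh_tokens = {}  # refresh_token -> {user, client_id, scope, revoked}
        self.access_tokens = {}   # access_token  -> {parent refresh token, expires_at}

    def interactive_login(self, user, client_id, scope, password_ok, mfa_ok):
        # The only place the password and the second factor are ever evaluated.
        if not (password_ok and mfa_ok):
            raise PermissionError("authentication failed")
        rt = "1//" + secrets.token_urlsafe(24)  # constructed format
        self.refresh_tokens[rt] = {"user": user, "client_id": client_id,
                                   "scope": scope, "revoked": False}
        return rt

    def token_endpoint(self, params, now):
        """POST /token with grant_type=refresh_token. Note what is not checked:
        no password, no MFA, no device posture; only possession of the refresh
        token and a matching client_id (client_secret omitted for brevity)."""
        if params.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        rec = self.refresh_tokens.get(params.get("refresh_token"))
        if rec is None or rec["revoked"] or rec["client_id"] != params.get("client_id"):
            return {"error": "invalid_grant"}
        at = "ya29." + secrets.token_urlsafe(32)  # constructed format
        self.access_tokens[at] = {"parent": params["refresh_token"],
                                  "expires_at": now + ACCESS_TOKEN_TTL}
        return {"access_token": at, "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "scope": rec["scope"]}

    def revoke(self, refresh_token):
        """Revocation by the user or an admin. Modelled here (an assumption of
        this model) as invalidating the refresh token and every access token
        minted from it."""
        if refresh_token in self.refresh_tokens:
            self.refresh_tokens[refresh_token]["revoked"] = True

    def gmail_messages_list(self, bearer, now):
        """Resource-server check for a Gmail read call; returns an HTTP status."""
        at = self.access_tokens.get(bearer)
        if at is None or now >= at["expires_at"]:
            return 401
        parent = self.refresh_tokens[at["parent"]]
        if parent["revoked"]:
            return 401
        if GMAIL_SCOPE not in parent["scope"].split():
            return 403
        return 200


def simulate():
    """Victim logs in once; an attacker holding a copy of the refresh token
    reads mail until that refresh token is revoked. Returns each outcome."""
    srv = AuthorizationServer()
    client_id = "123456789012-mailclient.apps.googleusercontent.com"  # constructed
    t0 = 1_700_000_000
    # 1. Legitimate login: password and MFA are satisfied here and never again.
    rt = srv.interactive_login("alice@corp.example", client_id, GMAIL_SCOPE,
                               password_ok=True, mfa_ok=True)
    # 2. Attacker replays the refresh token copied from the victim host.
    grant = {"grant_type": "refresh_token", "client_id": client_id, "refresh_token": rt}
    first = srv.token_endpoint(grant, t0)
    read_now = srv.gmail_messages_list(first["access_token"], t0)
    # 3. A short access-token lifetime on its own changes little: once the
    #    token expires the attacker simply refreshes again.
    t1 = t0 + ACCESS_TOKEN_TTL
    read_after_expiry = srv.gmail_messages_list(first["access_token"], t1)
    second = srv.token_endpoint(grant, t1)
    read_refreshed = srv.gmail_messages_list(second["access_token"], t1)
    # 4. Revoking the refresh token is what actually ends the access.
    srv.revoke(rt)
    read_after_revoke = srv.gmail_messages_list(second["access_token"], t1 + 1)
    refresh_after_revoke = srv.token_endpoint(grant, t1 + 1)
    return {"read_now": read_now, "read_after_expiry": read_after_expiry,
            "read_refreshed": read_refreshed, "read_after_revoke": read_after_revoke,
            "refresh_after_revoke": refresh_after_revoke.get("error")}


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` returns 200 for the first read, 401 once the access token expires, 200 again after the attacker refreshes, and 401 plus `invalid_grant` only after the refresh token is revoked. The design choice worth noting is in `token_endpoint`: the refresh grant has no user-interaction step by specification, so any control that relies on the login flow (password policy, MFA, login-time location checks) never sees the replay.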
## Targeting
* **Sectors:** Primarily focused on Government, Defense, and large Corporate entities.
* **Geography:** Europe and Asia (specific countries often include Kazakhstan, Uzbekistan, and other regional neighbors).
* **Victims:** Corporate email systems using Google-based infrastructure.
## Tools & Infrastructure
* **Malware Families:**
* **Umbrij:** The primary tool focused on OAuth exploitation and Google service access.
* **Ninja Trojan:** A sophisticated modular malware used for long-term control.
* **Infrastructure:**
* **C2:** Typically utilizes high-reputation or compromised infrastructure to host command-and-control.
* **Defanged Examples:** hxxps[://]google-api-services[.]com (illustrative of the lookalike-domain naming strategy; treat it as an example of the pattern, not as a confirmed indicator).
## Implications
The discovery of Umbrij indicates a strategic shift by APT actors toward **token-based session hijacking**. As organizations move to MFA, actors like ToddyCat are evolving to steal the "proof of authentication" rather than the password itself. This represents a high-risk threat to corporate confidentiality, particularly for organizations relying heavily on cloud-based email (SaaS).
## Mitigations
* **Token Lifecycle Management:** Implement shorter expiration times for OAuth access tokens and monitor for suspicious token refreshes (refresh requests from unexpected IP addresses or clients). Short access-token lifetimes only narrow the window while the refresh token remains valid, so on suspected compromise revoke the user's refresh tokens, which forces a fresh interactive login with MFA, rather than waiting for expiry.
* **Conditional Access Policies:** Enforce location-based and device-compliance requirements for accessing Google Workspace/Gmail.
* **EDR Monitoring:** Monitor for processes other than the browser itself reading the browser profile directories where tokens and session cookies are cached (e.g., `%LocalAppData%\Google\Chrome\User Data`); the browser process is the expected reader, so access by scripting hosts, archivers or unsigned binaries is the signal.
* **OAuth Scrutiny:** Regularly audit third-party application permissions within corporate Google environments to identify unauthorized "Shadow AI" or rogue app integrations, paying particular attention to grants of mail scopes.
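A way to act on the token-monitoring and app-audit mitigations with the audit data Google Workspace already exposes, added here as an example and not taken from the report. It walks OAuth token audit events in the shape the Admin SDK Reports API returns for `applicationName="token"` (`actor.email`, `ipAddress`, `events[].name`, `events[].parameters[]` with `name`/`value`/`multiValue`); the three records, the client-ID allowlist and the corporate IP range are constructed and hypothetical. Rule 1 flags a grant of a mail scope to a client ID not on the allowlist (a rogue or shadow integration); rule 2 flags Gmail API calls by an approved client from outside corporate ranges when that user's grant was made from inside, which is what replay of a stolen token looks like in these logs.

```python
"""Detection pass over Google Workspace OAuth token audit events.

Added example, not from the original report. The event layout follows the shape
of Admin SDK Reports API activities with applicationName="token", but every
record below is constructed, and the allowlist, corporate IP range and client
IDs are hypothetical."""
import ipaddress

MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
# Hypothetical allowlist of OAuth client IDs the organisation has reviewed.
APPROVED_CLIENT_IDS = {"111111111111-approvedmailclient.apps.googleusercontent.com"}
# Hypothetical corporate egress range (TEST-NET-3).
CORP_NETS = [ipaddress.ip_network("203.0.113.0/24")]

SAMPLE_EVENTS = [  # constructed records, not real audit data
    {"id": {"time": "2024-05-01T08:00:12Z", "applicationName": "token"},
     "actor": {"email": "alice@corp.example"}, "ipAddress": "203.0.113.10",
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "111111111111-approvedmailclient.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Approved Mail Client"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/gmail.readonly"]}]}]},
    {"id": {"time": "2024-05-01T09:15:40Z", "applicationName": "token"},
     "actor": {"email": "alice@corp.example"}, "ipAddress": "198.51.100.77",
     "events": [{"name": "activity", "parameters": [
         {"name": "client_id", "value": "111111111111-approvedmailclient.apps.googleusercontent.com"},
         {"name": "api_name", "value": "gmail"},
         {"name": "method_name", "value": "gmail.users.messages.list"},
         {"name": "num_response_bytes", "value": 4812}]}]},
    {"id": {"time": "2024-05-01T10:02:05Z", "applicationName": "token"},
     "actor": {"email": "bob@corp.example"}, "ipAddress": "203.0.113.22",
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "999999999999-notetaker.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Free Meeting Notes"},
         {"name": "scope", "multiValue": ["https://mail.google.com/",
                                         "https://www.googleapis.com/auth/calendar.readonly"]}]}]},
]


def params(event):
    """Flatten an event's parameters list into a dict (multiValue kept as a list)."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}


def scopes_of(p):
    """Scopes may arrive as a multiValue list or a single space-separated string."""
    raw = p.get("scope") or []
    return set(raw.split()) if isinstance(raw, str) else set(raw)


def in_corp_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def analyze(activities):
    """Return one finding per suspicious event, in time order."""
    findings = []
    grant_ips = {}  # (user, client_id) -> IP that performed the authorize
    for act in sorted(activities, key=lambda a: a["id"]["time"]):
        user, ip = act["actor"]["email"], act["ipAddress"]
        for ev in act["events"]:
            p = params(ev)
            cid = p.get("client_id")
            if ev["name"] == "authorize":
                grant_ips[(user, cid)] = ip
                # Rule 1: mail scope granted to a client nobody has reviewed.
                if cid not in APPROVED_CLIENT_IDS and MAIL_SCOPES & scopes_of(p):
                    findings.append({"rule": "unapproved_mail_scope_grant", "user": user,
                                     "client_id": cid, "app": p.get("app_name"), "ip": ip})
            elif ev["name"] == "activity" and p.get("api_name") == "gmail":
                # Rule 2: the grant came from inside, the mail reads come from outside.
                origin = grant_ips.get((user, cid))
                if origin and in_corp_net(origin) and not in_corp_net(ip):
                    findings.append({"rule": "mail_api_use_from_new_network", "user": user,
                                     "client_id": cid, "grant_ip": origin, "ip": ip,
                                     "method": p.get("method_name")})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Against the constructed records the pass yields two findings: alice's approved client reading Gmail from 198.51.100.77 after a grant from the corporate range, and bob's grant of `https://mail.google.com/` to an unreviewed client. In production, feed `analyze()` the `items` returned by `service.activities().list(userKey="all", applicationName="token").execute()` from the Reports API (via `google-api-python-client`), populate the allowlist from the apps already reviewed in the Admin console, and extend rule 2 with whatever egress ranges or device identifiers your conditional-access policy already relies on.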