The latest version of the Lumma infostealer malware has a rather interesting feature: it can restore expired Google session cookies, which can then be used to access the victim’s Google account.
The findings come from cybersecurity researchers at Hudson Rock, who have warned that this could spell disaster, even for organizations that follow cybersecurity best practices.
The team discovered an advertisement for the feature posted on a dark web forum stating that the version released on November 14 “can recover dead cookies using a key from recovery files.” The advertisement further emphasizes that this only applies to Google cookies.
Fixing the bugs (silently)
Hackers who want this version of the infostealer should prepare to pay $1,000, the price of a one-month subscription.
Lumma’s developers further explained that each session cookie cannot be used more than twice, meaning it can only be recovered once. As BleepingComputer notes, however, a single restored session is more than enough to launch a devastating attack on an organization.
Google has not commented on the findings so far, but is hopefully working in the background to resolve the problem.
A few days after the company was tipped off, Lumma released a new version that bypasses Google’s “newly introduced” restrictions, so it is safe to assume there is a bit of a back and forth between Google and Lumma at the moment.
To make matters worse, it appears that Lumma isn’t the only infostealer with cookie recovery capabilities either. Rhadamanthys recently announced a similar feature, prompting media to speculate that hackers may have found a security vulnerability. However, Lumma’s developers disagreed, as they said in a conversation with BleepingComputer that Rhadamanthys had blatantly copied their design.
At this point, it is difficult to determine whether the feature even works as advertised. Since the advertised recovery relies on key material pulled from files on the infected machine, the practical defense remains keeping the infostealer off the endpoint in the first place: only download programs and applications from verified sources, and treat the Google sessions of any machine that does get infected as compromised.