Extracting the refresh token
Tudorica’s scenario begins like most malware attacks, with a spear-phishing email sent to an employee of a targeted organization and impersonating a business partner for added credibility. The email carries a malicious attachment which, if executed, deploys a malware implant that gives the attacker remote access to the Windows machine with the privileges of the employee’s local account.
If GCPW is deployed on the system, the attacker can then set out to extract the refresh token associated with the employee’s Google account. This is a special OAuth token generated by Google’s servers following a successful authentication; it preserves the user’s active session for a limited time, removing the need to re-authenticate when accessing a Google Workspace service.
GCPW stores the refresh token in two locations: temporarily in the system registry and later in the user’s profile in the Google Chrome browser. The token is stored in encrypted form in both cases, but its decryption is trivial with a tool like Mimikatz or by calling the Windows CryptUnprotectData API from the same user and machine that was used to encrypt it. In other words, this encryption is only meant to protect the token if it is copied and transferred to another machine.
Extracting the token from the system registry is stealthier than from inside the browser profile because security products typically flag attempts by external processes to read browser data as suspicious. The downside is that the token is only briefly available in the registry before being moved to the browser, but this can be overcome by modifying another value called ‘the token handle’ that is stored by GCPW inside the registry. If this value is modified, GCPW will think the session is invalid and will force the user to re-authenticate, placing a new refresh token temporarily in the registry.
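A defender-side check for the forced re-authentication trick described above, as an added example that is not part of the original article: it scans Sysmon registry events (IDs 12 and 13) for writes or deletes of the GCPW token handle by any process other than GCPW itself. The registry key path, the value name, the GCPW binary path and the sample records are constructed placeholders, not values taken from the article.

```python
import re

# Sysmon registry event IDs: 12 = key or value create/delete, 13 = value set.
REGISTRY_EVENT_IDS = {12, 13}

# PLACEHOLDER: the article only says GCPW keeps 'the token handle' in the
# registry; put your deployment's real key path and value name here.
TOKEN_HANDLE_RE = re.compile(r"\\GCPW\\.*\\token_handle$", re.IGNORECASE)

# ASSUMPTION: only GCPW's own binary is expected to write that value; the
# path is an illustrative placeholder, not a known install path.
EXPECTED_WRITERS = {r"c:\program files\google\<gcpw-binary>.exe"}


def flag_token_handle_writes(events):
    """Return one alert per registry write/delete of the token handle that
    was not performed by an expected GCPW process."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in REGISTRY_EVENT_IDS:
            continue
        if not TOKEN_HANDLE_RE.search(ev.get("TargetObject", "")):
            continue
        if ev.get("Image", "").lower() in EXPECTED_WRITERS:
            continue  # GCPW refreshing its own state is expected
        alerts.append({
            "user": ev.get("User"), "image": ev.get("Image"),
            "event": ev.get("EventType"),
            "reason": "token handle changed outside GCPW; expect a forced "
                      "re-authentication and a fresh refresh token in the registry",
        })
    return alerts


# Constructed sample records in the shape of a Sysmon JSON export.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Program Files\Google\<gcpw-binary>.exe",
     "TargetObject": r"HKLM\SOFTWARE\GCPW\Users\S-1-5-21-1\token_handle"},
    {"EventID": 13, "EventType": "SetValue", "User": r"CORP\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetObject": r"HKLM\SOFTWARE\GCPW\Users\S-1-5-21-1\token_handle"},
    {"EventID": 12, "EventType": "DeleteValue", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\GCPW\Users\S-1-5-21-1\token_handle"},
    {"EventID": 13, "EventType": "SetValue", "User": r"CORP\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Other\unrelated_value"},
]
ALERTS = flag_token_handle_writes(SAMPLE_EVENTS)  # two alerts: svc.exe, reg.exe
```

Pair the alert with Windows registry auditing (Event ID 4657) on the same key if Sysmon is not deployed; the matching logic is the same.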
The refresh token can be used through Google’s OAuth API to request access tokens for various Google services in the user’s name, providing the attacker with access to data stored in those services and their various functionalities. This kind of API access does not require multi-factor authentication (MFA) even when the account has it enabled, because the refresh token is issued after a successful authentication is already completed, which includes the MFA step.
Depending on the user’s privileges in the Google Workspace environment, the attacker can access their Google Calendar, Google Drive, Google Sheets, Google Tasks, some information about their email address and user profile, their Google Cloud Storage and Google Cloud Search, data stored in Google Classroom and more. If the employee happens to be a Workspace administrator, they will also gain access to user provisioning in the Google Directory and the Vault API, an eDiscovery and data retention tool that allows the exporting of all emails and files for all users within an organization. And if device management is enabled, an admin account can also be used to abuse its features.