Campaign abuses Google's ecosystem to steal credentials and take control of corporate accounts


A recent report from the intelligence firm CTM360 reveals an active campaign that takes advantage of Google's ecosystem to spread malware and take control of corporate accounts. According to the analysis published by CTM360, the attackers have created thousands of groups on Google Groups and hundreds of links hosted on Google services to gain the trust of victims and distribute tools designed to steal credentials and maintain persistent access to affected systems. The full report is on the CTM360 site: https://www.ctm360.com/reports/ninja-browser-lumma-infostealer.

Social engineering is the starting point: the operators infiltrate forums and thematic groups where legitimate technical issues are discussed and publish entries that look like useful solutions or downloads, including company names and sector keywords to lend an appearance of authenticity. Within these threads they place disguised links (for example, invitations to "download" tools supposedly specific to an organization) and use URL shorteners or redirects hosted in Docs and Drive to evade filters and hide the final delivery chain.

[Image: illustration generated with AI.]

On Windows computers the download leads to a password-protected compressed file. On decompression, the sheer size of the file is what defeats detection engines: the container can expand to almost one gigabyte, but the malicious component occupies only a fraction of it (according to CTM360, about 33 MB), while the rest is filled with null bytes to hamper static scanning. When executed, the installer reassembles fragmented binaries and launches a component compiled with AutoIt that decrypts a payload in memory. The observed behavior matches that of the commercial infostealer known as Lumma, which targets browser credentials and session cookies, runs shell commands and exfiltrates data using HTTP POST requests to command-and-control servers identified by the researchers. CTM360 provides indicators such as associated domains and hashes that allow this infrastructure to be detected and blocked.
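The padding trick above leaves a measurable footprint that a triage script can catch before any sandbox run. The following Python is an added example written for this article, not code from CTM360 or the report; it builds a scaled-down constructed stand-in for the dropper (33 KB of pseudo-random "binary" followed by null filler, inside a 1 MB file, in place of the reported ~33 MB in ~1 GB) and applies two checks: the expansion ratio of each archive entry, read from the ZIP central directory, and the proportion of null bytes in the expanded file. The 20x and 90% thresholds are assumptions chosen to match the sizes the report gives, not values from the page.

```python
"""Triage heuristics for a null-padded dropper delivered as a password-protected ZIP."""
import io
import random
import zipfile

NULL_RATIO_THRESHOLD = 0.90       # assumption: a file that is >90% 0x00 bytes is padded
COMPRESSION_RATIO_THRESHOLD = 20  # assumption: ~1 GB from ~33 MB of real data gives ratios near 30


def null_byte_ratio(data: bytes) -> float:
    """Fraction of 0x00 bytes in the buffer (bytes.count runs in C, so large files are fine)."""
    return data.count(b"\x00") / len(data) if data else 0.0


def strip_null_padding(data: bytes) -> bytes:
    """Return the leading non-filler region so the real component can be hashed and scanned."""
    return data.rstrip(b"\x00")


def inspect_zip_entries(zip_bytes: bytes) -> list:
    """Size checks from the central directory. Compressed and uncompressed sizes are stored
    in the clear even for password-protected entries, so this works without the password
    and without expanding a gigabyte of filler onto disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / info.compress_size if info.compress_size else float("inf")
            findings.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & 0x1),   # general-purpose bit 0 = encrypted
                "uncompressed_size": info.file_size,
                "compressed_size": info.compress_size,
                "expansion_ratio": ratio,
                "suspicious": ratio >= COMPRESSION_RATIO_THRESHOLD,
            })
    return findings


def analyze_extracted_file(data: bytes) -> dict:
    """Second-stage check on the expanded file: how much of it is filler, and how big is the
    real payload once the trailing nulls are removed."""
    ratio = null_byte_ratio(data)
    payload = strip_null_padding(data)
    return {
        "total_size": len(data),
        "null_ratio": ratio,
        "payload_size": len(payload),
        "padded": ratio >= NULL_RATIO_THRESHOLD,
    }


def build_constructed_sample(payload_size: int = 33 * 1024, total_size: int = 1024 * 1024):
    """Constructed sample (not a real dropper): pseudo-random bytes standing in for the
    malicious component, then null filler up to total_size, packed into a deflated ZIP."""
    rng = random.Random(20240101)
    payload = rng.randbytes(payload_size - 1) + b"\xff"   # non-null last byte keeps the boundary exact
    blob = payload + b"\x00" * (total_size - payload_size)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("installer.exe", blob)
    return blob, buf.getvalue()


if __name__ == "__main__":
    blob, zip_bytes = build_constructed_sample()
    for entry in inspect_zip_entries(zip_bytes):
        print(entry)
    print(analyze_extracted_file(blob))
```

The archive check is the cheap one to put in a mail or download gateway: a password-protected ZIP whose single entry expands twenty or thirty times is worth holding regardless of what the password hides. The null-ratio check belongs in the sandbox stage, where stripping the filler also yields a payload small enough to hash and compare against the indicators CTM360 publishes.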

For Linux users the trap takes a different form: instead of a heavily padded ZIP, victims are directed to install a modified Chromium browser under the brand "Ninja Browser." At first sight it promises privacy and anonymity, but in the background it bundles malicious extensions that are installed without the user's consent, plus hidden mechanisms to maintain the attacker's presence on the system. One of these extensions, analyzed by CTM360, acts as a tracking and control agent: it assigns unique identifiers to users, injects scripts into web sessions, manages tabs and cookies, and downloads remote content using heavily obfuscated JavaScript.

The researchers also found scheduled tasks that contact attacker-controlled servers daily, silent update procedures and redirections to suspicious search engines, suggesting an architecture designed for future developments of the attack. The domains linked to the project include variants related to "ninja-browser," and CTM360 also lists IP addresses and a C2 domain (e.g., healgeni[.]live) that allow security teams to block and track the malicious activity.

This type of campaign fits a trend that multiple actors in the security sector have already documented: abusing legitimate platforms and cloud services to distribute malicious code reduces friction and exploits the trust that users and filters place in them. From phishing with documents hosted on Google Drive to payloads hosted on legitimate file-sharing services, the use of "trusted" infrastructure complicates traditional detection; it is a pattern observed in previous incidents that security analysts have been warning about for years, as reflected in specialized press reports and technical analyses of cloud-service abuse (see, for example, the general coverage of this type of attack published by KrebsOnSecurity).

From a technical point of view, the techniques used by the operators (padding binaries to hinder analysis, runtime reconstruction with AutoIt and in-memory payloads) are not new in themselves, but combining them with the credibility that comes from hosting components on reputable domains and services makes them effective. Security companies such as ESET have documented how AutoIt and other scripting languages are abused to pack and execute malicious payloads, so response teams should watch for behavioral indicators rather than static signatures: WeLiveSecurity / ESET provides useful explanations of these techniques.

The consequences for organizations can be serious: the theft of credentials and session tokens facilitates account hijacking, financial fraud and lateral movement within corporate networks, while covertly installed components can serve as backdoors for future operations. This is why security teams should combine technical measures with training: review redirection chains (especially those passing through Docs / Drive), block indicators of compromise at the firewall and EDR level, audit browser extensions and monitor the creation of scheduled tasks or unusual processes on endpoints. CTM360 suggests a similar set of actions and publishes IoCs that can be incorporated into detection rules; the report is available at: CTM360 - Ninja Browser & Lumma Infostealer.
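One of the recommended actions, auditing browser extensions, can be partly automated from the extension manifests alone. The Python below is an added example written for this article, not code from CTM360 and not derived from the Ninja Browser extension; it scores a Chromium extension manifest by the combination the report describes as dangerous (cookie and tab access, script injection, broad host access) and walks a directory of unpacked extensions to apply the same scoring. The two embedded manifests are constructed samples, and the point values and the review threshold are assumptions chosen for illustration.

```python
"""Score Chromium extension manifests for the cookie/tab/script-injection combination."""
import json
import os

# Permissions that, combined with broad host access, let an extension read session cookies,
# inject scripts into tabs and behave as a remote-control agent. (Assumed risk list.)
HIGH_RISK_PERMISSIONS = {
    "cookies", "tabs", "scripting", "webRequest", "webRequestBlocking",
    "webNavigation", "declarativeNetRequest", "management", "nativeMessaging", "proxy",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
REVIEW_THRESHOLD = 4  # assumption: scores at or above this go to a human reviewer


def audit_manifest(manifest: dict) -> dict:
    """Score one manifest and list the reasons behind the score."""
    perms = set(manifest.get("permissions", []))
    # Manifest V3 keeps host patterns in host_permissions; V2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    content_matches = set()
    for script in manifest.get("content_scripts", []):
        content_matches.update(script.get("matches", []))

    score, reasons = 0, []
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        score += len(risky)
        reasons.append("high-risk permissions: " + ", ".join(risky))
    if hosts & BROAD_HOST_PATTERNS:
        score += 2
        reasons.append("host access to every site")
    if content_matches & BROAD_HOST_PATTERNS:
        score += 2
        reasons.append("content scripts injected into every page")
    if "cookies" in perms and hosts & BROAD_HOST_PATTERNS:
        score += 2
        reasons.append("can read session cookies for any domain")
    return {
        "name": manifest.get("name", "<unnamed>"),
        "score": score,
        "reasons": reasons,
        "verdict": "review" if score >= REVIEW_THRESHOLD else "ok",
    }


def audit_extension_tree(root: str) -> list:
    """Audit every manifest.json found under root (e.g. a profile's Extensions directory,
    where each extension sits in <id>/<version>/manifest.json)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" in files:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                result = audit_manifest(json.load(fh))
            result["path"] = dirpath
            results.append(result)
    return results


# Constructed sample manifests for the demonstration (not real extensions).
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Tab Counter (constructed)",
    "version": "1.0",
    "permissions": ["storage"],
}

SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Privacy Helper (constructed)",
    "version": "1.0",
    "permissions": ["cookies", "tabs", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        print(json.dumps(audit_manifest(manifest), indent=2))
```

Run `audit_extension_tree()` against the extensions directory of each managed browser profile and diff the results over time: an extension that is not in the organization's allow-list and lands in the "review" bucket is exactly the kind of silently installed component the report describes. The manifest check is a filter, not a verdict; an extension that passes it can still fetch obfuscated code at runtime, which is why the behavioral monitoring recommended above remains necessary.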


To place these recommendations in the context of more general good practice, identity and access managers should review guidance on credential protection and the detection of account abuse, such as the technical identity-protection documentation provided by Microsoft, and apply risk-based access controls and multifactor authentication wherever possible. Microsoft's guidelines on defending against credential theft and managing identities are a good starting point: Microsoft - Identity Protection. In addition, users should receive practical training to recognize signs of fraud in public forums and to avoid installing software from unverified sources; awareness materials and phishing exercises help reduce the likelihood of this type of lure succeeding.

At the operational level, incorporating external threat monitoring that watches third-party forums, pages and hosting services is increasingly necessary. Tools that detect changes in brand-related domains, the appearance of suspicious downloads or the use of legitimate services to redirect malicious traffic provide early visibility. CTM360, together with other intelligence providers, maintains up-to-date lists of domains, IPs and hashes associated with the attack; its report includes data that can be integrated into blocking solutions and incident response processes.

The campaign described by CTM360, which combines a commercial infostealer with a trojanized browser and strategic use of trusted services, is a reminder that modern security requires attention to both technique and the human factor. Maintaining communication channels with security providers, distributing indicators of compromise quickly and strengthening users' digital hygiene are actions that reduce the impact of such attacks. For those who want to dig deeper into the findings and make use of the IoCs provided by the researchers, the original report is available on the CTM360 website: https://www.ctm360.com/reports/ninja-browser-lumma-infostealer.
