A malware marketing campaign makes use of the weird technique of locking customers of their browser’s kiosk mode to bother them into coming into their Google credentials, that are then stolen by information-stealing malware.
Particularly, the malware “locks” the consumer’s browser on Google’s login web page with no apparent solution to shut the window, because the malware additionally blocks the “ESC” and “F11” keyboard keys. The purpose is to frustrate the consumer sufficient that they enter and save their Google credentials within the browser to “unlock” the pc.
As soon as credentials are saved, the StealC information-stealing malware steals them from the credential retailer and sends them again to the attacker.
Kiosk mode theft
In line with OALABS researchers who uncovered this peculiar assault technique, it has been used within the wild since at the least August 22, 2024, primarily by Amadey, a malware loader, info-stealer, and system reconnaissance software first deployed by hackers in 2018.
When launched, Amadey will deploy an AutoIt script that acts because the credentials flusher, which scans the contaminated machine for obtainable browsers and launches one in kiosk mode to a specified URL.
Supply: OALABS
The script additionally units an ignore parameter for the F11 and Escape keys on the sufferer’s browser, stopping a simple escape from the kiosk mode.
Supply: OALABS
Kiosk mode is a particular configuration utilized in net browsers or apps to run in full-screen mode with out the usual consumer interface components like toolbars, tackle bars, or navigation buttons. It is designed to restrict consumer interplay to particular capabilities, making it supreme for public kiosks, demonstration terminals, and so on.
On this Amadey assault, although, kiosk mode is abused to limit consumer actions and restrict them to the login web page, with the one obvious alternative being to enter their account credentials.
For this assault, the kiosk mode might be opened to https://accounts.google.com/ServiceLogin?service=accountsettings&proceed=https://myaccount.google.com/signinoptions/password, which corresponds to the change password URL for Google accounts.
As Google requires you to reenter your password earlier than it may be modified, it offers a chance for the consumer to reauthenticate and probably save their password within the browser when prompted.
Supply: OALABS
Any credentials the sufferer enters on the web page after which saves to the browser when prompted are stolen by StealC, a light-weight and versatile data stealer launched in early 2023.
Exiting the kiosk mode
Customers who discover themselves within the unlucky scenario of getting locked in kiosk mode, with Esc and F11 not doing something, ought to preserve their frustration in examine and keep away from coming into any delicate data on varieties.
As a substitute, attempt different hotkey combos like ‘Alt + F4’, ‘Ctrl + Shift + Esc’, ‘Ctrl + Alt +Delete’, and ‘Alt +Tab.’
These might assist deliver the desktop on the foreground, cycle by means of open apps, and launch the Process Supervisor to terminate the browser (Finish Process).
Urgent ‘Win Key + R’ ought to open the Home windows command immediate. Sort ‘cmd’ after which kill Chrome with ‘taskkill /IM chrome.exe /F.’
If all else fails, you’ll be able to at all times carry out a tough reset by holding the Energy button till the pc shuts down. This may occasionally end in dropping unsaved work, however this situation ought to nonetheless be higher than having account credentials stolen.
When rebooting, press F8, choose Protected Mode, and when you’re again on the OS, run a full antivirus scan to find and take away the malware. Spontaneous kiosk mode browser launches are usually not regular and should not be ignored.