A malware marketing campaign makes use of the weird methodology of locking customers of their browser’s kiosk mode to harass them into getting into their Google credentials, that are then stolen by information-stealing malware.
Particularly, the malware “locks” the consumer’s browser on Google’s login web page with no apparent solution to shut the window, because the malware additionally blocks the “ESC” and “F11” keyboard keys. The purpose is to frustrate the consumer sufficient that they enter and save their Google credentials within the browser to “unlock” the pc.
As soon as credentials are saved, the StealC information-stealing malware steals them from the credential retailer and sends them again to the attacker.
Kiosk mode theft
In accordance with OALABS researchers who uncovered this peculiar assault methodology, it has been used within the wild since at the least August 22, 2024, primarily by Amadey, a malware loader, info-stealer, and system reconnaissance instrument first deployed by hackers in 2018.
When launched, Amadey will deploy an AutoIt script that acts because the credentials flusher, which scans the contaminated machine for out there browsers and launches one in kiosk mode to a specified URL.
The script additionally units an ignore parameter for the F11 and Escape keys on the sufferer’s browser, stopping a simple escape from the kiosk mode.
Kiosk mode is a particular configuration utilized in net browsers or apps to run in full-screen mode with out the usual consumer interface components like toolbars, deal with bars, or navigation buttons. It is designed to restrict consumer interplay to particular capabilities, making it best for public kiosks, demonstration terminals, and many others.
On this Amadey assault, although, kiosk mode is abused to limit consumer actions and restrict them to the login web page, with the one obvious alternative being to enter their account credentials.
For this assault, the kiosk mode will likely be opened to https://accounts.google.com/ServiceLogin?service=accountsettings&proceed=https://myaccount.google.com/signinoptions/password, which corresponds to the change password URL for Google accounts.
As Google requires you to reenter your password earlier than it may be modified, it gives a chance for the consumer to reauthenticate and doubtlessly save their password within the browser when prompted.
Any credentials the sufferer enters on the web page after which saves to the browser when prompted are stolen by StealC, a light-weight and versatile data stealer launched in early 2023.
Exiting the kiosk mode
Customers who discover themselves within the unlucky scenario of getting locked in kiosk mode, with Esc and F11 not doing something, ought to preserve their frustration in examine and keep away from getting into any delicate data on varieties.
As an alternative, strive different hotkey combos like ‘Alt + F4’, ‘Ctrl + Shift + Esc’, ‘Ctrl + Alt +Delete’, and ‘Alt +Tab.’
These might assist carry the desktop on the foreground, cycle by way of open apps, and launch the Activity Supervisor to terminate the browser (Finish Activity).
Urgent ‘Win Key + R’ ought to open the Home windows command immediate. Sort ‘cmd’ after which kill Chrome with ‘taskkill /IM chrome.exe /F.’
If all else fails, you may all the time carry out a tough reset by holding the Energy button till the pc shuts down. This may occasionally end in shedding unsaved work, however this situation ought to nonetheless be higher than having account credentials stolen.
When rebooting, press F8, choose Protected Mode, and when you’re again on the OS, run a full antivirus scan to find and take away the malware. Spontaneous kiosk mode browser launches will not be regular and should not be ignored.