Malware Steals People's Google Credentials By Locking Chrome In Kiosk Mode To Create Frustration


Google, as one of the biggest entities the web has ever seen, is pretty much at the center of people's lives.

A Google account can hold the data needed to sign in to third-party websites and apps, access to Gmail, and every other privacy treasure stored behind it, which can cover pretty much everything users do on their phones, if they have an Android, as well as their online activities.

It may also hold a crypto-wallet passphrase, and plenty more in between.

This is why a Google account can unlock so many things, and this is why hackers are trying to get their hands on them.

And here, research has revealed how threat actors are using a devious technique to force Google Chrome users into revealing their Google account passwords out of nothing more than sheer frustration.

In a credential-stealing campaign, hackers use a malware called 'StealC.'

In a report, researchers from OALabs have documented a novel way hackers extract Google credentials from people: by making the victims type in the credentials themselves, out of frustration.

The method involves launching Amadey, a malware loader, info-stealer, and system reconnaissance tool first deployed by hackers in 2018.

When launched, Amadey deploys an AutoIt script that acts as the credential flusher. It scans the infected machine for available browsers and launches one of them in kiosk mode, pointed at a specified URL.

In this case, the campaign is locking people's web browser in kiosk mode, while blocking both the F11 and ESC keys to prevent them from escaping out of this full-screen mode.

Kiosk mode on a computer is a specialized setting that locks the system into running a single application or a limited set of functions, restricting users from accessing the desktop, system settings, or other programs. It's commonly used in public-facing devices like self-service kiosks, information terminals, and digital signage.

In kiosk mode, users are confined to a specific interface, ensuring they can't tamper with the machine or use it for anything outside its intended purpose.

And here, the kiosk mode people are seeing displays only the browser, showing a login window where users can sign in to their Google account.

In their analysis, the OALabs researchers confirmed that the hackers force the victim into entering their credentials into the browser from where the malware can then steal them.

"The technique involves launching the victim's browser in kiosk mode and navigating to the login page of the targeted service, usually Google," the researchers said.

[Image: Forcing an unescapable kiosk mode on Microsoft Windows machines, to create frustration.]

In order for this attack to work, the kiosk mode opens a specific URL from Google, which corresponds to the change password URL for Google accounts.

As Google requires users to reenter their password before it can be changed, it provides an opportunity for the malicious actors to have people reauthenticate and potentially save their password in the browser when prompted.

The method of attack is initiating a credential flusher, which applies the necessary leverage to frustrate people and makes them enter their account credentials into the trap themselves.

Once they have done that, StealC acts as the credential-stealing malware: it grabs the passwords from the Chrome browser's credential store and delivers them to the attackers.

Users who find themselves in the unfortunate situation of getting locked in kiosk mode, should keep their frustration in check and avoid entering any sensitive information on the provided forms.

This is because spontaneous kiosk mode browser launches are definitely not normal and shouldn't be ignored.
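The "spontaneous kiosk mode launches are not normal" point above is something a defender can turn into a detection. The following Python script is an added example, not code from the original article nor from OALabs: it scans a process snapshot for browsers started in kiosk mode, and raises the severity when the launch points at an account-login host and the parent process is not the desktop shell, which is the shape of a launch driven by a dropped AutoIt script rather than by the user. The snapshot is constructed inline (on a Windows host the same four fields come from Win32_Process: ProcessId, ParentProcessId, Name, CommandLine); the login-host list, the file paths and the change-password path are assumptions for the example.

```python
"""Flag browser processes launched in kiosk mode onto an account-login page.

Added example for the credential-flusher technique described in the article.
Everything below runs offline on a constructed process snapshot.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Browser binaries a credential flusher might pick (assumed list).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Hosts where a forced, unescapable login prompt would harvest credentials (assumed list).
LOGIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com", "login.live.com"}
# Parents that normally start a browser: the shell, or the browser itself spawning a child.
EXPECTED_PARENTS = {"explorer.exe"} | BROWSERS


@dataclass
class Proc:
    """One row of a process snapshot (Win32_Process field equivalents)."""
    pid: int
    ppid: int
    name: str
    cmdline: str


def kiosk_url(cmdline: str):
    """Return the URL a kiosk-mode launch opens, or None if this is not a kiosk launch.

    Handles Chromium's --kiosk and Firefox's -kiosk; quoted paths stay whole.
    """
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    kiosk, url = False, None
    for tok in tokens[1:]:  # tokens[0] is the executable path
        tok = tok.strip('"')
        if tok.startswith("-") and tok.lstrip("-").lower() == "kiosk":
            kiosk = True
        elif tok.lower().startswith(("http://", "https://")):
            url = tok
    return url if kiosk else None


def assess(procs):
    """Return findings for kiosk-mode browser launches, most suspicious ones marked high."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.name.lower() not in BROWSERS:
            continue
        url = kiosk_url(p.cmdline)
        if url is None:
            continue
        host = (urlsplit(url).hostname or "").lower()
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<unknown>"
        reasons = ["kiosk-mode launch"]
        if host in LOGIN_HOSTS:
            reasons.append(f"opens login host {host}")
        if parent_name not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent_name}")
        # A kiosk launch on its own is legitimate on signage terminals; all three signals
        # together match the credential-flusher pattern.
        severity = "high" if len(reasons) == 3 else "medium"
        findings.append({"pid": p.pid, "parent": parent_name, "url": url,
                         "reasons": reasons, "severity": severity})
    return findings


def containment_command(finding):
    """Kill just the flagged browser instance (same tool the article suggests, by PID)."""
    return f"taskkill /PID {finding['pid']} /F"


# Constructed snapshot: a normal browser session, a legitimate signage kiosk started by the
# shell, and a kiosk launch spawned by an AutoIt interpreter (file names are made up).
CHROME = '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"'
EDGE = '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"'
SAMPLE = [
    Proc(1200, 800, "explorer.exe", "C:\\Windows\\explorer.exe"),
    Proc(4100, 1200, "chrome.exe", f"{CHROME} https://www.example.com/"),
    Proc(4200, 1200, "msedge.exe", f"{EDGE} --kiosk https://signage.example.com/board"),
    Proc(5300, 1200, "AutoIt3.exe", '"C:\\Users\\victim\\AppData\\Local\\Temp\\AutoIt3.exe" flush.a3x'),
    Proc(5310, 5300, "chrome.exe",
         f"{CHROME} --kiosk https://accounts.google.com/example-change-password-path"),
]

if __name__ == "__main__":
    for f in assess(SAMPLE):
        print(f["severity"].upper(), f["pid"], f["url"], "; ".join(f["reasons"]))
        if f["severity"] == "high":
            print("  containment:", containment_command(f))
```

On a live host the snapshot would be filled from process telemetry (EDR events or a Win32_Process query) and the high-severity finding is the one worth paging on: the medium case shows that kiosk mode by itself is a normal feature, so the parent process and the destination host are what separate digital signage from a credential flusher.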

[Image: Amadey, at work.]

To escape the trap, people can try hotkey combos, like Alt + F4, Ctrl + Shift + Esc, Ctrl + Alt + Delete, and Alt + Tab.

Those may help bring the desktop to the foreground, let users cycle through open apps, or launch the Task Manager to terminate the browser.

People can also press the Windows key + R, run 'cmd', and then kill Chrome with taskkill /IM chrome.exe /F.

If all else fails, people can always perform a hard reset by holding the power button until the computer shuts down.

While this may result in losing unsaved work, that is still better than having account credentials stolen.

When rebooting, press F8 to go to Safe Mode, and once back in Microsoft Windows, users can run a full antivirus scan to locate and remove the malware.

As a security measure, people are always urged to use a multi-factor authentication method to add another security layer on top of their existing username-password combination.

Published: 19/09/2024