A new malware campaign has emerged, utilizing an unusual and frustrating method to steal user credentials. The malware locks the user’s browser in kiosk mode, a configuration that forces the browser to run in full-screen without the typical interface elements, like address bars or navigation buttons. This technique is specifically designed to lock users onto a Google login page, with no apparent way to close the window. Keyboard shortcuts, such as the “Esc” and “F11” keys, are disabled to prevent users from exiting the full-screen mode, thereby trapping them on the page and encouraging them to input their Google credentials to “unlock” the computer.
The browser remains locked on a URL prompting users to change their Google account password, a process that requires them to reenter their current password. The malware leverages this prompt as a tactic, hoping that users will save their credentials to the browser in an attempt to gain access. Once the credentials are entered and stored in the browser, the StealC information-stealing malware retrieves the saved details, sending them back to the attackers, thereby compromising the user’s Google account and potentially other connected services.
Researchers from OALABS have identified this attack method as part of a wider campaign, which has been observed in the wild since August 2024. This attack is primarily linked to Amadey, a malware loader and reconnaissance tool that has been in circulation since 2018. The Amadey malware deploys an AutoIt script that scans infected machines for available browsers and forces them into kiosk mode to direct the user to a specific Google login URL. This abuse of kiosk mode, typically used in public kiosks to limit user interactions, is now exploited to trick users into entering and saving their Google credentials.
Users who encounter the malicious kiosk mode should remain cautious and avoid entering any sensitive information. Researchers suggest several methods to exit kiosk mode, such as using different keyboard shortcuts, accessing the task manager, or killing the browser through the Windows command prompt. In the worst case, users may need to perform a hard reset, but this may result in losing unsaved work. Once the system is rebooted in Safe Mode, a full antivirus scan is recommended to detect and remove the malware. The appearance of unexpected kiosk mode browser launches should always be treated as suspicious and addressed promptly.
Reference:
