Newly published research has revealed how threat actors are using a devious new technique to make Chrome users hand over their Google account passwords out of nothing more than sheer frustration. The credential-stealing campaign, which delivers malware called StealC, locks the victim's browser in kiosk mode while blocking both the F11 and ESC keys so that the user cannot escape the full-screen window. The only thing displayed while the browser is trapped in this seemingly inescapable kiosk mode is a login page, most often for the victim's Google account, according to the researchers.
How Hackers Use New Annoyance Technique To Steal Google Account Passwords
Threat actors have used many methods of gaining access to Google accounts, which are the key to a Gmail inbox and everything secured through it, including password resets and, in some cases, a crypto-wallet passphrase. Recently we have seen malware using optical character recognition to grab crypto passwords from screenshots, and another that targets two-factor authentication codes by tricking users into granting permission to read SMS messages. Now there is a new player in town by the name of StealC, used in a campaign that relies on perhaps the simplest yet most effective way of obtaining Google account credentials: annoying the heck out of the victim.
The Open Analysis Lab researchers have revealed how the credential flushing campaign has been using the technique since at least August 22. In their analysis, the OALabs researchers confirmed that the attackers force the victim into typing their credentials into the browser themselves, from where the malware can then steal them. “The technique involves launching the victim’s browser in kiosk mode and navigating to the login page of the targeted service, usually Google,” the researchers said. Because kiosk mode is a full-screen deployment of the browser with no tabs, address bar or window controls, and the victim is prevented from navigating away from it or closing the app, only one option appears to be left to those unfortunate enough to get trapped this way: sign in to the Google account login window.
Google Account Credential Flusher Is Not A Credential Stealer
Interestingly, the credential flusher itself isn’t actually a credential stealer. Instead, it applies the necessary leverage to get the frustrated victim to enter their account credentials themselves. Once they have done so, and the browser has saved those credentials, a bog-standard bit of credential-stealing malware, in this case StealC, grabs the passwords from the Chrome browser’s credential store and delivers them to the attackers. In fact, the entire campaign is built from a number of known elements. Primarily there is the Amadey hacking tool, a loader that has been in use for at least six years and that drops the other components. The OALabs researchers credit threat intelligence partner the Loader Insight Agency with helping to map out a typical attack roadmap:
- The victim is infected with Amadey.
- Amadey loads the StealC malware.
- Amadey loads the credential flusher.
- The credential flusher launches the browser, in kiosk mode.
- The victim enters their login details and these are then stolen by the StealC malware.
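The step that makes this chain visible to a defender is the fourth one: a browser being started with a kiosk switch, pointed at a sign-in page, by something that is not the user's desktop shell. Below is an added detection example written for this article; it is not code from OALabs, Amadey or StealC. The log records are constructed to resemble Sysmon Event ID 1 (process creation) entries written as key=value pairs, and the field names, the sign-in hosts other than Google, and the loader file name flusher.exe are assumptions rather than indicators from the report.

```python
"""
Hunt for a browser launched in kiosk mode against a sign-in page, the step of
the chain where the credential flusher hands the victim to a Google login.
Added example, not code from OALabs, Amadey or StealC. Field names, the
non-Google sign-in hosts and the file name flusher.exe are assumptions.
"""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Chromium switches that yield a full-screen window with no tab strip,
# address bar or close button, which is what traps the victim.
KIOSK_FLAGS = {"--kiosk", "--start-fullscreen"}
# Sign-in hosts worth alerting on; the report names Google, the rest are assumed.
LOGIN_HOSTS = ("accounts.google.com", "login.microsoftonline.com")
# Processes that ordinarily spawn a user's browser; anything else is suspect.
NORMAL_PARENTS = {"explorer.exe"}

# Constructed sample records; the "flusher.exe" parent is a placeholder name.
SAMPLE_EVENTS = [
    r'EventID=1 ProcessId=4120 Image=C:\Program Files\Google\Chrome\Application\chrome.exe ParentImage=C:\Windows\explorer.exe CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" https://mail.google.com/',
    r'EventID=1 ProcessId=4388 Image=C:\Program Files\Google\Chrome\Application\chrome.exe ParentImage=C:\Users\victim\AppData\Local\Temp\flusher.exe CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/',
    r'EventID=1 ProcessId=5002 Image=C:\Program Files\Google\Chrome\Application\chrome.exe ParentImage=C:\Windows\explorer.exe CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk http://signage.corp.example/',
]


def parse_event(line):
    """Parse one 'Key=Value Key=Value ...' record into a dict.

    Paths and command lines contain spaces, so the record is split on
    whitespace that is immediately followed by the next Key= token.
    """
    fields = re.split(r"\s+(?=\w+=)", line.strip())
    return dict(f.split("=", 1) for f in fields if "=" in f)


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons this process launch looks like a kiosk-mode
    credential trap; an empty list means it looks benign."""
    if basename(event.get("Image", "")) not in BROWSERS:
        return []
    cmd = event.get("CommandLine", "").lower()
    tokens = cmd.split()
    # Without a kiosk/full-screen switch the victim can simply close the window.
    if not any(t.split("=", 1)[0] in KIOSK_FLAGS for t in tokens):
        return []
    reasons = ["kiosk/full-screen switch on the command line"]
    if any(host in cmd for host in LOGIN_HOSTS):
        reasons.append("kiosk target is a sign-in page")
    parent = basename(event.get("ParentImage", "?"))
    if parent not in NORMAL_PARENTS:
        reasons.append("browser spawned by " + parent)
    return reasons


def scan(lines):
    """Run classify() over log lines and return [(pid, reasons)] for launches
    that show the kiosk switch plus at least one more indicator. A lone
    kiosk launch from explorer.exe (digital signage, a locked-down terminal)
    is left alone to keep the false-positive rate down."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if len(reasons) >= 2:
            hits.append((ev.get("ProcessId"), reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: " + "; ".join(reasons))
```

In production the records would come from Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled. On a hit, the response is to terminate both the browser PID and the parent that spawned it; killing only the browser leaves the loader free to reopen the window.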
How To Mitigate A Kiosk-Mode Attack
Although it can seem like something of a Sisyphean task, it is still possible to exit kiosk mode without the more obvious ESC or F11 keys, as Bleeping Computer advises.
Users are recommended to try the hotkey combinations Alt + F4 (close the active window), Ctrl + Shift + Esc (open Task Manager directly), Ctrl + Alt + Delete, and Alt + Tab, any of which may get you back to the desktop or into Task Manager, from where the Chrome process can be ended. Bleeping Computer also suggests pressing Win + R to open the Run dialog, typing cmd to launch a command prompt, and killing Chrome from there with “taskkill /IM chrome.exe /F”. If the kiosk window comes straight back, the loader that launched it is still running, so end that process too, or move on to the next step.
Finally, there’s the nuclear option of holding down the power button to shut the machine off. If taking this approach, boot into Safe Mode and run a full system scan to remove the infection so it cannot simply start again. On older versions of Windows, Safe Mode is reached by pressing F8 during startup; on Windows 10 and 11 that key is disabled by default, so hold Shift while choosing Restart, or use the Recovery options in Settings, and pick Safe Mode from the startup settings menu. Malwarebytes has a free malware scanner which can help in this system cleansing. Once the machine is clean, and from a device you trust, change the Google account password and sign out of all other sessions, since any credentials entered into the kiosk window should be treated as compromised.