A malware campaign is employing an unusual tactic by locking users’ browsers in kiosk mode to pressure them into entering their Google credentials, which are then stolen by information-stealing malware.
The malware “locks” the browser on Google’s login page, making it difficult for users to close the window as it disables the “ESC” and “F11” keys. The goal is to frustrate users into entering and saving their Google credentials in the browser to “unlock” their computer.
Once the credentials are saved, the StealC malware extracts them from the browser’s credential store and sends them to the attacker.
Kiosk Mode Theft
OALABS researchers discovered this technique has been in use since at least August 22, 2024, primarily by Amadey, a malware loader, info-stealer, and system reconnaissance tool first deployed by hackers in 2018.
When activated, Amadey deploys an AutoIt script that scans the infected machine for available browsers and forces one to launch in kiosk mode at a specified URL.
The script also disables the F11 and ESC keys, preventing the user from easily exiting kiosk mode.
Kiosk mode, typically used for full-screen applications with limited functionality like public terminals or demos, is abused in this attack to restrict the user to the login page, leaving them no choice but to enter their account credentials.
In this attack, the kiosk mode redirects to the URL: https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password, which is the password change page for Google accounts.
Since Google requires users to reenter their password before making any changes, this gives attackers an opportunity to trick victims into re-authenticating and saving their credentials in the browser. Any credentials entered and saved are then stolen by StealC, a lightweight and adaptable information stealer that emerged in early 2023.
Exiting Kiosk Mode
If you’re locked in kiosk mode and the “Esc” or “F11” keys aren’t working, avoid entering sensitive information. Instead, try these alternative hotkey combinations:
- Alt + F4 to close the browser
- Ctrl + Shift + Esc to open Task Manager
- Ctrl + Alt + Delete to access system options
- Alt + Tab to switch between open apps
You can also press Win Key + R to open the Run dialog. Type cmd and use taskkill /IM chrome.exe /F to force close Chrome.
If all else fails, hold the power button for a hard reset. While this could result in losing unsaved work, it’s preferable to risking stolen credentials.
After rebooting, press F8, select Safe Mode, and run a full antivirus scan to remove the malware. Sudden kiosk mode activation is not normal and should be addressed promptly.
Thanks 🌹💕
Thanks