StealC Malware Attacking Google Chrome To Steal Account Passwords

New research has uncovered a deceptive technique that cybercriminals are using to force Google Chrome users into revealing their Google account passwords out of sheer frustration.

The malicious campaign employs malware known as StealC, which locks the user’s browser in kiosk mode, disabling both the F11 and ESC keys to prevent them from exiting the full-screen mode.

While trapped in this kiosk mode, users are shown only a login window—typically for their Google account, according to the researchers.

Cybercriminals have long employed various methods to compromise valuable Google accounts, which often hold access to sensitive information like emails or cryptocurrency passphrases.

Recently, malware has been observed using optical character recognition to steal crypto passwords and tricking users into granting access to SMS messages to bypass two-factor authentication.

Now, the StealC malware uses a simpler but highly effective approach: frustrating the user until they enter their Google credentials.

According to the Open Analysis Lab (OALabs), this credential-stealing campaign has been active since at least August 22. The attack works by forcing the victim’s browser into kiosk mode and navigating to a login page, usually Google’s.

Because kiosk mode locks the browser into full-screen with no option to navigate away or close the window, the user’s only way out is to enter their login information.

Interestingly, the so-called “credential flusher” itself doesn’t steal the credentials directly.

Instead, it forces the user to submit them, after which the StealC malware retrieves the stored passwords from Chrome’s credential manager and sends them to the attackers.

The malware relies on several known tools, most notably the Amadey hacking tool, which has been used for over six years.

The typical attack chain, mapped out by OALabs with help from threat intelligence partners at the Loader Insight Agency, follows this pattern:

  • The victim is infected with Amadey.
  • Amadey loads the StealC malware.
  • Amadey launches the credential flusher.
  • The browser is forced into kiosk mode.
  • The victim enters their login details, which are then stolen by StealC.

Login Prompt For Google

Additionally, researchers have identified another credential-stealing threat: a new variant of the TrickMo banking Trojan, which mimics the Google Chrome app on Android devices.

After installation, the rogue app prompts the user to update Google Play and requests elevated permissions by guiding them through enabling accessibility services. This grants TrickMo the ability to intercept SMS messages, including two-factor authentication codes.

The Trojan also uses an HTML overlay attack to capture login credentials by displaying a screen that mimics genuine login pages.

To avoid detection, the new TrickMo variant uses a tactic involving malformed Zip archive files, creating directories named after critical system files. This obfuscation can cause unzip operations to overwrite essential files, complicating malware analysis for defenders.

To mitigate kiosk-mode attacks, Bleeping Computer advises trying keyboard combinations like Alt + F4, Ctrl + Shift + Esc, Ctrl + Alt + Delete, or Alt + Tab to access the Task Manager and terminate the Chrome browser.

The Win Key + R combination can also open a command prompt, allowing users to kill Chrome with the “taskkill /IM chrome.exe /F” command.

If all else fails, shutting down the computer and rebooting in Safe Mode is recommended, followed by a full system scan to remove the malware. Malwarebytes offers a free scanner for this purpose.
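As an added example for defenders (not from the article, OALabs or Bleeping Computer), the following PowerShell script finds Chrome processes running in kiosk mode, reports the URL and parent process for triage, and can terminate just those instances instead of every Chrome window. It assumes the flusher starts Chrome with Chromium's documented --kiosk command-line switch; the article does not say how kiosk mode is triggered, so treat the flag as one indicator rather than proof.

```powershell
# Added example, not the campaign's or the article's code. Assumes kiosk mode is
# entered via Chromium's --kiosk switch (an assumption; the article does not say).
param(
    [switch]$Kill   # pass -Kill to terminate matching processes (like taskkill /F)
)

# Win32_Process exposes the full command line, which Get-Process alone does not.
$chrome = Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'"

$kiosk = foreach ($p in $chrome) {
    if ($p.CommandLine -match '(^|\s)--kiosk(\s|$)') {
        # The campaign points the kiosk window at a login page, so record the URL.
        $url = '<none>'
        if ($p.CommandLine -match '(https?://\S+)') { $url = $Matches[1] }

        # The parent is the useful triage clue: a kiosk-mode Chrome spawned by
        # something other than explorer.exe (a user-launched shortcut) is suspicious.
        $parent = Get-CimInstance Win32_Process `
            -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue
        $parentName = '<exited>'
        if ($parent) { $parentName = $parent.Name }

        [pscustomobject]@{
            Pid        = $p.ProcessId
            ParentName = $parentName
            Url        = $url
            Started    = $p.CreationDate
        }
    }
}

if (-not $kiosk) {
    Write-Host 'No kiosk-mode chrome.exe processes found.'
    return
}

$kiosk | Format-Table -AutoSize

if ($Kill) {
    foreach ($k in $kiosk) {
        # Stop-Process -Force is the equivalent of the article's
        # "taskkill /IM chrome.exe /F", scoped to the kiosk instance only.
        Stop-Process -Id $k.Pid -Force -ErrorAction SilentlyContinue
        Write-Host "Terminated kiosk-mode Chrome PID $($k.Pid)"
    }
}
```

Run it without -Kill first to review the parent process and URL; the same command-line check (chrome.exe with --kiosk and a login URL, spawned by an unexpected parent) is a reasonable process-creation detection rule for this campaign.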

To prevent TrickMo infections, users should only download apps from trusted sources, such as the official Google Play Store, and avoid third-party downloads.

John Edward
John Edward is a distinguished market trends analyst and author renowned for his insightful analyses of global financial markets. Born and raised in New York City, Edward's early fascination with economics led him to pursue a degree in Finance from the Wharton School at the University of Pennsylvania. His work is characterized by a meticulous approach to data interpretation, coupled with a deep understanding of macroeconomic factors that influence market behavior.