Researchers have uncovered a new tactic employed by hackers to steal user credentials, particularly targeting Google account passwords. This technique, which has been observed since at least August 22, 2024, exploits browser functionality to pressure users into revealing their login information.
The Open Analysis Labs (OALabs) recently published findings detailing this credential theft campaign, which utilizes malware known as StealC. The attack method is notable for its simplicity and effectiveness, relying on user frustration to achieve its goal.
At the core of this technique is the use of kiosk mode, a browser feature typically employed in public terminals. Attackers hijack this functionality to trap users in a full-screen browser window, preventing them from navigating away or closing the application. The only visible element on the screen is a login window, most commonly for Google accounts.
The Credential Flusher, as researchers have dubbed it, is not itself a credential stealer. Instead, it serves as a pressure mechanism, compelling users to enter their login details out of sheer annoyance.
Once the credentials are input, they are stored in the browser's credential store, where they become vulnerable to theft by the StealC malware.
According to intelligence provided by the Loader Insight Agency, the attack typically unfolds in several stages:
- The victim's system is initially infected with Amadey, a hacking tool that has been in use for at least six years.
- Amadey then loads the StealC malware onto the system.
- Next, Amadey deploys the credential flusher.
- The credential flusher launches the browser in kiosk mode, trapping the user.
- Frustrated, the user enters their login details, which are subsequently stolen by StealC.
The credential flusher is implemented as an AutoIt script, which identifies available browsers on the victim's computer and launches the preferred browser in kiosk mode. It then navigates to the targeted service's login page, typically Google's account login URL.
To prevent users from escaping the trap, the script disables common exit methods such as the ESC and F11 keys. This leaves users with limited options to close the browser or navigate away from the login page.
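A defender can look for the launch pattern described above in endpoint process-creation telemetry: a browser started with a kiosk switch, pointing at a login page, from a parent that is not the desktop shell. The rule below is an added example, not code from OALabs or the campaign; the browser names, the `accounts.google.com` host list, the `explorer.exe` parent allow-list and the sample events are all constructed assumptions.

```python
import ntpath
import shlex
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Browser image basenames the rule cares about (assumption: common Windows browsers).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Switches that open Chromium-based browsers and Firefox as a full-screen kiosk window.
KIOSK_FLAGS = {"--kiosk", "-kiosk"}
# Login hosts worth alerting on; Google is the one named in the report (assumption: illustrative list).
LOGIN_HOSTS = {"accounts.google.com"}
# Parents that normally spawn a browser on a workstation (assumption).
EXPECTED_PARENTS = {"explorer.exe"}

def classify_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding when a browser is launched in kiosk mode, else None."""
    image = ntpath.basename(event["image"]).lower()
    if image not in BROWSERS:
        return None
    # Non-POSIX mode keeps Windows-style quoting; strip the quotes off each token.
    tokens = [t.strip('"') for t in shlex.split(event["cmd"], posix=False)]
    if not any(t.lower() in KIOSK_FLAGS for t in tokens):
        return None
    hosts = {urlparse(t).hostname for t in tokens if t.startswith(("http://", "https://"))}
    login_page = bool(hosts & LOGIN_HOSTS)
    parent = ntpath.basename(event["parent"]).lower()
    odd_parent = parent not in EXPECTED_PARENTS
    if login_page and odd_parent:
        severity = "high"    # kiosk + login page + unexpected parent: the flusher pattern
    elif login_page or odd_parent:
        severity = "medium"
    else:
        severity = "low"     # kiosk alone is also how legitimate signage terminals run
    return {"ts": event["ts"], "browser": image, "parent": parent,
            "hosts": sorted(h for h in hosts if h), "severity": severity}

def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the rule over a batch of process-creation events and keep the hits."""
    return [f for f in map(classify_event, events) if f]

# Constructed sample events with Sysmon-style fields; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-08-22T10:01:05Z", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r'"chrome.exe" https://www.example.org/'},
    {"ts": "2024-08-22T10:02:11Z", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\flusher.exe",
     "cmd": r'"chrome.exe" --kiosk https://accounts.google.com/ServiceLogin'},
    {"ts": "2024-08-22T10:03:40Z", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r'"msedge.exe" --kiosk https://signage.example.org/'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the second sample event combines all three signals and is rated high; the third shows why kiosk mode on its own should stay a low-severity signal rather than an alert.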
While this technique primarily targets Google account credentials, the implications extend beyond a single service. Google accounts often serve as a gateway to numerous other services and sensitive information, making them a high-value target for cybercriminals.
In a parallel development, researchers at Cleafy have identified a new variant of the TrickMo banking Trojan. This malware masquerades as the Google Chrome app for Android, adding another layer of complexity to the threat landscape.
The TrickMo variant employs sophisticated techniques to evade detection and intercept two-factor authentication codes sent via SMS.
As these threats continue to evolve, cybersecurity experts recommend several mitigation strategies:
- For users trapped in kiosk mode, alternative keyboard shortcuts like Alt + F4, Ctrl + Shift + Esc, or Ctrl + Alt + Delete may provide an escape route.
- Using the Windows Key + R combination to open the Run dialog, starting a command prompt from it, and forcibly terminating the browser process is another option.
- In extreme cases, a hard shutdown and booting into Safe Mode for a full system scan may be necessary.
- To protect against threats like TrickMo, users should only download Android software from the official Google Play Store.
The discovery of these new attack methods underscores the ongoing cat-and-mouse game between cybercriminals and security professionals.
As hackers develop increasingly sophisticated techniques, users and organizations must remain vigilant and keep their systems updated with the latest security patches.
Cybersecurity agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), are actively monitoring these threats. CISA has recently added a Microsoft Windows zero-day vulnerability (CVE-2024-43461) in a browser component to its Known Exploitation Catalogue, mandating federal agencies to patch their systems within three weeks.
CVE-2024-43461 was addressed in Microsoft's latest Patch Tuesday security round-up. It has since been reclassified as a zero-day after it was found to have already been exploited by the Void Banshee advanced persistent threat group as far back as July 2024.
The vulnerability itself sits within the MSHTML browser engine, known as Trident, which Microsoft retains in Windows for backward compatibility.
CVE-2024-43461 is part of an exploit chain and is used in conjunction with a similar vulnerability, CVE-2024-38112, that was fixed in the July 2024 Patch Tuesday updates. Both are MSHTML spoofing flaws that can lead to remote arbitrary code execution.