Malawi CERT advices google services users about a malware that is using the unusual method of locking users in their browser’s kiosk mode to annoy them into entering their Google credentials, which are then stolen by information-stealing malware. Specifically, the malware “locks” the user’s browser on Google’s login page with no obvious way to close the window, as the malware also blocks the “ESC” and “F11” keyboard keys. The goal is to frustrate the user enough that they enter and save their Google credentials in the browser to “unlock” the computer.
Once credentials are saved, the StealC information-stealing malware steals them from the credential store and sends them back to the attacker. According to researchers who uncovered this peculiar attack method, it has been used in the wild since at least August 22, 2024, mainly by Amadey, a malware loader, info-stealer, and system reconnaissance tool first deployed by hackers in 2018. When launched, Amadey will deploy an AutoIt script that acts as the credentials flusher, which scans the infected machine for available browsers and launches one in kiosk mode to a specified URL.
Kiosk mode is a unique configuration used in web browsers or apps to run in full-screen mode without the standard user interface elements like toolbars, address bars, or navigation buttons. It’s designed to limit user interaction to specific functions, making it ideal for public kiosks, demonstration terminals, etc. In this Amadey attack, though, kiosk mode is abused to restrict user actions and limit them to the login page, with the only choice being to enter their account credentials.
Malawi CERT advices Users who find themselves in this situation, to avoid entering any sensitive information on forms. Instead, try other hotkey combos like ‘Alt + F4’, ‘Ctrl + Shift + Esc’, ‘Ctrl + Alt +Delete’, and ‘Alt +Tab.’ to launch the Task Manager to terminate the browser (End Task).Pressing ‘Win Key + R’ should open the Windows command prompt. Type ‘cmd’ and then kill Chrome with ‘taskkill /IM chrome.exe /F.’
If all else fails, you can always perform a hard reset by holding the Power button until the computer shuts down. This may result in losing unsaved work, but this scenario should still be better than having account credentials stolen.
After restarting users should run a full antivirus scan to locate and remove the malware. Spontaneous kiosk mode browser launches are not normal and shouldn’t be ignored.