Advanced Phishing Tactic Exploits Kiosk Mode to Force Credential Entry
Threat Group: Unattributed (the campaign is delivered through the Amadey malware loader; Amadey is a loader, not a threat actor)
Threat Type: Credential theft (Browser lock, Kiosk mode exploitation)
Exploited Vulnerabilities: None. The campaign exploits no software flaw; it relies on deception, locking the browser in kiosk mode so that the victim believes entering credentials is the only way to regain control.
Malware Used: Amadey malware loader, StealC info stealer, and AutoIt Credential Flusher
Threat Score: High (7.8/10) — This campaign is particularly dangerous due to its stealthy method of locking users in browser kiosk mode, forcing them to input credentials that are later stolen by StealC malware.
Last Threat Observation: September 14, 2024
Overview
The AutoIt Credential Flusher campaign uses a novel and aggressive phishing technique to steal user credentials by locking the victim's browser in kiosk mode. Kiosk mode hides the address bar, tabs and window controls, so the victim cannot easily close the browser or navigate away and is led to believe that entering credentials is the only way to regain control of the system. The script opens a Google sign-in page in that locked window and the victim is coerced into re-authenticating. Once the credentials are entered and saved by the browser's password store, the StealC malware extracts and exfiltrates them.
The attack is typically initiated through the Amadey loader, which downloads both the Credential Flusher script and the StealC malware. The campaign has been active since August 2024 and has primarily targeted Google account credentials.
Key Details
- Kiosk Mode Exploitation: The AutoIt script launches the victim's browser in kiosk mode (the full-screen mode that Chromium-based browsers expose through the --kiosk command-line flag), restricting their ability to close the window or navigate away from the page.
- Amadey Malware: Used to deploy both the StealC info stealer and the Credential Flusher.
- StealC Malware: Extracts the credentials from the browser's saved-password store once the victim has entered them, then sends them to the attacker.
- Active Since August 2024: This threat has been observed in the wild, showing persistence and adaptation in phishing techniques.
Attack Vectors
- Initial Infection: The victim is infected with Amadey, a malware loader that deploys multiple malicious payloads.
- Credential Flusher Execution: An AutoIt script runs, identifying available browsers and launching one in kiosk mode.
- Forced Credential Entry: The victim is forced to a Google login page and prompted to enter their credentials.
- Credential Theft: The credentials are stored in the browser and extracted by StealC, which sends them to the attacker's server.
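The four steps above leave a distinctive trace in endpoint telemetry: a browser process started in kiosk mode by a parent that is not the desktop shell, typically a dropped executable or the AutoIt interpreter, with a Google sign-in URL on its command line. The detector below is an added example written for this advisory, not code from OALABS or BleepingComputer. It assumes Sysmon-style process-creation events delivered as JSON lines with Image, CommandLine, ParentImage and ProcessId fields; the kiosk flag spelling (--kiosk for Chromium browsers, -kiosk for Firefox) and the accounts.google.com host are assumptions, and the sample events are constructed for the demonstration.

```python
"""Flag suspicious kiosk-mode browser launches in process-creation telemetry.

Added example for this advisory; not the campaign's code nor the researchers' code.
Assumed event shape: Sysmon-like JSON lines with ProcessId, Image, CommandLine,
ParentImage. Assumed kiosk flag spellings: --kiosk (Chromium) and -kiosk (Firefox).
"""
import json
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
# Parents that normally launch a browser on an interactive desktop.
BENIGN_PARENTS = {"explorer.exe", "userinit.exe"}
# Kiosk flag as a standalone token; matches "--kiosk", "-kiosk", "--kiosk=..."
KIOSK_RE = re.compile(r"(?<!\S)-{1,2}kiosk(?=\s|=|$)", re.IGNORECASE)
# Assumed sign-in host for the forced Google login page.
LOGIN_RE = re.compile(r"https?://accounts\.google\.com\b", re.IGNORECASE)
# Directories an unprivileged user (and therefore a dropped payload) can write to.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE
)


@dataclass
class Finding:
    process_id: int
    severity: str
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> Optional[Finding]:
    """Return a Finding for a kiosk-mode browser launch, or None if the event is uninteresting."""
    if _basename(event.get("Image", "")) not in BROWSERS:
        return None
    cmdline = event.get("CommandLine", "")
    if not KIOSK_RE.search(cmdline):
        return None  # normal browser launch
    reasons = ["browser started in kiosk mode"]
    parent = event.get("ParentImage", "")
    parent_name = _basename(parent)
    if parent_name not in BENIGN_PARENTS:
        reasons.append(f"unexpected parent process {parent_name or '<unknown>'}")
    if USER_WRITABLE_RE.search(parent):
        reasons.append("parent binary lives in a user-writable directory")
    if parent_name.startswith("autoit"):
        reasons.append("parent is the AutoIt interpreter")
    login_page = bool(LOGIN_RE.search(cmdline))
    if login_page:
        reasons.append("kiosk target is the Google sign-in page")
    # A kiosk launch by itself is common on signage and shared terminals (low);
    # an unexpected parent raises it; a forced sign-in page from an unexpected
    # parent is the pattern described in this advisory (high).
    if login_page and parent_name not in BENIGN_PARENTS:
        severity = "high"
    elif len(reasons) > 1:
        severity = "medium"
    else:
        severity = "low"
    return Finding(int(event.get("ProcessId", 0)), severity, reasons)


def scan_jsonl(lines: Iterable[str]) -> List[Finding]:
    """Run score_event over JSON lines and collect the findings in input order."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = score_event(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real captures): one benign launch, one
# legitimate intranet kiosk, and two launches matching the campaign's pattern.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 4101, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4102, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://intranet.example.local/board',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4103, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/',
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\random.exe"},
    {"ProcessId": 4104, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -kiosk https://accounts.google.com/',
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\AutoIt3.exe"},
])

if __name__ == "__main__":
    for f in scan_jsonl(SAMPLE_JSONL.splitlines()):
        print(f"pid={f.process_id} severity={f.severity}: " + "; ".join(f.reasons))
```

The same logic translates directly into a SIEM query or Sigma rule: select process-creation events where Image is a browser, CommandLine contains the kiosk flag, and ParentImage is neither explorer.exe nor userinit.exe. Tune BENIGN_PARENTS for environments that deploy kiosk browsers through a management agent, and expect the low-severity tier to fire on shared terminals.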
Known Indicators of Compromise (IoCs)
File Hashes (SHA-256):
- Amadey Malware:
0ec952da5d48ceb59202823d7549139eb024b55d93c2eaf98ca6fa99210b4608
- StealC Malware:
99e3eaac03d77c6b24ebd5a17326ba051788d58f1f1d4aa6871310419a85d8af
- Credential Flusher:
78f4bcd5439f72e13af6e96ac3722fee9e5373dae844da088226158c9e81a078
Malicious URLs:
- StealC download:
http://31.41.244[.]11/steam/random.exe
- Credential Flusher download:
http://31.41.244[.]11/well/random.exe
Mitigation and Prevention
- Do not enter credentials: If you find yourself locked in a full-screen browser window with no address bar or close button, do not enter sensitive information. Use a keyboard shortcut that the locked window cannot intercept: Ctrl+Shift+Esc opens Task Manager directly, and Ctrl+Alt+Del opens the Windows security screen from which Task Manager can be started. From Task Manager, end the browser process and any unfamiliar process that launched it (for this campaign, the AutoIt script), otherwise the browser may simply be relaunched.
- Deploy Anti-malware Tools: Ensure that anti-malware solutions are updated and capable of detecting and blocking Amadey and StealC malware.
- Block IoCs: Implement URL filtering to block access to the malicious URLs and monitor your environment for the listed SHA-256 hashes.
- Update Systems: Regularly update browsers and operating systems to prevent attacks that exploit older versions.
Conclusion
The AutoIt Credential Flusher is a highly deceptive phishing campaign that uses kiosk mode to lock users in a browser window and pressure them into entering their credentials, which are then stolen by the StealC malware. The attack, delivered by the Amadey loader, is a prime example of evolving tactics in credential theft campaigns. Organizations should ensure proper defenses are in place, including blocking the malicious URLs, monitoring for the listed hashes, alerting on browsers launched in kiosk mode by unexpected parent processes, and keeping security tooling current enough to detect Amadey and StealC.
Sources
- OALABS Research: "AutoIt Credential Flusher"
- Bleeping Computer: "Malware locks browser in kiosk mode to steal Google credentials"