
Manipulative Hackers Coercing Users to Provide Login Information for Theft


Security researchers have documented a technique in which cybercriminals manipulate victims into typing their credentials directly into a web browser, so that the browser itself stores them for a stealer to collect. The method relies on the StealC information stealer and is delivered through Amadey malware infections; it was first observed in August 2024.

The technique lures the victim into interacting with malicious web content crafted to capture credentials. It does not defeat any browser security control. Instead it abuses the browser's own password manager: once the victim types a password into the fake page and the browser saves it, the credentials land in the browser's local credential store, which stealer malware already knows how to read. That is what makes the approach dangerous: the attacker never has to intercept the credentials in transit, only to make the victim type them.

Samples of the malware have been analyzed with tools such as UnpacMe, an automated unpacking service that strips packers and runtime protection so analysts can inspect the underlying payload and work out its behavior and targets. Studying unpacked samples lets researchers identify shared patterns across families and spot emerging techniques like this one.

The attack forces the victim's browser into kiosk mode, a full-screen mode with no address bar, tabs, or window controls, loads a fake login page, and keeps the victim trapped on that page by blocking the usual ways of leaving it. Unable to close the window or navigate away, the frustrated victim eventually enters their credentials, which the browser then saves to its local password store on the device.

Stealer malware, working alongside the credential flusher, then harvests those saved credentials. The chain begins with Amadey infecting the victim's device; Amadey retrieves StealC and the credential flusher from a remote server. The flusher coerces the victim into entering credentials by pinning the browser in kiosk mode, and StealC reads the credentials the browser saved and exfiltrates them.

The credential flusher is an AutoIt script. It enumerates the browsers installed on the compromised system, launches one of them in kiosk mode, and points it at a pre-programmed page built to harvest credentials. In the analyzed case, victims were taken to a fake Google login page disguised as an account settings page, so that entering a password there causes the browser to store the Google credentials.

According to OALABS Research, the script targets Chrome, Firefox, and Edge, opening a new browser window in kiosk mode to set up the theft. It continuously monitors that window and intercepts the keyboard shortcuts that would normally exit kiosk mode or close the window, so the victim cannot leave the page until credentials have been entered.
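One way to catch this chain on the endpoint, as an added example that is not part of the original article or of the OALABS analysis: the flusher has to launch a real browser with a kiosk switch, and that launch shows up in process-creation telemetry. The Python below scans constructed Sysmon-style process-creation records for a browser started with a kiosk or full-screen switch and raises the severity when the parent is not the desktop shell or the target is a sign-in host. The switch list (`--kiosk` for Chromium-based browsers, `-kiosk` for Firefox), the benign-parent list, the login-host list, the field names and the sample events are all assumptions an analyst would tune; the event records are constructed for the example, not real logs.

```python
import re
import shlex
from dataclasses import dataclass

# Browser binaries and the command-line switches that put them in kiosk or
# full-screen mode. Chromium-based browsers use "--kiosk"; Firefox takes
# "-kiosk" (also accepted as "--kiosk"). "--app=" and "--start-fullscreen"
# are not kiosk mode but hide enough of the window to be worth reporting.
# Assumption: this list is tuned to the browsers deployed in the environment.
KIOSK_SWITCHES = {
    "chrome.exe":  ("--kiosk", "--app=", "--start-fullscreen"),
    "msedge.exe":  ("--kiosk", "--app=", "--start-fullscreen"),
    "brave.exe":   ("--kiosk", "--app=", "--start-fullscreen"),
    "firefox.exe": ("-kiosk", "--kiosk"),
}

# Parents from which an interactive browser launch is expected (assumption).
BENIGN_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Sign-in hosts that earn an extra flag when they are the kiosk target
# (assumption; the report described a fake Google login, hence the first entry).
LOGIN_HOSTS = ("accounts.google.com", "login.microsoftonline.com", "login.live.com")


@dataclass
class Finding:
    pid: int
    image: str
    parent: str
    reasons: list
    severity: str


def _tokens(cmdline: str) -> list:
    # Windows command lines are not POSIX, but posix=False keeps a quoted
    # executable path together as one token, which is all the matching needs.
    return shlex.split(cmdline, posix=False)


def _target_url(tokens: list):
    # First http(s) URL on the command line, accepting a bare URL or "--app=URL".
    for tok in tokens[1:]:
        m = re.match(r'^(?:--app=)?(https?://\S+)$', tok.strip('"'))
        if m:
            return m.group(1)
    return None


def detect_kiosk_launches(events: list) -> list:
    """Return a Finding for every browser start that looks like a kiosk trap.

    `events` are dicts with Sysmon-style keys ProcessId, Image, ParentImage and
    CommandLine (assumed field names; adapt them to the telemetry source).
    """
    findings = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image not in KIOSK_SWITCHES:
            continue
        tokens = _tokens(ev["CommandLine"])
        switch = next((t for t in tokens[1:]
                       if t.lower().startswith(KIOSK_SWITCHES[image])), None)
        if switch is None:
            continue  # ordinary browser launch, nothing to report
        reasons = [f"started with {switch.split('=')[0]}"]
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        if parent not in BENIGN_PARENTS:
            reasons.append(f"launched by non-shell parent {parent}")
        url = _target_url(tokens)
        if url and any(host in url for host in LOGIN_HOSTS):
            reasons.append(f"kiosk target is a sign-in page: {url}")
        # One reason (a kiosk switch alone) is common in legitimate kiosks;
        # an odd parent plus a sign-in target is the flusher pattern.
        severity = {1: "low", 2: "medium"}.get(len(reasons), "high")
        findings.append(Finding(ev["ProcessId"], image, parent, reasons, severity))
    return findings


# Constructed sample telemetry (not real logs): a normal Chrome start, a Chrome
# kiosk launch by a dropped executable pointed at a Google sign-in page, and a
# legitimate Firefox kiosk used for an internal dashboard.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"ProcessId": 5588,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\flusher.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/signin'},
    {"ProcessId": 6012,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -kiosk https://dashboard.internal.example/'},
]

if __name__ == "__main__":
    for f in detect_kiosk_launches(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.image} <- {f.parent}: " + "; ".join(f.reasons))
```

Run against the constructed events, the plain Chrome start is ignored, the Firefox dashboard kiosk is reported at low severity, and the Chrome kiosk launched from a Temp-directory executable toward a Google sign-in page is reported as high. The parent-process check is the useful discriminator here: a compiled AutoIt flusher dropped by Amadey is not the desktop shell, whereas real kiosks are normally started by the shell or a scheduled task the analyst can add to the allow-list.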

Because the credentials are stored by the victim's own browser, the defenses are practical rather than exotic. A browser that suddenly goes full-screen with no address bar and ignores the usual ways out, such as Esc or F11, should be treated as a sign of compromise and closed through Task Manager rather than satisfied with a password. High-value accounts should not depend on the browser's built-in password manager, and multi-factor authentication ensures a stolen password alone is not enough. On the detection side, a browser launched with a kiosk switch by a parent process other than the desktop shell is a cheap, high-signal alert. Finally, Amadey is already running on the machine before the kiosk screen appears, so that screen is a symptom of an existing infection and the host should be investigated as compromised, not merely rebooted.

