Cybersecurity researchers have discovered new malware designed to annoy and frustrate victims into giving up Google credentials.
When executed, the malware, known as Amadey, launches a script that scans the machine for installed browsers, then launches one in "kiosk mode" pointed at a Google login page. Kiosk mode runs a browser in full screen without the normal user interface elements such as toolbars, address bars, or navigation buttons, which makes it well suited to public kiosks, demonstration terminals, and the like. However, the script also disables the F11 and Escape keys in the newly launched browser, making it difficult for the user to leave kiosk mode.
The user is presented with a Google login page, and with no obvious way to exit the window, enters their Google credentials out of frustration. These credentials are then promptly stolen and sent back to the threat actor.
Image 1: Seemingly inescapable Google sign-in page displayed to victims
Source: Bleeping Computer
Analysis
While it appears simple, Amadey’s method demonstrates a clever use of social engineering. Amadey first frustrates and annoys the victim, then offers them a way to end that frustration and annoyance by entering their credentials.
As a result, this method would likely be effective against less experienced computer users who are unaware of ways to switch between windows and applications other than clicking the 'X' or pressing the Escape key.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging tactics, techniques, and procedures (TTPs) threat actors use. Field Effect MDR users are automatically notified if these TTPs are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Amadey and other info-stealing malware are often distributed via email. Field Effect users are encouraged to submit suspicious emails to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign.
Field Effect encourages potential victims faced with a browser in kiosk mode to never input any credentials. Instead, try the following ways to exit the window:
- Hotkeys such as ‘Alt + F4’, ‘Ctrl + Shift + Esc’, ‘Ctrl + Alt + Delete’, and ‘Alt + Tab’.
- Pressing 'Win + R' to open the Windows Run dialog, typing 'cmd', then running the command 'taskkill /IM chrome.exe /F', which forcibly kills Chrome.
- If all else fails, perform a hard reset by holding the Power button until the computer shuts down. (This may result in losing unsaved work.)
After successfully closing the window, run a full anti-virus scan to find and remove the Amadey malware.
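For responders who want to confirm the symptom rather than rely on the user's description, the following added example (not code from Field Effect or the original article) enumerates browser processes that were started with a kiosk-mode switch, reports the parent process that launched them, and terminates them when run with -Kill. It assumes Windows with PowerShell 5.1 or later and that the browser was started with the '--kiosk' command-line switch; the browser list is an assumption and can be extended.

```powershell
# Added example (not from the original article): find browser processes launched
# in kiosk mode, show what started them, and optionally terminate them.
# Assumes Windows with PowerShell 5.1 or later.
param(
    [switch]$Kill   # pass -Kill to terminate matching processes; otherwise report only
)

# Browser executables to inspect (assumed list; extend as needed)
$browsers = @('chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe')

# Win32_Process exposes the full command line, which Get-Process does not
$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $browsers -contains $_.Name -and $_.CommandLine -match '(^|\s)--kiosk(\s|=|$)' }

if (-not $procs) {
    Write-Output 'No kiosk-mode browser processes found.'
    return
}

foreach ($p in $procs) {
    # The parent is the launcher; in the case described above, the malware's script
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { "$($parent.Name) (PID $($parent.ProcessId))" } else { 'unknown / exited' }

    [PSCustomObject]@{
        PID         = $p.ProcessId
        Browser     = $p.Name
        Parent      = $parentName
        CommandLine = $p.CommandLine
    } | Format-List

    if ($Kill) {
        # Equivalent to the taskkill /F step above, but limited to the kiosk-mode instance
        Stop-Process -Id $p.ProcessId -Force
        Write-Output "Terminated $($p.Name) (PID $($p.ProcessId))."
    }
}
```

Record the reported parent process and command line before terminating anything; they identify the launcher that a subsequent anti-virus scan should remove.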