Recent intelligence indicates a new technique employed by stealers to trick victims into entering credentials directly into a browser, enabling subsequent theft from the browser’s credential store.
This method, used in conjunction with StealC malware, was first observed in August 2024 and is primarily deployed by the Amadey loader.
Rather than exploiting a browser flaw, the technique coerces the victim into authenticating to a legitimate login page inside a locked-down browser window, so that the browser's own password manager saves the credentials; a stealer then reads them from the local credential database.
No browser security control is bypassed, which is precisely why the approach works: it populates a credential store that might otherwise hold nothing worth stealing.
The samples referenced in the original research are identified by their file hashes (not reproduced here) and were unpacked and analysed with UnpacMe.
UnpacMe is a service that automatically unpacks malware so that researchers can inspect the underlying payload, its behaviour and its configuration.
Comparing such samples is how common patterns and emerging techniques like this one are identified.
The attack launches the victim's browser in kiosk mode on a login page: the window is full-screen with no address bar or window controls, and the victim cannot easily close it or navigate away.
A frustrated user will often simply log in to make the window go away.
Once entered, and saved when the browser prompts to remember them, the credentials sit in the browser's local credential store on the device.
Stealer malware deployed alongside the credential flusher can then read them from that store.
The attack chain begins with Amadey infecting the victim's device; Amadey then downloads StealC and the Credential Flusher from a remote server.
Credential Flusher forces the victim to enter their credentials by launching the browser in kiosk mode, and StealC harvests them from the browser's credential store.
No software vulnerability is exploited anywhere in the chain; it relies on social coercion and on the browser's normal password-saving behaviour.
The credential flusher is an AutoIt script. It first checks which browsers are installed on the compromised system, launches the preferred one in kiosk mode (restricting what the user can do), and navigates it to a predefined URL.
In the analysed sample that URL is a Google account settings page, which redirects the user to the Google login; the page itself is legitimate, and the theft is carried out by a separate malware component after the victim has signed in.
According to OALABS Research, the script functions as a credential flusher: it first closes any open browser windows belonging to Chrome, Mozilla Firefox, or Internet Explorer.
It then checks for the presence of Microsoft Edge, Google Chrome, or Brave, and sets the matching executable path and window class name before launching a new browser window in kiosk mode.
The script opens a URL pointing at Google account settings. It continuously monitors the browser window, bringing it back to the foreground if it loses focus, and disables hotkeys such as Escape and F11 so the user cannot leave kiosk mode; the victim is left with no obvious way out other than entering credentials on the opened page.
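The kiosk launch described above (and in the attack flow earlier on this page) is the part of the technique that is visible in endpoint telemetry: a browser process started with a kiosk flag and a Google login URL as its arguments, by a parent that is not the user's shell. The following detection logic is an added example, not code from OALABS, from the malware, or from the original page. It assumes process-creation events with image, command line and parent image fields (the shape of Sysmon Event ID 1 or typical EDR data), a hypothetical trusted-parent list, and constructed sample events that are not real logs.

```python
"""Detection logic for the kiosk-mode "credential flusher" pattern.

Added illustration, not code from the original research or from the malware:
it flags process-creation events (fields mirror Sysmon Event ID 1 / EDR
telemetry) in which a Chromium-based browser is started in kiosk mode with a
Google account login URL. The sample events at the bottom are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Browsers the AutoIt flusher is reported to launch.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Parents from which an interactive user normally starts a browser
# (assumption; extend for your environment, e.g. kiosk management agents).
TRUSTED_PARENTS = {"explorer.exe"}
LOGIN_URL_RE = re.compile(r"^https?://(accounts|myaccount)\.google\.com(/|$)", re.I)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process
    command_line: str   # raw command line as logged
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(command_line: str) -> list:
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in TOKEN_RE.findall(command_line)]


def analyse(event: ProcEvent) -> Optional[dict]:
    """Return a finding for the credential-flusher pattern, else None."""
    if basename(event.image) not in BROWSERS:
        return None
    args = tokens(event.command_line)[1:]   # drop argv[0]
    kiosk = any(a.lstrip("-").lower() == "kiosk" for a in args)
    urls = [a for a in args if a.lower().startswith(("http://", "https://"))]
    login_url = next((u for u in urls if LOGIN_URL_RE.match(u)), None)
    if not (kiosk and login_url):
        # Kiosk mode alone (digital signage) or a plain login is normal.
        return None
    parent = basename(event.parent_image)
    return {
        "rule": "browser_kiosk_google_login",
        "browser": basename(event.image),
        "url": login_url,
        "parent": parent,
        # A browser forced onto a login page by a non-shell parent (for
        # example a compiled AutoIt binary dropped in %TEMP%) is the
        # malicious shape; the same launch from explorer.exe is less clear.
        "severity": "high" if parent not in TRUSTED_PARENTS else "medium",
    }


def scan(events) -> list:
    """Run analyse() over an iterable of events and collect findings."""
    return [f for f in (analyse(e) for e in events) if f]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Normal interactive launch: no kiosk flag.
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
              r"C:\Windows\explorer.exe"),
    # Legitimate kiosk use: kiosk flag but an internal signage URL.
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://signage.example.internal/board',
              r"C:\Windows\explorer.exe"),
    # Credential-flusher shape: kiosk flag, Google login, unknown parent.
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/',
              r"C:\Users\victim\AppData\Local\Temp\update.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the launch is visible this way; the hotkey suppression and the focus-stealing loop happen inside the AutoIt process and leave no process-creation record, so pair this rule with detection of compiled AutoIt binaries running from user-writable paths, and treat a hit as a cue to check the browser's saved-password store on that host.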