A new malware campaign has been discovered, using an unusual method to steal Google credentials from unsuspecting users. The malware locks the user’s browser in kiosk mode, blocking the “ESC” and “F11” keyboard keys, making it seem like there’s no way out. This is done to frustrate the user into entering their Google credentials, which are then stolen by information-stealing malware.
The malware, known as Amadey, has been in use since at least August 22, 2024, and targets users who have saved their Google credentials in their browser. When launched, Amadey deploys an AutoIt script that scans the infected machine for available browsers and launches one in kiosk mode to a specified URL.
The script sets an ignore parameter for the F11 and Escape keys on the victim’s browser, preventing an easy escape from the kiosk mode. Kiosk mode is designed to limit user interaction to specific functions, making it ideal for public kiosks or demonstration terminals. In this case, it’s used to restrict user actions and limit them to the login page.
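As an added illustration of how a defender might spot this behaviour in endpoint telemetry (not code from the original article), the snippet below scans constructed process-creation records for a browser started in kiosk mode by a script interpreter and pointed at the Google sign-in page. The record layout (`parent|child|command line`), the `--kiosk` switch used by Chromium-based browsers and Firefox, and the interpreter process names are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events, not real telemetry.
# Assumed layout: parent image | child image | child command line
SAMPLE_EVENTS = [
    r'explorer.exe|chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mail.example',
    r'AutoIt3.exe|chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/',
    r'KioskLauncher.exe|msedge.exe|msedge.exe --kiosk https://intranet.example/display',
    r'AutoIt3.exe|msedge.exe|msedge.exe --kiosk --start-fullscreen https://accounts.google.com/',
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
# Script hosts that rarely have a legitimate reason to spawn a kiosk-mode browser (assumed list)
SCRIPT_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
KIOSK_FLAG = re.compile(r"(^|\s)--kiosk(\s|=|$)", re.IGNORECASE)
LOGIN_PAGE = re.compile(r"accounts\.google\.com", re.IGNORECASE)


@dataclass
class Finding:
    parent: str
    child: str
    reasons: list


def parse_event(line):
    parent, child, cmdline = line.split("|", 2)
    return parent.strip(), child.strip(), cmdline.strip()


def score_event(line):
    """Return a Finding for a kiosk-mode browser launch, or None if the event is not one."""
    parent, child, cmdline = parse_event(line)
    if child.lower() not in BROWSERS or not KIOSK_FLAG.search(cmdline):
        return None
    reasons = ["browser launched with --kiosk"]
    if parent.lower() in SCRIPT_HOSTS:
        reasons.append(f"parent is a script interpreter ({parent})")
    if LOGIN_PAGE.search(cmdline):
        reasons.append("kiosk target is the Google sign-in page")
    return Finding(parent, child, reasons)


def scan(lines):
    # Keep only findings that have more than the bare kiosk flag, so a legitimate
    # kiosk launcher showing an intranet dashboard does not page anyone.
    return [f for f in map(score_event, lines) if f and len(f.reasons) > 1]
```

Running `scan(SAMPLE_EVENTS)` flags the two AutoIt-spawned launches and stays quiet on the ordinary browser start and the intranet kiosk.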
To avoid falling prey to this attack, users should be cautious when entering their Google credentials online. If you find yourself stuck in kiosk mode, try alternative hotkey combinations such as “Alt + F4”, “Ctrl + Shift + Esc”, or “Win Key + R” to bring the desktop to the foreground and cycle through open apps.
If all else fails, a hard reset by holding the Power button until the computer shuts down may be necessary. Once rebooted, run a full antivirus scan to locate and remove the malware.
Source: https://www.bleepingcomputer.com/news/security/malware-locks-browser-in-kiosk-mode-to-steal-google-credentials/