Google Chrome is at risk of running malware-ridden extensions, but that is not the only risk you face. You also need to be extra careful about credential-stealing campaigns that target your Google account password.
Recently, attackers did this with a piece of malware called StealC that locks Chrome into kiosk mode and disables the F11 and ESC keys, effectively trapping the user in full-screen mode. This annoying attack is designed to make the user enter their Google login details, which are then harvested by the attackers.
Hacking via Chrome Kiosk Mode
In this Chrome kiosk-mode case, hackers have developed elaborate ways to take over Google accounts, which by and large give access to key data such as emails and credit card details.
Earlier malicious programs have used OCR to steal crypto passwords and have hijacked two-factor authentication codes by tricking their owners into giving the malware permission to read the SMS.
Now, a new threat has emerged in the form of StealC malware, which takes a more straightforward approach: frustrating users into giving up their credentials.
Researchers at Open Analysis Lab (OALabs) have uncovered how hackers, since at least August 22, have been deploying this malware to coerce users into entering their Google credentials.
The attack begins by launching the victim's Chrome browser in kiosk mode, displaying only a login window, usually for a Google account. Since kiosk mode is full-screen and locks the user out of other system functions, victims are left with no option but to enter their login details, unaware that their credentials are about to be stolen.
The StealC Credential Flushing Campaign: A Clever Tactic
Unlike traditional malware, StealC doesn't steal the credentials on its own. Instead, it relies on frustrating the user into entering their information themselves. Once the user inputs their Google account details, the StealC malware retrieves these credentials from Chrome's stored data and sends them to the hackers.
This technique combines several known elements, most notably the Amadey hacking tool, which has been active for six years.
Here's how a typical attack unfolds, according to Forbes.
- The victim's system gets infected with Amadey.
- Amadey deploys the StealC malware.
- The StealC malware launches a credential flusher.
- The credential flusher forces the browser into kiosk mode.
- The victim enters their credentials, which StealC then captures.
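As an added example that is not part of this article or of OALabs' report, the following Python snippet shows how a defender could flag the step where the credential flusher forces Chrome into kiosk mode, by checking process-creation records for chrome.exe started with Chrome's `--kiosk` switch, pointed at a Google login page, from an unexpected parent process. The record field names, the sample paths and the trusted-parent list are assumptions, and the events are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"ParentImage": r"C:\Users\victim\AppData\Local\Temp\flusher.exe",  # hypothetical flusher path
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/ServiceLogin'},
    {"ParentImage": r"C:\Windows\explorer.exe",  # legitimate signage kiosk launched by the user
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk http://signage.example.internal/board'},
]

LOGIN_HOSTS = {"accounts.google.com"}      # hosts whose login pages the campaign targets
TRUSTED_PARENTS = {"explorer.exe"}         # assumed allowlist of normal Chrome parents

def split_cmdline(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def analyze_event(ev):
    """Return None for benign events, else a severity plus the reasons it was flagged."""
    argv = split_cmdline(ev["CommandLine"])
    if not argv or argv[0].lower().rsplit("\\", 1)[-1] != "chrome.exe":
        return None
    if "--kiosk" not in argv:
        return None
    reasons = ["chrome.exe started with --kiosk"]
    for arg in argv[1:]:
        if arg.startswith(("http://", "https://")) and urlparse(arg).hostname in LOGIN_HOSTS:
            reasons.append(f"kiosk target is a login page: {arg}")
    parent = ev["ParentImage"].lower().rsplit("\\", 1)[-1]
    if parent not in TRUSTED_PARENTS:
        reasons.append(f"unexpected parent process: {ev['ParentImage']}")
    # One reason: plain kiosk use; two: suspicious; all three: matches the flusher pattern.
    severity = {1: "low", 2: "medium", 3: "high"}[len(reasons)]
    return {"severity": severity, "reasons": reasons}

def find_kiosk_launches(events):
    """Index every event that analyze_event flags, in log order."""
    return [(i, r) for i, ev in enumerate(events) if (r := analyze_event(ev))]

if __name__ == "__main__":
    for i, r in find_kiosk_launches(SAMPLE_EVENTS):
        print(i, r["severity"], "; ".join(r["reasons"]))
```

A low-severity hit alone is normal for digital signage, so alerting should key on the medium and high verdicts.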
TrickMo Malware: A New Android Threat Using Fake Google Screens
As if StealC wasn't enough, security experts have also identified a new version of the TrickMo banking Trojan targeting Chrome users on Android.
Disguised as the Google Chrome app, this malware tricks users into installing a rogue app that appears to require Google Play updates. The user is then asked to enable permissions for an app called Google Services, which grants the attackers access to SMS messages and two-factor authentication codes.
TrickMo uses HTML overlay attacks to display fake login screens, which are nearly indistinguishable from legitimate ones. It also utilizes malformed ZIP archive files as a method to evade malware detection systems, making it difficult for cybersecurity tools to analyze and detect the threat effectively.
Mitigating the Kiosk-Mode Attack and TrickMo Malware
Though it seems daunting, there are ways to escape Chrome's kiosk mode without access to the ESC or F11 keys. According to Bleeping Computer, users can try hotkey combinations like Alt + F4, Ctrl + Shift + Esc, Ctrl + Alt + Delete, or Alt + Tab. These combinations may allow users to return to the desktop and open Task Manager, where they can terminate the Chrome process.
Another option is using Win Key + R to open a command prompt and kill Chrome with the command `taskkill /IM chrome.exe /F`.
If these solutions fail, a forced shutdown might be necessary, according to Bleeping Computer. After restarting, booting the computer into Safe Mode and conducting a full malware scan using tools like Malwarebytes can help remove any infections and prevent future attacks.
To mitigate the TrickMo malware threat, users should avoid downloading software from sources other than the official Google Play Store. Stick to trusted applications, and always be cautious when granting permissions to apps that seem suspicious.