BleepingComputer reports that malicious payloads, particularly the Amadey malware, have been locking victims' browsers into kiosk mode to lure inputs of Google credentials, which would be later exfiltrated by information-stealing malware.
Attacks as part of the campaign, which commenced in late August, involved the Amadey malware spreading a credential-flushing AutoIT script, which would launch a URL for replacing Google account passwords in kiosk mode and establish parameters that would prevent user escape via the F11 and Escape keys, an analysis from OALABS revealed. Inputting credentials on the Google password change URL would then trigger exfiltration by the StealC infostealer, according to researchers, who recommended the usage of other hotkey combinations, including 'Ctrl + Shift + Esc', 'Alt + Tab', and 'Ctrl + Alt +Delete'. Users impacted by the attack could also trigger the command prompt via 'Win Key + R' before inputting 'cmd' and killing the Chrome browser or conducting a hard reset of the impacted device.
