Threat Actors Forcing Victims to enter Login Credentials for Hijacking

A new stealer technique has been observed since August 22, 2024, forcing victims to input credentials directly into a browser, enabling subsequent theft from the browser’s credential store using traditional stealer malware.

Based on the information provided by the Loader Insight Agency, it has been revealed that Amadey primarily uses this method when it drops StealC.

The attack involves forcing the victim’s browser into full-screen kiosk mode, navigating to a login page, and preventing the victim from closing or navigating away, which limits the victim’s interactions and makes them more susceptible to phishing attacks or credential theft.

The credential flusher tactic uses social engineering to trick victims into entering their credentials, which are then stored in the browser’s credential store on the device; that store can then be harvested by stealer malware, which is typically deployed alongside the credential flusher.

Network of Amadey

The credential flusher is a tool that tricks victims into entering their credentials and is often used alongside a credential stealer to harvest the entered information. Intelligence suggests that it is used in a specific deployment method, detailed in the PIVOT document.

The victim’s device was first infected with the Amadey malware, which was then used to download and execute the StealC malware from a remote server.

Amadey downloads a malicious tool called Credential Flusher from a remote server. After launching the tool, it opens a browser in kiosk mode to trick the victim into entering their credentials, which are then captured and sent to another malicious tool called StealC.

Login page

The Credential Flusher is an AutoIt script that identifies compatible browsers on the victim’s device, opens the chosen browser in full-screen kiosk mode, and directs it to a website designed to steal login credentials.

The target URL redirects the user to Google’s account login page (“ServiceLogin”) for account settings access: it specifies “accountsettings” as the target service and includes a continuation URL pointing to the password management section (“signinoptions/password”) after successful login.

The AutoIt2Exe binary with SHA-256 78f4bcd5439f72e13af6e96ac3722fee9e5373dae844da088226158c9e81a078 (UnpacMe) contains a packed AutoIt script, which is obfuscated and compressed to reduce its size and prevent analysis.

The script closes existing browsers and then opens a new browser window in kiosk mode, directed to a Google account settings URL; it keeps this window on top and prevents the user from closing it with the Escape or F11 keys.
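The behaviour described above leaves a usable trace on the endpoint: a browser process started with a kiosk switch, a sign-in URL on its command line, and a parent that is not the user’s shell. The following detection logic is an added example written for this article; it is not code from the article, from OALABS, or from the Amadey/StealC operators. It scans process-creation records and flags only the combination of kiosk mode and a credential page, so ordinary kiosk deployments (signage, shared terminals) do not fire. The log lines and the parent-process names (`update.exe`, `wscript.exe`) are constructed, the `Image`/`CommandLine`/`ParentImage`/`ProcessId` field layout is an assumption rather than any product’s schema, and the sample Google URL is built from the components the article describes (“ServiceLogin”, “accountsettings”, “signinoptions/password”). The switches `--kiosk` (Chromium-based browsers) and `-kiosk` (Firefox) are the browsers’ real command-line options.

```python
"""Flag browsers launched in kiosk mode against a credential page.

Added example for the credential-flusher technique; the records below are
constructed and the field names are assumptions, not a real log schema.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Kiosk switches accepted by Chromium-based browsers (--kiosk) and Firefox (-kiosk).
KIOSK_FLAGS = {"--kiosk", "-kiosk"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Path fragments that indicate a sign-in or password-management page.
LOGIN_MARKERS = ("servicelogin", "signin", "login", "signinoptions/password")
# Parents that normally start a browser on an interactive desktop.
TRUSTED_PARENTS = {"explorer.exe"}

# Constructed process-creation records: key=value fields separated by '|'.
SAMPLE_EVENTS = [
    r'Image=C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https%3A%2F%2Fmyaccount.google.com%2Fsigninoptions%2Fpassword|ParentImage=C:\Users\victim\AppData\Local\Temp\update.exe|ProcessId=4312',
    r'Image=C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default https://news.example.com/|ParentImage=C:\Windows\explorer.exe|ProcessId=4400',
    r'Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|CommandLine="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://intranet.example.com/dashboard|ParentImage=C:\Windows\explorer.exe|ProcessId=4501',
    r'Image=C:\Program Files\Mozilla Firefox\firefox.exe|CommandLine="C:\Program Files\Mozilla Firefox\firefox.exe" -kiosk https://accounts.google.com/ServiceLogin?service=accountsettings|ParentImage=C:\Windows\System32\wscript.exe|ProcessId=5120',
    r'Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe --kiosk|ParentImage=C:\Windows\explorer.exe|ProcessId=5200',
]


@dataclass
class Finding:
    pid: int
    browser: str
    url: str
    parent: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Split one 'key=value|key=value' record into a dict (first '=' wins)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def split_cmdline(cmdline):
    """Tokenise a Windows command line, keeping quoted paths whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def credential_page_reasons(url):
    """Return why a URL looks like a sign-in or password page (empty if it does not)."""
    reasons = []
    parts = urlsplit(url)
    if any(m in parts.path.lower() for m in LOGIN_MARKERS):
        reasons.append("login page path")
    # A 'continue' parameter that lands on password settings matches the article's URL.
    for cont in parse_qs(parts.query).get("continue", []):
        if any(m in cont.lower() for m in LOGIN_MARKERS):
            reasons.append("continue to password settings")
    return reasons


def analyse(lines):
    """Return a Finding for each browser started in kiosk mode against a credential page."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        browser = basename(ev.get("Image", ""))
        if browser not in BROWSERS:
            continue
        args = split_cmdline(ev.get("CommandLine", ""))
        if not KIOSK_FLAGS & {a.lower() for a in args}:
            continue
        url = next((a for a in args if a.lower().startswith(("http://", "https://"))), "")
        reasons = credential_page_reasons(url)
        if not reasons:
            continue  # kiosk mode by itself is legitimate; require the credential page too
        parent = basename(ev.get("ParentImage", ""))
        if parent not in TRUSTED_PARENTS:
            reasons.append(f"launched by {parent}")
        findings.append(Finding(int(ev["ProcessId"]), browser, url, parent, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.browser} -> {f.url} ({'; '.join(f.reasons)})")
```

Two of the five constructed records are flagged: the Chrome launch from a Temp-directory executable and the Firefox launch from a script host. The Edge kiosk launch of an intranet dashboard is not, which is the point of requiring the URL evidence. The check has a known gap worth stating in any rule built on it: if the tool starts the browser blank and navigates afterwards, the URL never appears on the command line, so the parent-process relationship and the closing of existing browser windows that precedes the launch become the remaining signals.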

According to OALABS, the samples are likely malware signatures or hashes associated with the UnpacMe malware family, which were likely extracted from infected systems and analyzed to identify unique characteristics of the malware, such as file hashes or specific code patterns. 

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
