Your Google Chrome passwords may be at risk. Here's how to stay safe
A new malware spotted
2 min. read
Published on
Read our disclosure page to find out how can you help MSPoweruser sustain the editorial team Read more
Key notes
- New malware locks Chrome in kiosk mode to steal passwords.
- The “Credential Flusher” script automates this with StealC and Amadey.
- Avoid entering passwords, use alternative exit methods, and update antivirus software.
A new malware campaign is targeting Google Chrome users by locking the browser in kiosk mode, which limits user interaction and frustrates individuals into entering their Google passwords.
A recent analysis by OALABS Research reveals a new credential theft technique that uses an AutoIt script known as the “Credential Flusher.” This script basically forces victims to enter their credentials into a browser running in kiosk mode, and it makes it difficult for them to exit or navigate away from the login page.
This method, observed since August 2024 and often used with StealC malware, uses the Amadey malware to drop both StealC and the Credential Flusher.
The Credential Flusher script is then executed as an AutoIt2Exe binary to automate the process of opening the targeted login page in kiosk mode and capture credentials stored in the browser’s credential store once entered by the victim.
“Once the credentials are entered, they are stored in the browser’s credential store on disk and can be stolen using stealer malware, which is deployed along with the credential flusher,” the report reads.
To avoid becoming a victim, you should refrain from entering your password, use different keyboard shortcuts to exit kiosk mode, and run a malware scan in Safe Mode if needed. It’s also important to keep your antivirus software up to date and be careful with email attachments and links from unfamiliar sources.
User forum
0 messages