
Danger for Chrome users: How StealC and TrickMo steal your passwords

Meet StealC, a relatively new addition to the malware ecosystem. It is an information stealer: malware that collects confidential data from PCs and other devices, including passwords, credit card details, personal documents and other valuable information. StealC spreads through phishing emails, infected websites and malicious attachments.

Features of StealC that make it particularly dangerous

StealC relies on simple methods to steal credentials, which makes it accessible even to inexperienced attackers. The campaign described here specifically targets users of Chrome, perhaps the most popular browser in the world, which widens the pool of potential victims.

The malware reads the credentials stored in the browser: saved passwords, logins and other sensitive data. Because the technique is so simple, StealC can quickly gain access to a large number of accounts.

Annoyance is a surprisingly effective way to steal personal data

StealC's operators use the simplest, yet most effective, method of getting at personal Google account data: annoying the victim until they give in. Researchers at OALabs (Open Analysis Lab), a malware analysis research group, found that a campaign built around what they call a "credential flusher" has used this technique since at least 22 August 2024. OALabs confirmed that the attackers force the victim to enter their credentials in the browser, where the malware can then steal them.

The campaign locks the user's browser in kiosk mode and blocks the F11 and ESC keys so that full-screen mode cannot be exited. The only thing displayed in this annoying mode is a login window, usually for the victim's Google account.

The Google credential flusher is not credential theft by itself

The credential flusher is a tool that does not steal credentials directly. Instead, it creates conditions under which the user enters their credentials themselves: the browser stays locked on the login page until the victim signs in and, when Chrome offers to save the password, accepts. Only then does StealC come into play: it reads the passwords saved in the Chrome browser and hands them to the attackers. The campaign is assembled from several known tools, including the Amadey loader, which downloads the other components.


Here is an approximate attack scenario:

— The victim is infected with Amadey.

— Amadey downloads the credential flusher.

— The credential flusher starts the browser in kiosk mode on the Google login page.

— The victim enters their login credentials and lets the browser save them, from where StealC steals them.
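The attack chain above can be turned into a detection rule for endpoint telemetry. The following is an added example written for this article, not code from OALabs or from the campaign: it takes process-creation records (the kind Sysmon event ID 1 or Windows security event 4688 provide) in a constructed "Key=value|Key=value" layout and flags a browser launched with a kiosk flag pointed at a Google sign-in page. The record layout, the sample log lines, the list of "script host" parent processes and the assumption that the login page is served from accounts.google.com are all assumptions made for the example.

```python
"""Flag browser launches that match the kiosk-mode credential flusher pattern.

Added example, not OALabs' or the campaign's own code. Input records mimic
process-creation telemetry (Sysmon event 1 / Windows 4688) in a constructed
"Key=value|Key=value" layout; the sample lines below are made up for the demo.
"""
import re
import shlex
from typing import Dict, List

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Flags that put the browser into a full-screen window without UI chrome.
KIOSK_FLAGS = {"--kiosk", "--start-fullscreen"}
# Assumption: the flusher points the browser at the Google sign-in host.
SIGN_IN_HOSTS = {"accounts.google.com"}
# Assumption: interpreters that are unusual parents for a user's browser.
SCRIPT_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # Benign: the user opened Chrome from the Start menu.
    r'Image=C:\Program Files\Google\Chrome\Application\chrome.exe'
    r'|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'
    r'|ParentImage=C:\Windows\explorer.exe',
    # Benign: a signage-style kiosk showing an internal dashboard.
    r'Image=C:\Program Files\Google\Chrome\Application\chrome.exe'
    r'|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk http://dashboard.corp.local/'
    r'|ParentImage=C:\Windows\System32\cmd.exe',
    # Suspicious: kiosk-mode launch of the Google login page from a script host in %TEMP%.
    r'Image=C:\Program Files\Google\Chrome\Application\chrome.exe'
    r'|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk "https://accounts.google.com/signin/v2/identifier?service=mail"'
    r'|ParentImage=C:\Users\victim\AppData\Local\Temp\AutoIt3.exe',
]


def parse_record(line: str) -> Dict[str, str]:
    """Split one 'Key=value|Key=value' record into a dict (assumes '|' never occurs in a value)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def url_host(token: str) -> str:
    """Host part of an http(s) URL token, or '' if the token is not a URL."""
    match = re.match(r"https?://([^/:?#]+)", token, re.IGNORECASE)
    return match.group(1).lower() if match else ""


def evaluate(record: Dict[str, str]) -> List[str]:
    """Return the indicators a browser launch matches; [] means no alert.

    The flusher pattern needs both the full-screen lock and the sign-in page;
    a kiosk dashboard or an ordinary Gmail tab on its own must not alert."""
    if basename(record.get("Image", "")) not in BROWSERS:
        return []
    cmdline = record.get("CommandLine", "")
    try:
        # posix=False keeps Windows backslashes literal instead of treating them as escapes.
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        tokens = cmdline.split()
    indicators: List[str] = []
    if any(t.lower() in KIOSK_FLAGS for t in tokens):
        indicators.append("kiosk-mode flag")
    if any(url_host(t) in SIGN_IN_HOSTS for t in tokens):
        indicators.append("Google sign-in URL")
    if basename(record.get("ParentImage", "")) in SCRIPT_HOSTS:
        indicators.append("spawned by script host")
    required = {"kiosk-mode flag", "Google sign-in URL"}
    return indicators if required.issubset(indicators) else []


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the rule over many records and return one alert per matching launch."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        record = parse_record(line)
        hits = evaluate(record)
        if hits:
            alerts.append({"parent": record.get("ParentImage", ""),
                           "command": record.get("CommandLine", ""),
                           "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print("ALERT:", ", ".join(alert["indicators"]))
        print("  parent :", alert["parent"])
        print("  command:", alert["command"])
```

Only the third record alerts: the first has no kiosk flag, and the second is a kiosk launch of an internal dashboard, which is a legitimate use of the flag. Requiring both the kiosk flag and the sign-in URL keeps that case quiet, while the script-host parent is recorded as extra evidence rather than a condition, since a flusher launched from explorer.exe should still alert.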

Security measures against the StealC threat

Make sure you run antivirus software that is updated regularly so that it can detect new threats. Always use the latest version of Chrome, since updates often include security fixes.

Don't give phishing attacks a chance: don't click on suspicious links in e-mails or on sites that may redirect you to malicious resources. Use two-factor authentication: enable 2FA on your Google account for an extra layer of protection.

Remove unnecessary or suspicious browser extensions, which can be used to steal data. Use strong, unique passwords for different accounts and change them promptly if you suspect they have been exposed.

New TrickMo banking trojan uses fake login screens and a 2FA interceptor

Besides StealC, Chrome users face another credential theft threat. Researchers from Cleafy's threat intelligence team have discovered a new variant of the TrickMo banking trojan that masquerades as the Google Chrome browser app for Android.

After installing the malicious app, the victim sees a warning that Google Play needs to be updated, together with a dialog box and a confirmation button. What is actually installed is a second application called Google Services, which requests permissions and walks the user through enabling Accessibility Services for it.

With Accessibility Services enabled, the attackers gain the elevated permissions needed to intercept SMS messages and any two-factor authentication one-time codes delivered that way. TrickMo also uses an HTML overlay attack, displaying a screen that looks like a real login page on top of the legitimate app, to capture account credentials.

To hinder detection and analysis, TrickMo uses malformed ZIP archives. The trick is to create directories in the archive that have the same names as critical files. “This sneaky strategy can cause important system files to be overwritten during unzipping, making further analysis difficult,” the researchers note. They add that it also creates difficulties for the automated analysis tools used by defenders, as “an incorrect archive structure can cause errors or incomplete file extraction, which greatly complicates the analysis process.”
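The malformed-archive trick can be caught before extraction by inspecting the central directory. The following is an added example written for this article, not Cleafy's or TrickMo's code: it builds a toy APK-like ZIP in memory, once clean and once with directory entries named after the manifest and the dex file, and reports every critical name that is claimed by a directory or by more than one entry. The set of critical names (the standard APK files) and the sample archives are assumptions made for the example.

```python
"""Check a ZIP/APK for directory entries that collide with critical file names.

Added example, not Cleafy's or TrickMo's code. It implements a pre-extraction
check for the malformed-archive trick: an entry such as "AndroidManifest.xml/"
(a directory) next to the real "AndroidManifest.xml" file. The sample archives
are constructed in memory; the critical-name list is an assumption.
"""
import io
import zipfile
from typing import Dict, List

# Files every APK must contain; a directory entry reusing one of these names,
# or a second file entry with the same name, is the signal we look for.
CRITICAL_NAMES = {"AndroidManifest.xml", "classes.dex", "resources.arsc"}


def find_name_collisions(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Map each critical name to the archive entries that claim it, keeping only
    names that appear more than once or that appear as a directory entry."""
    claims: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # infolist() keeps duplicate entries; namelist()/getinfo() would hide them.
        for info in zf.infolist():
            stem = info.filename.rstrip("/")
            if stem in CRITICAL_NAMES:
                claims.setdefault(stem, []).append(info.filename)
    return {
        name: entries
        for name, entries in claims.items()
        if len(entries) > 1 or any(e.endswith("/") for e in entries)
    }


def safe_to_extract(zip_bytes: bytes) -> bool:
    """True when no critical file name is shadowed by a directory or duplicate entry."""
    return not find_name_collisions(zip_bytes)


def build_archive(malformed: bool) -> bytes:
    """Construct a toy APK-like ZIP in memory (not a real sample). With malformed=True
    it adds directory entries named after the manifest and the dex file, which is
    the structure that trips up naive extractors and automated analysis tools."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.app'/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        zf.writestr("res/layout/main.xml", b"<LinearLayout/>")
        if malformed:
            # A trailing slash makes zipfile store these as directory entries.
            zf.writestr("AndroidManifest.xml/", b"")
            zf.writestr("classes.dex/", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("clean", build_archive(False)), ("malformed", build_archive(True))):
        print(label, "->", find_name_collisions(data) or "no collisions")
```

Running the malformed sample through a plain `ZipFile.extractall()` shows the failure mode the researchers describe: the file `AndroidManifest.xml` is written first, then the directory entry of the same name fails with `FileExistsError`, so extraction stops part-way. Checking `safe_to_extract()` first lets a pipeline quarantine the sample instead of silently producing an incomplete unpack.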


How to defend against kiosk mode attacks and TrickMo attacks

At first glance this looks like a Sisyphean task, but it is still possible to leave kiosk mode without the more obvious ESC or F11 keys, which the malware blocks.

Users should try the Alt + F4, Ctrl + Shift + Esc, Ctrl + Alt + Delete and Alt + Tab key combinations to get back to the desktop and open Task Manager to end the Chrome process. Alternatively, Win + R opens the Run dialog; type cmd there to get a Windows command prompt, from which Chrome can be terminated with “taskkill /IM chrome.exe /F”. Keep in mind that killing the browser removes the lock screen but not the infection: the flusher and StealC are still on the machine.

Finally, there is a radical alternative: switching the computer off with the power button. If you take this route, boot into Safe Mode before anything else (on Windows 10 and 11 the old F8 boot menu is disabled by default, so hold Shift while selecting Restart and choose Safe Mode from the recovery options) and run a full malware scan to avoid re-infection. Malwarebytes offers a free scanner that can help clean up the system.

To avoid the latest TrickMo variant, the advice is simple: install Android apps only from the official Play Store, and treat any “Chrome” app or “Google Play update” offered through a link as suspect.

How else can criminals steal your personal data

Criminals use many methods to get at valuable Google accounts, the keys to your Gmail mailbox and the important data stored in it, or the passphrase of your crypto wallet. For example, there is malware that uses optical character recognition (OCR) to read crypto wallet passphrases from images, and other malware that targets two-factor authentication codes by tricking users into granting permission to read SMS messages. But that is a topic for a separate conversation.

Tatyana Morarash
