{"id":168557,"date":"2024-09-18T13:18:39","date_gmt":"2024-09-18T13:18:39","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=168557"},"modified":"2024-09-18T13:18:42","modified_gmt":"2024-09-18T13:18:42","slug":"credential-flusher","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/168557\/cyber-crime\/credential-flusher.html","title":{"rendered":"Credential Flusher, understanding the threat and how to protect your login data"},"content":{"rendered":"
<\/div>\n

Credential Flusher is a technique that forces the victim to type login credentials into a kiosk-mode web browser, where an infostealer running alongside then harvests them.<\/h2>\n\n\n\n

Cyber attacks have become increasingly sophisticated, putting our personal information at risk. One of the latest and most insidious techniques is Credential Flusher, a method that coerces the victim into entering login credentials in the web browser so that malware can steal them from there.<\/p>\n\n\n\n

The following article analyzes how this technique works, as explained by OALABS researchers, highlighting the risks and the protective measures we can take:<\/p>\n\n\n\n

https:\/\/research.openanalysis.net\/credflusher\/kiosk\/stealer\/stealc\/amadey\/autoit\/2024\/09\/11\/cred-flusher.html<\/a><\/p>\n\n\n\n

Attack flow<\/strong><\/p>\n\n\n\n

The Credential Flusher method uses an AutoIt script to force the victim to enter credentials into a browser running in kiosk mode. Kiosk mode hides the window controls and limits the user\u2019s ability to close the browser or switch to other applications, so the quickest way for the victim to get the desktop back appears to be logging in, which is exactly what the attackers want.<\/p>\n\n\n\n

The AutoIt script does not steal the credentials itself; it works in combination with an information stealer such as StealC, which extracts the credentials from the browser\u2019s saved-password store. The malware is distributed via the Amadey loader (https:\/\/research.openanalysis.net\/cpp\/stl\/amadey\/loader\/config\/2022\/11\/13\/amadey.html<\/a> ), which is spread through phishing e-mails or downloads from compromised sites.<\/p>\n\n\n\n


\"Credential<\/a><\/figure>\n\n\n\n

Flow chart – Credit OALABS<\/p>\n\n\n\n

In the OALABS example, Amadey downloads StealC and a compiled AutoIt binary (\u201cAutoIt2Exe\u201d, https:\/\/www.unpac.me\/results\/135c3dff-3159-4738-83ed-ed04cc09d3a8?hash=78f4bcd5439f72e13af6e96ac3722fee9e5373dae844da088226158c9e81a078<\/a> ) from http[:]\/\/31.41.244[.]11 and executes both.<\/p>\n\n\n\n

The AutoIt script opens the legitimate Google \u201cSign in\u201d page in a kiosk-mode browser window and sets a parameter so that the F11 and ESC keys are ignored, leaving the victim without the usual shortcuts for leaving full-screen mode or closing the window.<\/p>\n\n\n\n

Script code snippet – Credit OALABS<\/p>\n\n\n\n

The attackers count on the victim accepting the browser\u2019s offer to save the password after signing in: once saved, the credential sits in the browser\u2019s password store, where StealC, running at the same time, harvests it.<\/p>\n\n\n\n
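The chain above gives a defender a concrete telemetry pattern: a browser process started with a kiosk flag, by a parent that is not the desktop shell, with a sign-in URL on its command line. The following detection logic is an added example written for this article, not code from OALABS or from the malware; it runs over process-creation records shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage). The records in SAMPLE_EVENTS are constructed for the example, the TRUSTED_PARENTS allowlist and the user-writable-directory heuristic are assumptions to tune per environment, and only accounts.google.com comes from the OALABS case (the other sign-in hosts are added for generality).<\/p>\n\n\n\n

```python
"""Flag kiosk-mode browser launches that match the Credential Flusher pattern.

Added example for this article, not code from OALABS or from the malware.
Input: process-creation records with Sysmon Event ID 1 style fields.
"""
import ntpath
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Chromium browsers use --kiosk; Firefox accepts -kiosk and --kiosk.
KIOSK_FLAG = re.compile(r"(?:^|\s)--?kiosk(?=\s|=|$)", re.IGNORECASE)

# Parents that normally start a browser on a Windows desktop.
# Assumed allowlist for the example; tune it to the environment.
TRUSTED_PARENTS = {"explorer.exe", "userinit.exe", "svchost.exe"}

# Directories a dropped loader or compiled AutoIt binary typically runs from
# (assumed heuristic, not an indicator published by OALABS).
USER_WRITABLE = re.compile(
    r"\\(?:temp|appdata\\local\\temp|programdata|downloads)\\", re.IGNORECASE
)

# accounts.google.com is the page targeted in the OALABS case; the other
# hosts are added here as plausible targets and are an assumption.
SIGNIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com", "login.live.com"}

URL_HOST = re.compile(r"""https?://([^/\s"']+)""", re.IGNORECASE)


def analyze_event(event):
    """Return the reasons this process creation looks like Credential Flusher.

    An empty list means the event is not a kiosk-mode browser launch at all.
    A single reason ("browser started in kiosk mode") is informational only.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in BROWSERS:
        return []
    cmd = event.get("CommandLine", "")
    if not KIOSK_FLAG.search(cmd):
        return []  # kiosk mode is the pivot of the technique; without it, skip

    reasons = ["browser started in kiosk mode"]
    parent_path = event.get("ParentImage", "")
    parent = ntpath.basename(parent_path).lower()
    if parent not in TRUSTED_PARENTS:
        reasons.append(f"launched by untrusted parent {parent or '<unknown>'}")
    if USER_WRITABLE.search(parent_path):
        reasons.append("parent runs from a user-writable directory")
    hosts = {h.lower() for h in URL_HOST.findall(cmd)}
    hit = sorted(hosts & SIGNIN_HOSTS)
    if hit:
        reasons.append("kiosk window opened on sign-in page " + ", ".join(hit))
    return reasons


def analyze(events):
    """Map ProcessId -> reasons for events with at least one indicator beyond
    the bare kiosk flag, so a shell-launched signage kiosk is not reported."""
    findings = {}
    for event in events:
        reasons = analyze_event(event)
        if len(reasons) >= 2:
            findings[event["ProcessId"]] = reasons
    return findings


# Constructed sample records, not captured telemetry.
SAMPLE_EVENTS = [
    {   # mirrors the chain in the article: dropper in %TEMP% opens Google sign-in in kiosk mode
        "ProcessId": 4120,
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/ServiceLogin',
        "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
    },
    {   # legitimate signage kiosk launched by the shell: informational only
        "ProcessId": 4121,
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -kiosk http://signage.corp.example/board',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # ordinary browser launch with no kiosk flag: ignored
        "ProcessId": 4122,
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com/',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

Run as-is, only the first constructed record is reported, with all four reasons; the shell-launched Firefox kiosk is kept out of the findings because the bare kiosk flag is common on signage and point-of-sale machines, and the bare sign-in URL without a kiosk flag is never examined.<\/p>\n\n\n\n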

Why and how to protect ourselves<\/strong><\/p>\n\n\n\n

Once the credentials are stolen, attackers can use them to access the victim\u2019s online accounts, including banking, e-mail, and social media accounts. This can lead to identity theft, financial losses, and other serious consequences. To protect against attacks like Credential Flusher, it is essential to adopt a series of security measures:<\/p>\n\n\n\n