written by
Becca Calloway

Beware Amadey, a Deviously Tricky New Malware Threat

Beware this malware: It "annoys" you into handing over login details

There’s a new malware threat that’s been on the rise since August. This one’s a little…weird, to be honest. But because it’s unusual and unexpected, it’s working surprisingly well at tricking people into giving up their credentials, which creates massive risks of data breaches and more.

This week, we’re explaining how this malware works, why it’s been so effective, and how you can avoid getting sucked in.

Meet Amadey: A New Breed of Annoyance Malware

Amadey is what some call “annoyance malware”: it doesn’t lock up your data and threaten you for ransom, and it doesn’t do major damage to your computer or turn it into part of a botnet.

It just emulates a problem with Windows itself and annoys you. And this particular version makes you think the only way to solve the problem is to log in and change your settings.

You might already see where we’re going with this: the login link and screen are fake, of course. So if you enter your credentials, a second bit of malware on your machine sends those credentials straight to the bad guys.

How Amadey Looks and Works

Amadey is unique in form. It takes advantage of something good in Windows called Kiosk Mode. That’s designed for PCs that need to be locked into a single app or screen. Think of things like using a PC as a clock-in station, or to power a rolling presentation that no one’s supposed to interact with, or the way some library catalog terminals work.

Kiosk Mode is great when you intend to use it, but not so much if you’re trying to do regular work. Amadey essentially locks your PC into Kiosk Mode: it forces your internet browser into full-screen mode and then disables all your navigation buttons and tools. No more address bar, no menus, no other apps — you’re stuck, and that’s pretty annoying.

Usually it’s easy to exit Kiosk Mode. Hitting F11 or Esc normally exits to your normal desktop, but not if you’ve been infected with Amadey. Instead, it looks like there’s no way to shut it off.

One thing you can do from the locked kiosk screen is click a convenient “fix it” link. It might look like a password reset link from Google or something similarly official. Don’t click it!

If you click the link, you’ll land on a lookalike login page. Provide your credentials, and boom — you’ve been phished.
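If your team collects process-creation logs, the kiosk lock described above is something you can look for. The script below is an added example, not part of the original article or any vendor's tooling. It assumes the lock is applied by starting the browser with its `--kiosk` command-line switch, and the record fields and sample events are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: the lock is applied with the browser's own kiosk switch.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
KIOSK_SWITCHES = {"--kiosk", "-kiosk"}  # exact tokens; "--kiosk-printing" is unrelated
TOKEN = re.compile(r'"[^"]*"|\S+')      # keeps a quoted path or URL as one token

# Constructed process-creation records (hypothetical field names and values).
SAMPLE_EVENTS = [
    {"pid": 3004, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://intranet.example.invalid/'},
    {"pid": 4120, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://accounts.example.invalid/reset'},
    {"pid": 4488, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'chrome.exe --kiosk-printing https://pos.example.invalid/'},
    {"pid": 5332, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "command_line": r'firefox.exe -KIOSK "https://login.example.invalid/"'},
    {"pid": 6010, "image": r"C:\Tools\notes.exe", "command_line": r"notes.exe --kiosk"},
]

def tokens(command_line):
    """Split a Windows command line, treating double-quoted runs as one token."""
    return [t.strip('"') for t in TOKEN.findall(command_line or "")]

def find_kiosk_launches(events):
    """Return browser launches that carry a kiosk switch, with the page they open."""
    findings = []
    for ev in events:
        browser = PureWindowsPath(ev["image"]).name.lower()
        if browser not in BROWSERS:
            continue  # only browsers are of interest here
        args = tokens(ev["command_line"])
        # Compare whole tokens so look-alike switches do not raise false alarms.
        if not any(a.lower() in KIOSK_SWITCHES for a in args):
            continue
        url = next((a for a in args
                    if a.lower().startswith(("http://", "https://"))), None)
        findings.append({"pid": ev["pid"], "browser": browser, "url": url})
    return findings

if __name__ == "__main__":
    for hit in find_kiosk_launches(SAMPLE_EVENTS):
        print(f'kiosk launch: pid={hit["pid"]} {hit["browser"]} -> {hit["url"]}')
```

On a PC that is not supposed to be a kiosk, any hit deserves a look, and the URL it reports is the page the user was locked onto.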

How to Sidestep Amadey

The good news is that even though Amadey uses a novel approach, it’s not a particularly complex piece of malware. A few easy steps may give you back control of your PC.

First, try hitting ALT+TAB, the keyboard shortcut that usually cycles through your open applications and tasks. You may be able to switch to another one and then force-kill whatever Amadey is calling itself in your application list.

ALT+F4 is another option: this keyboard shortcut forces the current window or application to close, so it could be enough to knock you out of evil kiosk mode.

If those steps don’t work, try restarting your computer. You may need to do a hard reset (holding down the power button, or even unplugging your PC from the wall).

Here’s the catch: these tricks may get you around Amadey for the time being, but they don’t actually clean up your computer. You’re still more than likely infected with malware.

If you’ve encountered this exploit on your PC — even if everything seems fine now — it’s time to get an expert to evaluate the situation and remove the malware properly.

That’s it for this week — if we can help your business with your IT needs, reach out anytime!
