Cybersecurity researchers have uncovered a sophisticated malware campaign. It leverages deceptive CAPTCHA verification pages as a lure. This campaign distributes a newly discovered infostealer. The malware is Rust-based and dubbed EDDIESTEALER. This attack represents a significant evolution in social engineering. Threat actors exploit users’ familiarity with routine security checks. The malware employs an intricate multi-stage delivery mechanism. It begins with compromised websites displaying fake “I’m not a robot” screens. This ultimately leads to deploying the powerful data-stealing tool. It harvests credentials, browser information, and crypto wallet details.
The attack vector demonstrates remarkable sophistication in its execution. Initial access occurs through compromised websites. These sites deploy obfuscated React-based JavaScript payloads. They present users with what seems like a legitimate Google reCAPTCHA. These fake screens instruct users to perform simple actions. This includes opening the Run dialog and pasting clipboard contents. Unbeknownst to victims, malicious JavaScript copied a PowerShell command. This command was copied to their clipboard. Elastic Security Labs identified this emerging threat. The campaign uses a sophisticated command structure. It silently downloads secondary payloads from attacker infrastructure. The PowerShell command retrieves a JavaScript file. This file then downloads the main EDDIESTEALER executable.
EDDIESTEALER’s impact extends far beyond simple credential theft.
It targets a comprehensive range of sensitive user data. This includes various cryptocurrency wallets from infected systems. Browser stored credentials are also a primary target. Databases from password manager applications can be stolen. FTP client configurations are additionally at risk. Data from popular messaging applications can be compromised too. EDDIESTEALER demonstrates particular sophistication against modern browser security. It implements techniques similar to the ChromeKatz tool. This allows it to bypass Application-bound encryption protections. These protections were introduced in recent Chrome browser versions.
The malware’s adaptability highlights a persistent, evolving threat.
EDDIESTEALER employs multiple layers of advanced obfuscation. It also uses various evasion techniques. These features distinguish it from conventional infostealer malware. The malware utilizes extensive string encryption through XOR ciphers. Each decryption routine employs distinct key derivation functions. This significantly complicates static analysis efforts by researchers. It implements sophisticated API obfuscation using a custom mechanism. Rather than standard import tables, it dynamically resolves functions. EDDIESTEALER also incorporates multiple anti-analysis features. This includes memory-based sandbox detection. Newer variants suggest server-side profiling by its C2. It also has self-deletion capabilities using NTFS techniques. This allows the executable to remove itself from disk effectively.
Reference:
