New Malware Campaign: The Rise of EDDIESTEALER
A recent cybersecurity report has unveiled a concerning trend involving a new malware campaign that disseminates a Rust-based information stealer called EDDIESTEALER. The attack utilizes well-known social engineering techniques, notably a method known as ClickFix, which revolves around deceptive CAPTCHA verification pages designed to trick unsuspecting users.
How the Attack Works
Experts from Elastic Security Labs, notably researcher Jia Yu Chan, have detailed the mechanics behind this sophisticated campaign. Initially, attackers compromise legitimate websites by embedding malicious JavaScript payloads within them. These compromised sites present fake CAPTCHA verification pages, prompting victims to confirm their identity by following an outlined process.
Victims are instructed to open the Windows Run dialog, where they paste a command that executes an obfuscated PowerShell script. This script retrieves a subsequent payload from a specified external server, marking the beginning of a chain that serves to install the EDDIESTEALER malware on the victim’s system.
The Payload Delivery Process
Once the PowerShell command is executed, a JavaScript file named gverify.js is downloaded to the victim’s Downloads folder. This script runs silently in a hidden window, fetching the EDDIESTEALER binary from the same remote server and assigning it a randomly generated 12-character filename.
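The delivery chain described above (Run dialog to hidden PowerShell, PowerShell to a script host running a .js file from Downloads, that script launching a binary with a random 12-character name) is the kind of parent-child sequence endpoint telemetry can surface. The following is an added triage example written for this article, not code from Elastic Security Labs or from the report; the process-creation events, user name, paths and file names below are constructed placeholders, not real indicators from the campaign.

```python
"""Added example: flag the stages of a ClickFix-style delivery chain in
process-creation telemetry.  Sample events are constructed; the stage
heuristics mirror the chain the article describes and are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 style)."""
    parent_image: str
    image: str
    command_line: str


# Constructed telemetry modelled on the described chain; not real IoCs.
# "SQBFAFgA" is base64 of the UTF-16LE string "IEX", a typical -enc prefix.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -enc SQBFAFgA"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\victim\Downloads\gverify.js"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Users\victim\Downloads\aB3kQ9xZmT7p.exe",
              r'"C:\Users\victim\Downloads\aB3kQ9xZmT7p.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe",          # benign control event
              r"C:\Program Files\Notepad++\notepad++.exe",
              r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'),
]

# The Run dialog is hosted by explorer.exe, so a hidden/encoded PowerShell
# whose parent is explorer.exe is the first ClickFix signal.
RUN_DIALOG_PARENT = "explorer.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
HIDDEN_PS_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}",
    re.IGNORECASE)
DOWNLOADS_JS_RE = re.compile(r"\\Downloads\\[^\"\s]+\.js\b", re.IGNORECASE)
# Exactly 12 alphanumeric characters, as the article states for the dropped binary.
RANDOM12_IN_DOWNLOADS_RE = re.compile(
    r"\\Downloads\\[A-Za-z0-9]{12}\.(?:exe|dll)$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the chain stages this single event matches (possibly none)."""
    findings: list[str] = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if (image in {"powershell.exe", "pwsh.exe"} and parent == RUN_DIALOG_PARENT
            and HIDDEN_PS_RE.search(ev.command_line)):
        findings.append("clickfix_powershell")
    if image in SCRIPT_HOSTS and DOWNLOADS_JS_RE.search(ev.command_line):
        findings.append("script_host_downloads_js")
    if RANDOM12_IN_DOWNLOADS_RE.search(ev.image):
        findings.append("random12_binary_downloads")
    return findings


def chain_stages(events: list[ProcEvent]) -> set[str]:
    """Distinct stages seen across a host's events."""
    return {stage for ev in events for stage in classify(ev)}


def is_clickfix_chain(events: list[ProcEvent]) -> bool:
    """True when all three stages of the described chain are present;
    any single stage alone is a lower-confidence hunt lead."""
    return len(chain_stages(events)) == 3


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev.image), classify(ev))
    print("full chain:", is_clickfix_chain(SAMPLE_EVENTS))
```

Any one stage on its own is noisy (administrators do run hidden PowerShell), so the function that matters for alerting is the chain-level check; the individual stages are better used as hunting pivots, with the explorer.exe-to-PowerShell parentage being the most specific to the Run-dialog lure.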
EDDIESTEALER is designed to gather a wide range of system data. It can communicate with a command-and-control (C2) server, collecting sensitive information from the infected device. Targets for data exfiltration include cryptocurrency wallets, web browsers, password managers, FTP clients, and messaging applications.
Techniques Employed by the Malware
Elastic points out that EDDIESTEALER employs several advanced techniques to enhance its effectiveness and evade detection. The malware utilizes string encryption and a custom WinAPI lookup mechanism for API calls. Additionally, it creates a mutex to ensure that only one instance of the malware operates at any time.
It includes checks to determine whether it’s running in a sandboxed environment, and if it detects such conditions, it deletes itself from the disk, minimizing the risk of detection.
Handling Sensitive Data
One of the more concerning features of EDDIESTEALER is its ability to bypass Chromium’s application-level encryption to access unencrypted sensitive data. By using a Rust version of ChromeKatz, an open-source tool, the malware can extract cookies and credentials from memory, even spawning a new Chrome instance when necessary. This new instance is positioned off-screen, remaining invisible to the user while it gathers sensitive data from the target’s browser.
Recent Developments
Recently, new iterations of EDDIESTEALER have surfaced with additional functionalities, such as the ability to harvest more detailed system information, including CPU details and GPU specifications. These enhanced features allow the malware to transmit host data to the C2 server proactively before executing specific commands.
Notably, the communication between the malware and the server is fortified by a hardcoded encryption key, mitigating risks associated with potential server-side exposure.
Broader Impact
The emergence of EDDIESTEALER coincides with a wave of new stealer malware families, including Katz Stealer and the AppleProcessHub Stealer. While EDDIESTEALER focuses on Windows systems, the AppleProcessHub Stealer is designed specifically for macOS environments, capable of harvesting a variety of user data like GitHub configurations and iCloud Keychain entries.
Recent reports highlight the attackers’ use of obfuscated JavaScript files that can trigger PowerShell scripts for malware installation. For macOS users, the campaign incorporates additional steps where the Terminal is initiated to execute shell scripts that ultimately lead to data theft.
These developments emphasize a growing sophistication in malware distribution techniques, underscoring the need for users and organizations to maintain robust cybersecurity practices to safeguard sensitive information.
As this narrative unfolds, it’s clear that staying informed about evolving threats like EDDIESTEALER is crucial for effective defense against increasingly sophisticated cyber threats. By understanding how these attacks are executed, users can better protect themselves against potential breaches.