Cybersecurity researchers have uncovered a sophisticated malware campaign leveraging deceptive CAPTCHA verification pages to distribute a newly discovered Rust-based infostealer dubbed EDDIESTEALER.<\/p>\n
This campaign represents a significant evolution in social engineering<\/a> tactics, where threat actors exploit users\u2019 familiarity with routine security verification processes to trick them into executing malicious code.<\/p>\n The malware employs an intricate multi-stage delivery mechanism that begins with compromised websites displaying convincing fake \u201cI\u2019m not a robot\u201d verification screens, ultimately leading to the deployment of a powerful data-stealing tool capable of harvesting credentials, browser information, and cryptocurrency wallet<\/a> details.<\/p>\n The attack vector demonstrates remarkable sophistication in its execution methodology. Initial access occurs through compromised websites that deploy obfuscated React-based JavaScript payloads, presenting users with what appears to be a legitimate Google reCAPTCHA verification interface.<\/p>\n These fake verification screens instruct users to perform seemingly innocuous actions: pressing Windows Key + R to open the Run dialog, followed by Ctrl + V to paste clipboard contents, and finally Enter to execute the command.<\/p>\n Unbeknownst to the victim, the malicious JavaScript has already copied a PowerShell command to their clipboard using the document.execCommand(\u201ccopy\u201d) method.<\/p>\n Elastic Security Labs analysts identified<\/a> this emerging threat through comprehensive telemetry analysis, discovering that the campaign leverages a sophisticated command structure that silently downloads secondary payloads from attacker-controlled infrastructure.<\/p>\n The PowerShell command automatically retrieves a JavaScript file named \u201cgverify.js\u201d from domains such as hxxps:\/\/1111.fit\/version\/, which subsequently downloads the main EDDIESTEALER executable with a pseudorandomly generated 12-character filename.<\/p>\n This multi-layered approach effectively obscures the true nature of the attack while maintaining the appearance of legitimate system verification processes.<\/p>\n The malware\u2019s impact extends far beyond simple credential theft, targeting a comprehensive range of sensitive data including cryptocurrency wallets, browser stored credentials, password manager databases, FTP client configurations, and messaging applications.<\/p>\n EDDIESTEALER demonstrates particular sophistication in its approach to modern browser security, implementing techniques similar to ChromeKatz to bypass Application-bound encryption protections introduced in recent Chrome versions.<\/p>\n The malware\u2019s ability to adapt to evolving security measures highlights the persistent threat posed by well-resourced cybercriminal organizations.<\/p>\n EDDIESTEALER employs multiple layers of obfuscation and evasion techniques that distinguish it from conventional infostealers.<\/p>\n The malware utilizes extensive string encryption through XOR ciphers, with each decryption routine employing distinct key derivation functions that accept binary addresses and 4-byte constants to calculate XOR key locations.<\/p>\n This approach significantly complicates static analysis efforts, as researchers must reverse-engineer multiple custom decryption algorithms to extract meaningful artifacts.<\/p>\n The malware implements sophisticated API obfuscation<\/a> through a custom Windows API lookup mechanism. Rather than relying on standard import tables, EDDIESTEALER dynamically resolves function addresses by maintaining a local hashtable of previously resolved API calls.<\/p>\n When a new function is required, the malware employs custom LoadLibrary and GetProcAddress implementations to retrieve addresses, subsequently caching them for future use.<\/p>\n This technique effectively evades signature-based detection systems that rely on import table analysis.<\/p>\n EDDIESTEALER incorporates multiple anti-analysis features, including memory-based sandbox detection that evaluates total physical memory to determine if the system meets minimum requirements of approximately 4.0 GB.<\/p>\n Additionally, newer variants suggest server-side profiling capabilities, where the command and control infrastructure can assess client environments and withhold malicious payloads when sandbox or analysis systems are detected.<\/p>\n The malware also implements self-deletion capabilities using NTFS Alternate Data Streams renaming techniques, similar to those observed in LATRODECTUS campaigns<\/a>, enabling the executable to remove itself from disk while bypassing file lock restrictions.<\/p>\n Celebrate 9 years of ANY.RUN!\u00a0Unlock the full power of<\/strong>\u00a0TI Lookup plan (100\/300\/600\/1,000+ search requests),\u00a0and\u00a0your request quota will double<\/a>.<\/strong><\/p>\n The post New Rust-based InfoStealer via Fake CAPTCHA Delivers EDDIESTEALER<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgZmJc_KqkBP-4fCU_-F2kyKxoAinkwFZA95kE-2rYWo1ravDjj5AwmOoaAJYaGVaNcLzw88gYepGna1UrcEUOQ0RqJE1qQly56x1-ektG5wbXNqBhCBCEMFl1fp_awahN0G2-F7sGP9oNMKOphkQgbaTtooiWtFtV63h7aC8BIMwVKSvzdU-5c4NeDiPg\/s16000\/Fake%2520CAPTCHA%2520GUI%2520%28Source%2520-%2520Elastic%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgkV29N3iqSnJsSgz4oP23kvK5XzXP8Gls8C4Gf-EyFfYXk9Qr2Cloeuc7aIaBEQhUeWihnjqIxlxU3hOqLkr5F2LkTLssBu9cEsN08w1IcMz7RXGKuUHJ06QWzQrWOZ-cjn97LJFoc0xaxuAYm5FzRyL_n1WB7NwCXPiNrXScyi5whEb9CP53x7ASwI3Q\/s16000\/EDDIESTEALER%25E2%2580%2599s%2520execution%2520chain%2520%28Source%2520-%2520Elastic%29.webp?ssl=1\")
Advanced Evasion and Persistence Mechanisms<\/strong><\/h2>\n