EDDIESTEALER Malware Circumvents Chrome’s App-Bound Encryption, Compromising Browser Data Security


A new malware campaign is distributing an advanced Rust-based information stealer, EDDIESTEALER, utilizing the widely recognized ClickFix social engineering strategy, initiated through deceptive CAPTCHA verification pages.

This campaign effectively employs fraudulent CAPTCHA verification pages that manipulate users into executing a harmful PowerShell script. This script subsequently deploys the information stealer, which collects sensitive information including credentials, browser data, and cryptocurrency wallet details.

The attack begins when threat actors compromise legitimate websites, injecting malicious JavaScript payloads that present fake CAPTCHA verification prompts. This tactic, known as ClickFix, urges potential victims to “prove you are not a robot” by adhering to a three-step process.

Victims are directed to open the Windows Run dialog, paste a command that the page has already placed on the clipboard into the “verification window,” and press Enter. As a result, an obfuscated PowerShell command is executed, retrieving a secondary payload from an external server.

The JavaScript file, identified as gverify.js, is saved to the victim’s Downloads folder and executed using cscript within a concealed window. The primary function of this intermediate script is to download the EDDIESTEALER binary from the same remote server, assigning it a pseudorandom 12-character file name.

EDDIESTEALER is a commodity stealer malware designed to compile system metadata, receive commands from a command-and-control (C2) server, and extract significant data from the infected system. The exfiltration targets are configurable and include cryptocurrency wallets, web browsers, password managers, FTP clients, and messaging applications.

The malware reads the designated files using standard Windows API functions exported by kernel32, such as CreateFileW, GetFileSizeEx, ReadFile, and CloseHandle.

Collected host information is encrypted and forwarded to the C2 server in independent HTTP POST requests upon completing each task.

The malware incorporates string encryption, resolves Windows API calls through a custom lookup routine rather than a conventional import table, and creates a mutex to guarantee that only a single instance runs at a time. Additionally, it implements checks to determine whether it is running in a sandboxed environment and deletes itself if so.

EDDIESTEALER employs a self-deletion technique utilizing NTFS Alternate Data Streams renaming, allowing evasion of file locks.

A notable aspect of EDDIESTEALER is its ability to bypass Chromium’s app-bound encryption to access unencrypted sensitive data, including cookies. This is achieved via a Rust adaptation of an open-source tool that extracts cookies and credentials directly from the memory of Chromium-based browsers.

In instances where the targeted Chromium browser is not running, the malware attempts to spawn a new browser instance positioned off-screen so that it remains unnoticed by the user. The strategy is aimed at enabling the extraction of credentials from the network service child process of Chrome.

Recent observations indicate that updated iterations of the malware have been enhanced to harvest additional system metadata, including running processes, GPU details, CPU core counts, CPU names, and vendor information. These enhancements have modified the C2 communication approach, allowing for the preemptive transmission of host information before task configuration is received.

The encryption key utilized in client-to-server communications is hard-coded within the binary rather than dynamically retrieved from the server. Furthermore, the malware has been detected initiating a new Chrome process with remote debugging parameters, facilitating DevTools interaction without user engagement.
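As an added example that is not part of the original article, the following Python routine checks process-creation events for three observable stages of the chain described above: the Run-dialog PowerShell launch (Win+R commands are spawned by explorer.exe, an assumption about the telemetry), the script host executing a .js from a Downloads folder (the gverify.js stage), and a Chromium browser started by a non-browser parent with remote-debugging or off-screen window arguments (the exact flag names are assumptions; the article does not name them). The event tuple format and all sample events are constructed.

```python
import re
from typing import Callable, Iterable, List, Tuple

# Constructed sample process-creation events (parent image, image, command line).
# None of these are real telemetry from the campaign; the 12-character binary
# name and the Temp path are illustrative placeholders.
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe", "powershell.exe -w hidden -enc REDACTED_BASE64"),
    ("powershell.exe", "cscript.exe", r'cscript.exe //B "C:\Users\alice\Downloads\gverify.js"'),
    ("cscript.exe", "Kx3nQ9vLpR2t.exe", r"C:\Users\alice\AppData\Local\Temp\Kx3nQ9vLpR2t.exe"),
    ("Kx3nQ9vLpR2t.exe", "chrome.exe",
     '"chrome.exe" --remote-debugging-port=9222 --window-position=-32000,-32000'),
    ("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
]

Rule = Tuple[str, Callable[[str, str, str], bool]]

RULES: List[Rule] = [
    # Stage 1: hidden or encoded PowerShell whose parent is explorer.exe, which is
    # how a command typed into the Run dialog appears in process telemetry.
    ("clickfix_powershell",
     lambda p, i, c: p == "explorer.exe" and i == "powershell.exe"
     and re.search(r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s", c, re.I) is not None),
    # Stage 2: cscript/wscript running a .js dropped in a user's Downloads folder.
    ("downloads_script_host",
     lambda p, i, c: i in ("cscript.exe", "wscript.exe")
     and re.search(r"\\Downloads\\[^\"\s]+\.js\b", c, re.I) is not None),
    # Stage 3: Chromium launched by something other than the shell or itself, with a
    # DevTools listener or an off-screen window position (flag names assumed).
    ("chromium_debug_launch",
     lambda p, i, c: i in ("chrome.exe", "msedge.exe") and p not in ("explorer.exe", i)
     and re.search(r"--remote-debugging-port=|--window-position=-\d+,-\d+", c, re.I) is not None),
]


def detect(events: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, image) for every event that matches a rule."""
    hits: List[Tuple[str, str]] = []
    for parent, image, cmdline in events:
        p, i = parent.lower(), image.lower()
        for name, matches in RULES:
            if matches(p, i, cmdline):
                hits.append((name, image))
    return hits


def full_chain_seen(hits: List[Tuple[str, str]]) -> bool:
    """True when all three stages were observed, which warrants host isolation."""
    return {name for name, _ in hits} == {name for name, _ in RULES}


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

In a real deployment the three stages should be correlated within a short window on the same host; each rule alone (an encoded PowerShell command, a browser with a debugging port) can also appear in legitimate administration.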

The adoption of Rust in the development of malware signifies a trend among threat actors aiming for enhanced stealth, stability, and resilience against conventional analysis techniques and threat detection systems.

The emergence of new stealer malware families, such as Katz Stealer and AppleProcessHub Stealer, reflects a broader trend of threats targeting various platforms, employing diverse techniques including browser-based redirections and drive-by downloads.

Katz Stealer shares the capability to circumvent Chrome’s app-bound encryption but employs different methodologies to extract and decrypt stored credentials.

AppleProcessHub Stealer targets user files such as bash history and iCloud Keychain information, executing scripts to exfiltrate sensitive data back to the C2 server.

Attack strategies involving this malware utilize obfuscated JavaScript that ultimately leads to the deployment of secondary malicious scripts designed to extract sensitive information, highlighting the evolving sophistication of threats in the cybersecurity landscape.