EDDIESTEALER Malware

EDDIESTEALER is a newly identified, Rust-based information stealer that poses a significant threat to Windows users. Disguised as legitimate software, it infiltrates systems through deceptive CAPTCHA prompts and malicious downloads. Once embedded, it exfiltrates sensitive data, including credentials, browser information, and cryptocurrency wallet details, while maintaining a stealthy presence to avoid detection.

Threat Overview

EDDIESTEALER operates as a Trojan Horse, employing advanced techniques to compromise systems and harvest data. Its use of the Rust programming language enhances its stealth and complicates analysis, making it a formidable adversary in the cybersecurity landscape.

EDDIESTEALER Threat Summary

Attribute	Details
Threat Type	Trojan Horse / InfoStealer
Detection Names	Microsoft: Trojan:Win64/EddieStealer.CE!MTB; Kaspersky: Backdoor.Win32.PMax.awlq; DrWeb: Trojan.Siggen31.31200; Avast: Win64:MalwareX-gen [Misc]
Symptoms	System slowdowns, high CPU usage, unexpected freezes, unauthorized data access, and potential identity theft
Damage	Theft of personal data, financial loss, unauthorized access to accounts, and potential inclusion in botnets
Distribution Methods	Fake CAPTCHA prompts (ClickFix technique), malicious email attachments, bundled with pirated software, and drive-by downloads
Danger Level	High
Removal Tool	SpyHunter

In-Depth Analysis of EDDIESTEALER

Infection Vector: The ClickFix Technique

EDDIESTEALER leverages a deceptive method known as the ClickFix technique. Users encounter fake CAPTCHA prompts on compromised websites, instructing them to paste and execute a PowerShell command from their clipboard. This action initiates the download of a secondary payload, gverify.js, which subsequently fetches the main EDDIESTEALER executable from attacker-controlled servers.

Operational Mechanics

Once executed, EDDIESTEALER establishes communication with a command-and-control (C2) server, receiving encrypted instructions detailing specific data to target. Its capabilities include:

• Data Exfiltration: Harvesting credentials, browser data, cryptocurrency wallet information, and details from password managers and messaging applications.
• Stealth Techniques: Employing string obfuscation, custom API resolution, and mutex creation to avoid detection and ensure a single instance runs at a time.
• Sandbox Evasion: Detecting virtual environments and self-deleting if certain conditions are met, such as insufficient system memory.
• Persistence: Utilizing NTFS Alternate Data Streams to rename and hide its presence, complicating removal efforts.

Exploitation of Browser Vulnerabilities

EDDIESTEALER incorporates a Rust implementation of ChromeKatz to bypass Chromium’s app-bound encryption, allowing it to access unencrypted sensitive data like cookies and credentials. It can also launch hidden browser instances to extract information without user awareness.

Manual Removal of Info-Stealers (For advanced users)

Step 1: Enter Safe Mode with Networking

Since info-stealers may resist removal while active, booting into Safe Mode helps disable their execution.

1. Windows 10/11:
   • Press Win + R, type msconfig, and hit Enter.
   • Go to the Boot tab and check Safe boot → Network.
   • Click Apply → OK and restart your PC.
2. Windows 7/8:
   • Restart your PC and keep pressing F8 before Windows loads.
   • Select Safe Mode with Networking and press Enter.

---

Step 2: End Malicious Processes in Task Manager

1. Press Ctrl + Shift + Esc to open Task Manager.
2. Look for suspicious processes (e.g., randomized names, high CPU usage, or unknown apps).
3. Right-click on them and select End Task.

Common info-stealer process names include StealC.exe, RedLine.exe, Vidar.exe, or generic system-like names.

---

Step 3: Uninstall Suspicious Programs

1. Press Win + R, type appwiz.cpl, and hit Enter.
2. Look for unknown or recently installed suspicious software.
3. Right-click the suspect entry and select Uninstall.

---

Step 4: Delete Malicious Files and Registry Entries

Info-stealers leave behind hidden files and registry keys to ensure persistence.

1. Open File Explorer and navigate to:
   • C:\Users\YourUser\AppData\Local
   • C:\Users\YourUser\AppData\Roaming
   • C:\ProgramData
   • C:\Windows\Temp
   Delete any unfamiliar folders with random names.
2. Open Registry Editor:
   • Press Win + R, type regedit, and press Enter.
   • Navigate to:
     • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
     • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
     • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
     • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
   • Look for randomized or suspicious registry keys (e.g., StealerLoader, Malware123).
   • Right-click and delete any malicious entries.

---

Step 5: Clear Browser Data and Reset DNS

Since info-stealers target browsers, you need to clear stored credentials.

Clear Browsing Data

1. Open Chrome, Edge, or Firefox.
2. Go to Settings → Privacy and Security → Clear Browsing Data.
3. Select Passwords, Cookies, and Cached files and click Clear Data.

Reset DNS

1. Open Command Prompt as Administrator.
2. Type the following commands, pressing Enter after each:bashCopyEditipconfig /flushdns ipconfig /release ipconfig /renew
3. Restart your computer.

---

Step 6: Scan for Rootkits

Even after manual removal, some info-stealers may hide as rootkits.

1. Download Malwarebytes Anti-Rootkit or Microsoft Safety Scanner.
2. Run a deep scan and remove any detected threats.

---

Step 7: Change All Passwords & Enable MFA

Since info-stealers extract credentials, immediately update passwords for:

• Email accounts
• Banking and finance sites
• Social media
• Cryptocurrency wallets
• Business and work logins

Enable two-factor authentication (2FA) to prevent unauthorized access.

---

Method 2: Automatic Removal Using SpyHunter (Recommended)

(For users who want a fast, hassle-free solution)

SpyHunter is a professional anti-malware tool capable of detecting and removing info-stealers, trojans, keyloggers, and spyware.

Step 1: Download SpyHunter

Click here to download SpyHunter

Step 2: Install and Launch SpyHunter

1. Locate the SpyHunter-Installer.exe file in your Downloads folder.
2. Double-click to start the installation.
3. Follow the on-screen instructions and launch SpyHunter after installation.

Step 3: Perform a Full System Scan

1. Click “Start Scan” to analyze your system.
2. SpyHunter will detect any info-stealers, trojans, or keyloggers.
3. Click “Remove” to delete all detected threats.

Step 4: Enable Real-Time Protection

• Go to Settings and enable Real-Time Malware Protection to prevent future infections.

---

Prevention Tips: How to Stay Safe from Info-Stealers

• Avoid Cracked Software & Torrents – They are a major infection source.
• Use Strong, Unique Passwords – Utilize a password manager.
• Enable Two-Factor Authentication (2FA) – Reduces the risk of stolen credentials being misused.
• Keep Software & OS Updated – Patches fix security vulnerabilities.
• Be Wary of Phishing Emails – Do not open attachments from unknown senders.
• Use an Antivirus or Anti-Malware Tool – A good tool like SpyHunter helps detect and remove threats.

Conclusion

EDDIESTEALER represents a significant advancement in malware development, combining sophisticated social engineering with technical prowess to infiltrate systems and exfiltrate sensitive data. Its use of the Rust programming language and advanced evasion techniques make it a challenging threat to detect and remove. Users must exercise caution when encountering CAPTCHA prompts and ensure their systems are protected with up-to-date security solutions.