Malware & Ransomware | Severity: HIGH

EtherRAT - New Malware Bypasses Security Using Ethereum

Source: Infosecurity Magazine
Tags: EtherRAT, Ethereum, malware, C2 infrastructure, Node.js

In short: a new Node.js backdoor, EtherRAT, fetches its command-and-control addresses from Ethereum smart contracts and is used to steal data from the organizations it infects.

Quick Summary

A new malware called EtherRAT uses Ethereum smart contracts to hide the addresses of its command-and-control (C2) servers. Hiding the C2 on a public blockchain makes the backdoor hard to cut off, while the backdoor itself collects system data and steals sensitive information from compromised organizations, so far mostly in retail. Companies need to act proactively to defend against this kind of threat.

What Happened

A recent malware campaign known as EtherRAT has emerged that uses Ethereum smart contracts to conceal its command-and-control (C2) infrastructure. eSentire reported the discovery, which was made during an incident response investigation in the retail sector. The attackers gained initial access through ClickFix attacks and IT support scams, then deployed a Node.js-based backdoor. The backdoor lets them execute commands remotely, collect extensive system data, and steal sensitive information such as cryptocurrency wallets and cloud credentials.

The most notable tactic used by EtherRAT is known as EtherHiding. Instead of hard-coding a C2 address, the attackers store the current C2 address in the state of an Ethereum smart contract, and the implant reads it back from the chain. Changing the C2 is a single cheap transaction that updates the contract, and because the contract lives on a public ledger there is no hosting provider or registrar that can take it down. That lets the attackers rotate infrastructure cheaply and keep control of infected systems with little risk of losing them.

Who's Being Targeted

The EtherRAT campaign primarily targets organizations in the retail sector, but nothing about the tooling limits it to retail. Attackers use several methods to gain initial access, including ClickFix attacks and IT support scams conducted over platforms such as Microsoft Teams. Once inside, they use indirect command execution (launching their scripts through other trusted Windows programs rather than the script host directly) to sidestep controls keyed on the obvious launcher and establish a foothold in the network.

The infection chain has multiple stages, with encrypted payloads and obfuscated scripts. Once deployed, EtherRAT retrieves its C2 addresses from Ethereum smart contracts through public RPC providers. Those lookups are ordinary HTTPS requests to legitimate, widely used endpoints, so they blend in with normal network traffic and are easy to miss.
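The EtherHiding lookup described above is a read-only contract call over Ethereum JSON-RPC, and the C2 address comes back as an ABI-encoded string. The following is an added example, written for this page rather than taken from eSentire's report or the Infosecurity Magazine article. It shows what such a lookup looks like on the wire and how a detection can key on the request content (an `eth_call` whose decoded return value looks like a URL) instead of on a list of RPC hostnames, which also serves as a content-based alternative to the blanket RPC blocking recommended later on the page. The contract address, function selector, RPC hostname, process names, log format and C2 URL are all constructed placeholders, not indicators from the campaign.

```python
"""Spotting EtherHiding-style C2 lookups in egress logs (added example)."""
import json
import re

# A `string` returned from eth_call is ABI-encoded as:
#   32-byte offset | 32-byte byte-length | UTF-8 bytes right-padded to 32 bytes
def decode_abi_string(result_hex: str) -> str:
    raw = bytes.fromhex(result_hex.removeprefix("0x"))
    if len(raw) < 64:
        raise ValueError("too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    if len(data) != length:
        raise ValueError("declared length exceeds payload")
    return data.decode("utf-8")

def encode_abi_string(s: str) -> str:
    """Inverse of decode_abi_string; used only to build the sample response
    the way a contract getter would return it."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(data).to_bytes(32, "big").hex() + padded.hex())

# Return values that look like somewhere to connect to: a URL, or host:port.
URL_LIKE = re.compile(r"^(https?|wss?)://|^[\w.-]+:\d{2,5}$")

def inspect_rpc_log(lines):
    """Return one finding per eth_call seen in proxy events. Each event is a
    JSON line with src_host, process, dst_host, request_body, response_body
    (a constructed schema; adapt the field names to your proxy)."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        try:
            req = json.loads(ev["request_body"])
            resp = json.loads(ev["response_body"])
        except (KeyError, ValueError):
            continue                      # not JSON-RPC traffic at all
        if req.get("jsonrpc") != "2.0" or req.get("method") != "eth_call":
            continue                      # contract reads go through eth_call
        params = req.get("params") or [{}]
        call = params[0] if isinstance(params[0], dict) else {}
        finding = {
            "host": ev["src_host"],
            "process": ev.get("process"),
            "rpc_endpoint": ev["dst_host"],
            "contract": call.get("to"),
            "selector": (call.get("data") or "")[:10],   # 4-byte function id
            "decoded": None,
            "severity": "medium",         # any contract read from a workstation
        }
        try:
            decoded = decode_abi_string(resp.get("result", ""))
        except (ValueError, UnicodeDecodeError):
            decoded = None                # a number, bool, etc.: not a string
        if decoded and URL_LIKE.search(decoded):
            finding["decoded"] = decoded
            finding["severity"] = "high"  # the contract handed back a C2 address
        findings.append(finding)
    return findings

# --- constructed sample traffic (placeholders, not real indicators) ---------
C2_PLACEHOLDER = "https://c2.invalid:8443/gate"

def _event(src, proc, dst, req, resp):
    return json.dumps({"src_host": src, "process": proc, "dst_host": dst,
                       "request_body": json.dumps(req) if req is not None else "",
                       "response_body": json.dumps(resp) if resp is not None else ""})

SAMPLE_LOG = [
    _event("ws-101", "chrome.exe", "www.example.com", None, None),
    _event("ws-101", "node.exe", "rpc.example-provider.net",
           {"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber", "params": []},
           {"jsonrpc": "2.0", "id": 1, "result": "0x1a2b3c"}),
    _event("ws-102", "node.exe", "rpc.example-provider.net",
           {"jsonrpc": "2.0", "id": 2, "method": "eth_call",
            "params": [{"to": "0x" + "11" * 20, "data": "0xdeadbeef"}, "latest"]},
           {"jsonrpc": "2.0", "id": 2, "result": encode_abi_string(C2_PLACEHOLDER)}),
    _event("ws-103", "node.exe", "rpc.example-provider.net",
           {"jsonrpc": "2.0", "id": 3, "method": "eth_call",
            "params": [{"to": "0x" + "22" * 20, "data": "0x70a08231"}, "latest"]},
           {"jsonrpc": "2.0", "id": 3, "result": "0x" + "00" * 31 + "05"}),
]

if __name__ == "__main__":
    for f in inspect_rpc_log(SAMPLE_LOG):
        print(f)
```

The detection works on the request body, so it still fires when the operators switch to a different public RPC provider, and the decoded return value gives the responder the live C2 address and the contract to watch for future rotations. The `eth_call` filter is a design choice: it is the standard way to read a contract's state, but an implant could also use other read methods, so a production rule should log every Ethereum JSON-RPC request from hosts with no business reason to make them, not only `eth_call`.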

Signs of Infection

Once installed, EtherRAT collects detailed system information to profile its targets. This includes:

  • Public IP address
  • CPU and GPU specifications
  • Operating system and hardware identifiers
  • Antivirus software details
  • Domain and administrator status

The malware also checks the system language and deletes itself if it finds a language associated with the Commonwealth of Independent States (CIS). This kill switch is a common way for operators based in that region to avoid infecting victims at home, and it is a sign of an attacker paying attention to operational security.

How to Protect Yourself

Organizations are encouraged to take proactive measures against the EtherRAT malware and similar threats. Key recommendations include:

  • Disabling or restricting the built-in Windows utilities that attackers abuse for indirect command execution, where they are not needed for legitimate work.
  • Training employees to recognize and report IT support scams, including unsolicited "help desk" contact over Teams.
  • Considering blocking egress to public cryptocurrency RPC providers, but only after confirming no business process depends on them, since the same endpoints serve legitimate Web3 tooling.

By implementing these strategies, organizations can reduce their risk of falling victim to this innovative malware campaign and protect sensitive information from theft.

🔒 Pro insight: Putting C2 addresses on a public blockchain moves the one piece of attacker infrastructure that defenders usually sinkhole or take down onto a ledger nobody can edit or remove. Response therefore has to focus on the endpoint and on the implant's egress to RPC providers rather than on the C2 hosts themselves.

Original article: Infosecurity Magazine
