EtherRAT - New Malware Bypasses Security Using Ethereum

A new malware called EtherRAT is using Ethereum smart contracts to hide its control system. This clever tactic allows it to steal sensitive information from organizations, especially in retail. Companies need to be proactive to defend against such advanced threats.

Category: Malware & Ransomware | Severity: HIGH | 2 sources

Original Reporting: Infosecurity Magazine

AI Summary: CyberPings AI · Reviewed by Rohit Rana

Basically, a new malware hides its control system in Ethereum contracts to steal information.

What Happened

A recent malware campaign known as EtherRAT has emerged, utilizing Ethereum smart contracts to conceal its command-and-control (C2) infrastructure. This discovery was made during an incident response investigation in the retail sector, as reported by eSentire. The attackers gained initial access through methods such as ClickFix attacks and IT support scams, ultimately deploying a Node.js-based backdoor. This malware allows them to execute commands remotely, collect extensive system data, and steal sensitive information like cryptocurrency wallets and cloud credentials.

The most notable tactic used by the EtherRAT malware is called EtherHiding. This technique enables attackers to store C2 addresses within Ethereum smart contracts, allowing for easy updates and evasion of traditional takedown efforts. By rotating their infrastructure cheaply, attackers can maintain control over infected systems with minimal risk.

Who's Being Targeted

The EtherRAT campaign primarily targets organizations within the retail sector, but the potential for broader impact exists. Attackers employ various methods to gain initial access, including ClickFix attacks and IT support scams conducted over platforms like Microsoft Teams. Once inside, they use indirect command execution to launch malicious scripts, bypassing security measures and establishing a foothold within the network. The malware's infection chain is complex, involving multiple stages with encrypted payloads and obfuscated scripts. After deployment, EtherRAT retrieves its C2 addresses from Ethereum smart contracts via public RPC providers, allowing it to blend in with normal network traffic and evade detection.
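As an added illustration of how a defender might surface the behaviour described above, the Python below scans constructed outbound proxy records for Ethereum JSON-RPC `eth_call` requests issued by non-browser clients. This is example code written for this page, not code from eSentire, Infosecurity Magazine or the malware itself. It assumes that reading C2 addresses out of a smart contract goes through the standard `eth_call` JSON-RPC method (a general Ethereum fact, not a detail the report states about EtherRAT) and that the proxy records the request body; the hostnames, IP addresses, user agents and log format are all constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional


def _rec(ts: str, src: str, host: str, ua: str, body_obj: dict) -> str:
    """Build one constructed proxy log record (JSON line) for the sample below."""
    return json.dumps({"ts": ts, "src": src, "host": host, "method": "POST",
                       "ua": ua, "body": json.dumps(body_obj)})


# Constructed sample log. Hostnames, addresses and user agents are invented;
# they are not indicators from the EtherRAT reporting.
ZERO_ADDR = "0x" + "00" * 20
ETH_CALL = {"jsonrpc": "2.0", "method": "eth_call",
            "params": [{"to": ZERO_ADDR, "data": "0x"}, "latest"], "id": 1}
SAMPLE_PROXY_LOG = "\n".join([
    # Node.js client reading contract state: the pattern worth triaging
    _rec("2024-05-01T10:00:01Z", "10.0.1.15", "rpc.example-provider.test", "node", ETH_CALL),
    # Browser (e.g. wallet extension) doing the same read: treated as expected traffic here
    _rec("2024-05-01T10:00:05Z", "10.0.1.22", "rpc.example-provider.test",
         "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0", ETH_CALL),
    # Same Node.js host, but a non-JSON-RPC POST elsewhere: ignored
    _rec("2024-05-01T10:00:09Z", "10.0.1.15", "updates.example-vendor.test", "node", {"status": "ok"}),
    # Scripted client reading contract state: also worth triaging
    _rec("2024-05-01T10:00:12Z", "10.0.1.31", "rpc.example-provider.test", "python-requests/2.31", ETH_CALL),
    # Non-browser client, but not a contract read: ignored
    _rec("2024-05-01T10:00:20Z", "10.0.1.40", "rpc.example-provider.test", "node",
         {"jsonrpc": "2.0", "method": "eth_blockNumber", "params": [], "id": 7}),
])

BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edg/")


@dataclass(frozen=True)
class Finding:
    src: str
    host: str
    ua: str
    reason: str


def is_browser_ua(ua: str) -> bool:
    """Crude heuristic: browser-looking user agents are assumed to be wallet/dapp traffic."""
    return any(marker in ua for marker in BROWSER_UA_MARKERS)


def extract_jsonrpc_method(body: str) -> Optional[str]:
    """Return the JSON-RPC 2.0 method name from a request body, or None if it is not JSON-RPC."""
    try:
        obj = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None
    if isinstance(obj, dict) and obj.get("jsonrpc") == "2.0":
        method = obj.get("method")
        return method if isinstance(method, str) else None
    return None


def detect_contract_reads(lines: Iterable[str]) -> List[Finding]:
    """Flag POSTs whose body is an eth_call (smart-contract state read) from a non-browser client."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record; skip rather than abort the whole scan
        if rec.get("method") != "POST":
            continue
        if extract_jsonrpc_method(rec.get("body", "")) != "eth_call":
            continue
        ua = rec.get("ua", "")
        if is_browser_ua(ua):
            continue
        findings.append(Finding(src=rec["src"], host=rec["host"], ua=ua,
                                reason="non-browser client issuing eth_call (contract state read)"))
    return findings


def hosts_to_triage(findings: Iterable[Finding]) -> List[str]:
    """Distinct internal source addresses to investigate, sorted for stable output."""
    return sorted({f.src for f in findings})


if __name__ == "__main__":
    for f in detect_contract_reads(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{f.src} -> {f.host} [{f.ua}]: {f.reason}")
```

The browser user-agent skip is a deliberate false-positive control: wallet extensions and dapps legitimately issue `eth_call` from a browser, whereas a Node.js or scripted client reading contract state from an endpoint with no development or crypto role is the anomaly the page describes. In a real deployment, baseline which hosts are expected to talk to RPC providers before alerting on the rest.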

Signs of Infection

Once installed, EtherRAT collects detailed system information to profile its targets. This includes:

  • Public IP address
  • CPU and GPU specifications
  • Operating system and hardware identifiers
  • Antivirus software details
  • Domain and administrator status

Additionally, the malware checks for specific system language settings, deleting itself if it detects certain languages associated with the Commonwealth of Independent States (CIS). This self-preservation tactic indicates a strategic approach by the attackers to avoid detection and maintain operational security.

How to Protect Yourself

Organizations are encouraged to take proactive measures against the EtherRAT malware and similar threats. Key recommendations include:

  • 1. Disabling certain Windows utilities that could be exploited by attackers.
  • 2. Training employees to recognize and report IT support scams.

By implementing these strategies, organizations can reduce their risk of falling victim to this innovative malware campaign and protect sensitive information from theft.

Pro Insight

The use of Ethereum smart contracts for C2 infrastructure represents a significant evolution in malware tactics, complicating detection and response efforts.
