Malware & Ransomware · HIGH

EtherRAT - Hackers Hide Malware Infrastructure on Ethereum

Cyber Security News
EtherRAT · North Korean APT · EtherHiding · Malware-as-a-Service · ClickFix

Basically, hackers are using a sneaky tool whose command servers are hidden inside the Ethereum blockchain, so their malware can always find them.

Quick Summary

Hackers are leveraging EtherRAT, a backdoor that hides its command-and-control infrastructure within the Ethereum blockchain. This sophisticated tool targets various sectors, and its blockchain-hosted infrastructure makes takedown and detection challenging. Organizations must act quickly to mitigate risks and protect their assets.

What Happened

A new sophisticated backdoor, known as EtherRAT, is actively targeting organizations across various sectors. This malware cleverly hides its command infrastructure within the Ethereum blockchain, making it exceptionally difficult to track and shut down. Running on Node.js, EtherRAT grants attackers full remote control over compromised machines. This allows them to execute commands, steal cryptocurrency, and siphon cloud credentials with minimal risk of detection.

The malware has been linked to a North Korean APT group, showcasing significant overlaps with a known campaign pattern called "Contagious Interview." In this pattern, threat actors impersonate recruiters and tech support staff to deliver malware, further complicating detection efforts.

Who's Being Targeted

EtherRAT has been identified in various sectors, including retail, finance, software, and business services. The same Ethereum smart contract address has appeared across multiple cases, indicating a well-organized, multi-industry campaign rather than isolated incidents. This widespread targeting raises concerns about the potential impact on numerous organizations, especially those in high-risk sectors.

The initial access methods used by attackers vary. In one observed incident, they utilized a technique called ClickFix, which executes commands indirectly through a Windows component. In other cases, attackers posed as IT support staff via Microsoft Teams to gain unauthorized access, showcasing their ability to deceive even well-trained personnel.

Tactics & Techniques

EtherRAT employs a technique known as EtherHiding to maintain resilient command-and-control (C2) communication. Upon launching, the malware queries several public Ethereum RPC providers for the same smart contract and takes the result the majority of them agree on as its active C2 address. Because that address lives on the blockchain rather than in the malware, attackers can redirect every infected machine to new servers simply by updating the smart contract, without redeploying the malware.

To avoid detection, EtherRAT disguises its outbound traffic as ordinary content delivery network (CDN) requests: the URLs it generates look like standard static-file requests, so they are less likely to be flagged. Additionally, the malware sends its own source code to the C2 server, which returns a freshly obfuscated version, keeping each sample ahead of signature-based defenses.
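The EtherHiding resolution described above leaves a recognisable host-side footprint: a single non-browser process resolving several unrelated public Ethereum RPC providers within seconds of starting. The following PowerShell is an added detection example, not code from the article or from TRU. It runs over records shaped like Sysmon Event ID 22 (DNS query) events; the events, the provider-domain list and the list of "expected" browser images are assumptions constructed for the example, since the article names none of them.

```powershell
# Added detection example, not code from the article or from TRU.
# Input is shaped like Sysmon Event ID 22 (DNS query) records, but the events
# below are constructed sample data. The logic flags a process that resolves
# several different public Ethereum JSON-RPC providers within a short window,
# which is the footprint EtherHiding-style C2 resolution leaves on a host.

# ASSUMPTION: an illustrative list of public Ethereum RPC provider domains that
# the defender maintains. The article names none of them.
$EthRpcSuffixes = @('infura.io', 'alchemy.com', 'cloudflare-eth.com',
                    'publicnode.com', 'ankr.com', 'llamarpc.com', 'drpc.org')

# ASSUMPTION: images for which Ethereum RPC traffic is expected (browsers with
# wallet extensions). Tune this to your estate.
$ExpectedImages = @('chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe')

function Test-EthRpcHost {
    param([string]$QueryName)
    foreach ($suffix in $EthRpcSuffixes) {
        if ($QueryName -eq $suffix -or $QueryName.EndsWith(".$suffix")) { return $true }
    }
    return $false
}

function Find-EtherHidingCandidates {
    param(
        [Parameter(Mandatory)] [object[]]$DnsEvents,   # UtcTime, Image, QueryName
        [int]$WindowSeconds = 60,
        [int]$MinDistinctHosts = 2
    )
    # Keep only lookups of RPC providers from processes we do not expect to make them.
    $hits = @($DnsEvents |
        Where-Object { Test-EthRpcHost $_.QueryName } |
        Where-Object { (Split-Path $_.Image -Leaf) -notin $ExpectedImages })

    $findings = @()
    foreach ($group in @($hits | Group-Object Image)) {
        $events = @($group.Group | Sort-Object { [datetime]$_.UtcTime })
        # Slide a window over the process's RPC lookups; one finding per process.
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start = [datetime]$events[$i].UtcTime
            $inWindow = @($events | Where-Object {
                $delta = ([datetime]$_.UtcTime - $start).TotalSeconds
                $delta -ge 0 -and $delta -le $WindowSeconds
            })
            $hosts = @($inWindow | ForEach-Object { $_.QueryName } | Sort-Object -Unique)
            if ($hosts.Count -ge $MinDistinctHosts) {
                $findings += [pscustomobject]@{
                    Image     = $group.Name
                    FirstSeen = $start
                    RpcHosts  = ($hosts -join ', ')
                }
                break
            }
        }
    }
    return $findings
}

# Constructed sample events (Sysmon Event ID 22 shape, not real telemetry):
# node.exe fans out to three providers in two seconds, Chrome does the same
# (expected, so ignored), and curl.exe touches a single provider once.
$sample = @(
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:01'; Image = 'C:\Program Files\nodejs\node.exe'; QueryName = 'mainnet.infura.io' }
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:02'; Image = 'C:\Program Files\nodejs\node.exe'; QueryName = 'eth-mainnet.g.alchemy.com' }
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:02'; Image = 'C:\Program Files\nodejs\node.exe'; QueryName = 'cloudflare-eth.com' }
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:05'; Image = 'C:\Program Files\nodejs\node.exe'; QueryName = 'registry.npmjs.org' }
    [pscustomobject]@{ UtcTime = '2024-01-01 10:01:00'; Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; QueryName = 'mainnet.infura.io' }
    [pscustomobject]@{ UtcTime = '2024-01-01 10:01:01'; Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; QueryName = 'eth-mainnet.g.alchemy.com' }
    [pscustomobject]@{ UtcTime = '2024-01-01 10:30:00'; Image = 'C:\Windows\System32\curl.exe'; QueryName = 'ethereum.publicnode.com' }
)

Find-EtherHidingCandidates -DnsEvents $sample | Format-Table -AutoSize
```

This is a triage heuristic, not a signature: it depends on DNS telemetry, so a sample that uses hard-coded IPs or DNS-over-HTTPS would not surface here, and the domain list has to be kept current. Treat a hit as a reason to pull the process tree and egress logs for that host, and pair the rule with the egress restriction on RPC providers that the article's defensive measures call for, which removes the behaviour rather than just observing it.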

Defensive Measures

Organizations must take immediate action to protect themselves from EtherRAT. TRU recommends blocking mshta.exe and pcalua.exe through AppLocker or Windows Defender Application Control (WDAC). Furthermore, restricting outbound access to public cryptocurrency RPC providers prevents EtherHiding-based C2 from being resolved in the first place.
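One way to implement the AppLocker part of that recommendation, as an added example that is not the article's or TRU's own code: the script below builds Deny rules for mshta.exe and pcalua.exe in the Exe rule collection, merges them into the local policy, and then checks the effective policy. The audit-first enforcement mode, the temporary file path and the rule names are this example's own choices.

```powershell
# Added hardening example, not code from the article or from TRU. It builds
# AppLocker deny rules for mshta.exe and pcalua.exe, the two binaries the article
# recommends blocking, and merges them into the local policy.
# Prerequisites: an elevated session; the Application Identity service (AppIDSvc)
# running; an existing Exe rule collection containing the default Allow rules,
# because once the Exe collection is enforced anything without an Allow rule is
# blocked.
#Requires -RunAsAdministrator

# ASSUMPTION: roll out in audit mode first and switch to 'Enabled' only after
# confirming nothing legitimate depends on these binaries.
$EnforcementMode = 'AuditOnly'

# AppLocker path variables; the SysWOW64 entry covers the 32-bit mshta.exe.
$DenyTargets = @(
    @{ Name = 'Deny mshta.exe (64-bit)'; Path = '%SYSTEM32%\mshta.exe' }
    @{ Name = 'Deny mshta.exe (32-bit)'; Path = '%WINDIR%\SysWOW64\mshta.exe' }
    @{ Name = 'Deny pcalua.exe';         Path = '%SYSTEM32%\pcalua.exe' }
)

function New-DenyRuleXml {
    param([string]$Name, [string]$Path)
    $id = [guid]::NewGuid().ToString()
    # S-1-1-0 is the Everyone SID. A Deny rule always wins over an Allow rule.
    $lines = @(
        ('    <FilePathRule Id="{0}" Name="{1}" Description="EtherRAT/ClickFix hardening" UserOrGroupSid="S-1-1-0" Action="Deny">' -f $id, $Name)
        '      <Conditions>'
        ('        <FilePathCondition Path="{0}" />' -f $Path)
        '      </Conditions>'
        '    </FilePathRule>'
    )
    return ($lines -join "`n")
}

$rules = ($DenyTargets | ForEach-Object { New-DenyRuleXml -Name $_.Name -Path $_.Path }) -join "`n"

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$EnforcementMode">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'lolbin-deny.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# -Merge adds these rules to the existing local policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Verify against the effective policy: both binaries should report Denied.
$effective = Get-AppLockerPolicy -Effective
Get-ChildItem "$env:SystemRoot\System32\mshta.exe", "$env:SystemRoot\System32\pcalua.exe" |
    Test-AppLockerPolicy -PolicyObject $effective -User Everyone
```

While the collection is in AuditOnly mode, executions that the rules would have stopped are logged as event ID 8003 in the AppLocker "EXE and DLL" channel, and once enforced they appear as 8004; those events are a useful detection in their own right for ClickFix attempts. In a domain, deliver the same XML through Group Policy rather than the local policy, and if the estate already uses WDAC, express the same two blocks there instead, as the article's recommendation allows.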

Employees should also receive training focused on IT support scams and ClickFix scenarios to enhance awareness. Implementing a Next-Gen Antivirus (NGAV) or Endpoint Detection and Response (EDR) solution is essential for quick detection and containment of infections. By staying vigilant and proactive, organizations can better defend against this evolving threat.

🔒 Pro insight: The use of Ethereum for C2 infrastructure represents a significant evolution in malware tactics, complicating traditional detection methods.

Original article from Cyber Security News · Tushar Subhra Dutta
