EtherRAT - New Malware Bypasses Security Using Ethereum
Basically, a new malware hides its control system in Ethereum contracts to steal information.
A new malware called EtherRAT is using Ethereum smart contracts to hide its control system. This clever tactic allows it to steal sensitive information from organizations, especially in retail. Companies need to be proactive to defend against such advanced threats.
What Happened
A recent malware campaign known as EtherRAT has emerged, utilizing Ethereum smart contracts to conceal its command-and-control (C2) infrastructure. This discovery was made during an incident response investigation in the retail sector, as reported by eSentire. The attackers gained initial access through methods such as ClickFix attacks and IT support scams, ultimately deploying a Node.js-based backdoor. This malware allows them to execute commands remotely, collect extensive system data, and steal sensitive information like cryptocurrency wallets and cloud credentials.
The most notable tactic used by the EtherRAT malware is called EtherHiding. This technique enables attackers to store C2 addresses within Ethereum smart contracts, allowing for easy updates and evasion of traditional takedown efforts. By rotating their infrastructure cheaply, attackers can maintain control over infected systems with minimal risk.
Who's Being Targeted
The EtherRAT campaign primarily targets organizations within the retail sector, but the potential for broader impact exists. Attackers employ various methods to gain initial access, including ClickFix attacks and IT support scams conducted over platforms like Microsoft Teams. Once inside, they use indirect command execution to launch malicious scripts, bypassing security measures and establishing a foothold within the network.
The malware's infection chain is complex, involving multiple stages with encrypted payloads and obfuscated scripts. After deployment, EtherRAT retrieves its C2 addresses from Ethereum smart contracts via public RPC providers, allowing it to blend in with normal network traffic and evade detection.
Signs of Infection
Once installed, EtherRAT collects detailed system information to profile its targets. This includes:
- Public IP address
- CPU and GPU specifications
- Operating system and hardware identifiers
- Antivirus software details
- Domain and administrator status
Additionally, the malware checks for specific system language settings, deleting itself if it detects certain languages associated with the Commonwealth of Independent States (CIS). This self-preservation tactic indicates a strategic approach by the attackers to avoid detection and maintain operational security.
How to Protect Yourself
Organizations are encouraged to take proactive measures against the EtherRAT malware and similar threats. Key recommendations include:
- Disabling certain Windows utilities that could be exploited by attackers.
- Training employees to recognize and report IT support scams.
- Considering blocking access to cryptocurrency RPC providers often used by attackers.
By implementing these strategies, organizations can reduce their risk of falling victim to this innovative malware campaign and protect sensitive information from theft.