An advanced form of malware called EtherRAT is targeting organizations across various sectors by embedding its command infrastructure within the Ethereum blockchain. This strategy complicates tracking and dismantling the malware, making it particularly elusive.
Malware’s Capabilities and Origin
Operating on Node.js, EtherRAT allows attackers to remotely control infected systems, facilitating activities such as executing commands, stealing cryptocurrency wallets, and obtaining cloud credentials with minimal detection. Sysdig has linked EtherRAT to a North Korean APT group, citing substantial overlap with an established campaign known as ‘Contagious Interview,’ in which perpetrators pose as recruiters to distribute malware.
Utilizing EtherHiding Technique
EtherRAT employs a method known as EtherHiding to manage its command-and-control (C2) address, embedding it within an Ethereum smart contract. This storage method is resistant to external tampering, allowing attackers to change servers by simply updating the contract with a new address. This feature also lets threat actors redirect previously compromised systems to new C2 infrastructure, maintaining control with minimal costs.
Detection and Techniques Used
eSentire analysts identified EtherRAT in March 2026 after it was found in the environment of a retail industry client. Researchers noted significant code similarities between EtherRAT and the Tsundere botnet, both of which perform OS fingerprinting and self-destruct if the target machine uses a language from the CIS region.
Initial access varies, but two primary methods have been observed. In one case, attackers used a method dubbed ClickFix, which leverages the Windows component pcalua.exe to execute malicious scripts. Another common tactic involves posing as IT support over Microsoft Teams and using Quick Assist to gain unauthorized access. Both approaches rely on deceiving individuals rather than exploiting software vulnerabilities, so they pose a risk even to fully patched systems.
Defensive Measures and Recommendations
The same smart contract address associated with EtherRAT has been found in multiple cases across sectors like retail, finance, and software, indicating a coordinated attack effort. To combat this, security experts suggest disabling mshta.exe and pcalua.exe through AppLocker or WDAC, restricting the Run prompt via Group Policy, and enhancing employee awareness regarding IT support scams and ClickFix scenarios.
Blocking access to cryptocurrency RPC providers can prevent EtherHiding-based C2 communication. Implementing Next-Gen Antivirus (NGAV) or Endpoint Detection and Response (EDR) solutions is crucial for identifying and mitigating infections swiftly.
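As an added illustration of the detection side of these recommendations (this is example code written for this article, not tooling from eSentire or Sysdig), the following Python triage routine scans Windows process-creation events for the patterns described above: mshta.exe or pcalua.exe handed a script or URL, pcalua.exe used as an execution proxy, and a Node.js runtime running from a user-writable path. The Sysmon-style field names and the sample events are constructed assumptions.

```python
"""Triage Windows process-creation events (Sysmon Event ID 1 style) for the
ClickFix / living-off-the-land patterns discussed in the article.
The field names (Image, ParentImage, CommandLine) and all sample data are
constructed for this example."""
import re
from pathlib import PureWindowsPath

# Binaries the article recommends restricting via AppLocker / WDAC.
WATCHED_LOLBINS = {"mshta.exe", "pcalua.exe"}
# Path segments a normal user can write to; a Node.js runtime here is suspicious.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Argument shapes that look like a script or remote content passed to a LOLBin.
SCRIPT_ARG = re.compile(r"(https?://|\.(hta|js|vbs|ps1|cmd|bat)\b|javascript:|vbscript:)", re.I)

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()

def triage(event: dict) -> list[str]:
    """Return the reasons an event deserves analyst attention (empty list = clean)."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    if image in WATCHED_LOLBINS and SCRIPT_ARG.search(cmdline):
        reasons.append(f"{image} invoked with script/URL argument")
    # pcalua.exe -a <target> launches <target>; ClickFix lures abuse this switch.
    if image == "pcalua.exe" and re.search(r"(^|\s)-a\s", cmdline, re.I):
        reasons.append("pcalua.exe used as an execution proxy (-a)")
    if parent in WATCHED_LOLBINS:
        reasons.append(f"child process spawned by {parent}")
    if image == "node.exe" and any(seg in event.get("Image", "").lower() for seg in USER_WRITABLE):
        reasons.append("Node.js runtime running from a user-writable path")
    return reasons

# Constructed sample events (not real telemetry from any incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\pcalua.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'pcalua.exe -a "C:\Users\alice\AppData\Local\Temp\fix.cmd"'},
    {"Image": r"C:\Users\alice\AppData\Roaming\node\node.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"node.exe loader.js"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

def run_triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event that was flagged."""
    return [(i, r) for i, e in enumerate(events) if (r := triage(e))]

if __name__ == "__main__":
    for idx, reasons in run_triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], reasons)
```

Feed it exported Sysmon or EDR process-creation records instead of SAMPLE_EVENTS to hunt across an estate; the hits are leads for review, not verdicts.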
