Inside a malicious infrastructure delivering EtherRAT, phishing pages, and malicious software 

Threat hunters uncovered EtherRAT being distributed through a suspicious website that led to a broader malicious infrastructure hosting malware, phishing pages, and remote desktop software. EtherRAT is a Node.js-based RAT that uses the Ethereum blockchain to resolve its C2 server and employs layered loaders, obfuscation, and persistence to execute attacker-supplied code. #EtherRAT #Ethereum #Nodejs

Key points

  • Threat hunting revealed a malicious website distributing EtherRAT through MSI installers and PowerShell scripts.
  • The delivery infrastructure also hosted phishing pages, malicious documents, and remote control software.
  • EtherRAT is a Node.js RAT that can run arbitrary JavaScript from its C2 server and gain full machine control.
  • The malware uses Ethereum blockchain queries to retrieve its active C2 URL, making takedowns harder.
  • The MSI chain used multiple stages, including BAT, JScript, and encrypted payload loaders, plus persistence via registry modification.
  • The analyzed infrastructure used open directories, versioned installers, and randomized paths to increase stealth and hinder detection.
  • Phishing campaigns within the same infrastructure used email attachments, fake document prompts, and URL cloaker pages.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The malware downloaded Node.js from the official website when it was not present (‘Downloads Node.js if it’s not found’ / ‘Uses curl -sLo to download Node.js from the official website’).
  • [T1027] Obfuscated Files or Information – The BAT, JScript, and EtherRAT payloads were heavily obfuscated and decrypted before execution (‘The executed “cDQMlQAru0.xml” is a loader that decrypts the embedded code’ / ‘newly obfuscated version of the script’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – EtherRAT executed attacker-controlled JavaScript received from the C2 server (‘Execute arbitrary JavaScript code received by the C2 server’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The MSI chain invoked cmd.exe and BAT scripts to run the infection stages (‘conhost --headless cmd /c "KmPuGimn.cmd"’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell was used both as a delivery method and for host checks (‘PowerShell scripts’ / ‘powershell -NoProfile -NonInteractive -WindowStyle Hidden’).
  • [T1106] Native API – The malware used Windows native process execution via conhost.exe in headless mode to run commands and scripts (‘conhost.exe --headless’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence was added through a registry key (‘Adds a registry key for persistence with "conhost.exe --headless"’).
  • [T1082] System Information Discovery – The post-compromise activity queried GPU, domain, and machine information (‘Get-WmiObject Win32_VideoController’, ‘Win32_ComputerSystem’, ‘MachineGuid’).
  • [T1016] System Network Configuration Discovery – The malware checked whether the host was in a domain and queried network-related context (‘(Get-WmiObject Win32_ComputerSystem).Domain’ / ‘PartOfDomain’).
  • [T1041] Exfiltration Over C2 Channel – The RAT sent its source code to the C2 server and received a re-obfuscated script back (‘sends its own source code to the C2 server’ / ‘Body: { “code”: “” }’).
  • [T1140] Deobfuscate/Decode Files or Information – Multiple custom decoders were used to decrypt payloads and embedded code (‘decrypts the embedded code with a XOR function’ / ‘custom stream-like decoding routing’).
  • [T1608.001] Stage Capabilities: Download New Code at Runtime – The C2 returned a newly obfuscated version of the script that was written back to disk (‘The C2 responds with a newly obfuscated version of the script’).
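The three host-side behaviours in the mapping above (conhost.exe --headless launching a script interpreter, hidden non-interactive PowerShell, and a Run-key value that re-launches conhost --headless) can be turned into simple process- and registry-event detections. The script below is an added example, not code from the article or from Malwarebytes; the event dictionaries are constructed to resemble Sysmon-style process-creation and registry-set records, and the payload path in the Run-key sample is a placeholder.

```python
"""Detection heuristics for the EtherRAT MSI chain's host artifacts."""
import re

# Patterns drawn from the MITRE mapping: conhost --headless spawning cmd or
# powershell, hidden non-interactive PowerShell, and a Run-key persistence
# entry whose value re-launches conhost --headless.
HEADLESS_CONHOST = re.compile(r"conhost(\.exe)?\s+--headless\s+(cmd|powershell)", re.I)
HIDDEN_PS = re.compile(r"powershell(\.exe)?.*-WindowStyle\s+Hidden", re.I)
NONINTERACTIVE = re.compile(r"-NonInteractive|-NoProfile", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
HEADLESS_VALUE = re.compile(r"conhost(\.exe)?\s+--headless", re.I)

def classify(event: dict) -> list:
    """Return the detection names that fire for one event (empty if benign)."""
    hits = []
    if event.get("type") == "process":
        cmd = event.get("CommandLine", "")
        if HEADLESS_CONHOST.search(cmd):
            hits.append("T1106/T1059.003 conhost --headless launching interpreter")
        if HIDDEN_PS.search(cmd) and NONINTERACTIVE.search(cmd):
            hits.append("T1059.001 hidden non-interactive PowerShell")
    elif event.get("type") == "registry":
        if RUN_KEY.search(event.get("TargetObject", "")) and \
                HEADLESS_VALUE.search(event.get("Details", "")):
            hits.append("T1547.001 Run-key persistence via conhost --headless")
    return hits

def scan(events: list) -> list:
    """Flatten (event identifier, detection) pairs across a batch of events."""
    return [(e.get("CommandLine") or e.get("TargetObject"), hit)
            for e in events for hit in classify(e)]

# Constructed sample events (assumed shape; not real telemetry from the article).
SAMPLE_EVENTS = [
    {"type": "process", "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": 'conhost --headless cmd /c "KmPuGimn.cmd"'},
    {"type": "process", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -NonInteractive -WindowStyle Hidden -c <script>"},
    {"type": "registry",
     "TargetObject": r"HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": 'conhost.exe --headless "<payload path placeholder>"'},
    # Benign: the normal console host launch Windows performs for console apps.
    {"type": "process", "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\WINDOWS\system32\conhost.exe 0x4"},
]

if __name__ == "__main__":
    for ident, hit in scan(SAMPLE_EVENTS):
        print(f"{hit}: {ident}")
```

The benign conhost.exe sample shows why matching on `--headless` followed by an interpreter matters: plain conhost.exe launches are constant background noise on any Windows host.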

Indicators of Compromise

  • [IP addresses] Malicious infrastructure and EtherRAT-related hosting – 82.165.65.244, 185.221.216.121, and 4 other IPs
  • [Domains] EtherRAT distribution and C2 endpoints – ivorilla.cloud, mx.nrlwz.com, and 4 other domains
  • [Domains] EtherRAT C2 infrastructure – cambioefectivo.com, vabelles.com, tranzed.org, kibrisarazi.com, aravisblog.com, publicspeakingtip.org
  • [File names] MSI loader and payload components – v9.msi, KmPuGimn.cmd, cDQMlQAru0.xml, MRaQCipBIZeiZNx.log
  • [File names] Post-execution artifacts and copied payload – _MJlLlt5.exe, svchost.log, cl.zip
  • [Paths] Infection chain and phishing kit locations – /install, /zht/sharep-redirect.html, /bl/me.php, /t/teams, /teams/Windows/invite.php
  • [Registry / host artifacts] Persistence and host checks – HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid, conhost.exe --headless
  • [Ethereum blockchain identifiers] C2 resolution data – 0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58, 0x7d434425, 0xf6a772e163e64b07f658946f863b5d457d88f9f0

Read more: https://www.malwarebytes.com/blog/threat-intel/2026/06/inside-a-malicious-infrastructure-delivering-etherrat-phishing-pages-and-malicious-software