EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks | Sysdig

Sysdig TRT discovered EtherRAT, a sophisticated persistent implant deployed via the React2Shell vulnerability CVE-2025-55182 that uses Ethereum smart contracts for C2 resolution, downloads a legitimate Node.js runtime from nodejs.org, and installs five independent Linux persistence mechanisms. The sample shows overlap with DPRK-linked Contagious Interview tooling while introducing novel techniques like RPC-endpoint consensus for blockchain C2 and a self-rewriting update mechanism. #EtherRAT #CVE-2025-55182

Key points

  • EtherRAT is a multi-stage implant (dropper → Node.js runtime download → AES-encrypted payload → persistent JavaScript implant) delivered via CVE-2025-55182 (React2Shell) exploitation.
  • Rather than bundling a runtime, the dropper downloads Node.js v20.10.0 from nodejs.org to avoid embedding suspicious binaries.
  • Command-and-control uses an on-chain Ethereum smart contract plus consensus across nine public RPC endpoints to resolve the active C2 URL, queried every five minutes.
  • Once active, the implant polls the resolved C2 every 500 ms with randomized CDN-like GET requests and executes returned JavaScript via the AsyncFunction constructor, providing full Node.js primitives to operators.
  • EtherRAT establishes persistence through five independent Linux mechanisms: systemd user service, XDG autostart desktop entry, cron @reboot, .bashrc injection, and .profile injection.
  • The implant includes a one-time self-update/re-obfuscation mechanism that POSTs its source to /api/reobf/, overwrites itself with the response, and respawns, complicating signature-based detection.
  • Analysis shows tooling overlap with DPRK-associated Contagious Interview/BeaverTail patterns but with significant differences (React2Shell delivery, blockchain C2, more aggressive persistence), leaving attribution uncertain.
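
The five persistence mechanisms above all live in well-known per-user locations, which makes them easy to hunt for without signatures. The following script is an added example, not Sysdig's code or anything recovered from the sample: it scans a home directory for the shapes the write-up describes (a systemd user unit, an XDG autostart entry, a cron @reboot line, and nohup launch lines in .bashrc/.profile, all pointing a node binary at a hidden .js file under $HOME) and also flags a node binary dropped under ~/.local/share. The ~/.config/systemd/user and ~/.config/autostart paths are the standard locations rather than paths quoted from the report, the launch-line regex is a heuristic, and build_sample_home() plants constructed artifacts with made-up names so the hunt can be run offline.

```python
"""Hunt for EtherRAT-style user-level persistence (added example, not Sysdig's code)."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Heuristic: a node binary launched against a hidden ".js" file. Names are
# randomized per deployment, so we match the shape, not fixed strings.
HIDDEN_JS_LAUNCH = re.compile(r"(?:/bin/)?node\S*\s+\S*/\.[A-Za-z0-9]+\.js")


def _matching_lines(path: Path, pattern: "re.Pattern[str]") -> List[str]:
    """Return stripped lines of `path` that match `pattern` (empty if unreadable)."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return [line.strip() for line in text.splitlines() if pattern.search(line)]


def hunt_persistence(home: str, crontab_text: str = "") -> Dict[str, List[str]]:
    """Return {mechanism_name: [evidence lines]} for the given home directory.

    `crontab_text` is the caller-supplied output of `crontab -l`, so the
    function never shells out and can be exercised on a constructed tree.
    """
    root = Path(home)
    hits: Dict[str, List[str]] = {}

    # 1. systemd user units (assumed standard location ~/.config/systemd/user)
    for unit in (root / ".config/systemd/user").glob("*.service"):
        execs = _matching_lines(unit, re.compile(r"^ExecStart="))
        if any(HIDDEN_JS_LAUNCH.search(line) for line in execs):
            hits.setdefault("systemd_user_service", []).append(f"{unit.name}: {execs[0]}")

    # 2. XDG autostart entries (assumed standard location ~/.config/autostart)
    for desktop in (root / ".config/autostart").glob("*.desktop"):
        execs = _matching_lines(desktop, re.compile(r"^Exec="))
        if any(HIDDEN_JS_LAUNCH.search(line) for line in execs):
            hits.setdefault("xdg_autostart", []).append(f"{desktop.name}: {execs[0]}")

    # 3. cron @reboot lines in the user's crontab
    for line in crontab_text.splitlines():
        if line.lstrip().startswith("@reboot") and HIDDEN_JS_LAUNCH.search(line):
            hits.setdefault("cron_reboot", []).append(line.strip())

    # 4./5. nohup launch lines injected into .bashrc and .profile
    for rc in (".bashrc", ".profile"):
        evidence = [l for l in _matching_lines(root / rc, re.compile(r"\bnohup\b"))
                    if HIDDEN_JS_LAUNCH.search(l)]
        if evidence:
            hits.setdefault(rc.lstrip(".") + "_injection", []).extend(evidence)

    # A node binary under ~/.local/share is itself worth a look (the dropper
    # unpacks the official tarball there rather than bundling a runtime).
    for node in (root / ".local/share").rglob("bin/node"):
        hits.setdefault("node_runtime_in_local_share", []).append(str(node.relative_to(root)))

    return hits


def build_sample_home() -> str:
    """Create a throwaway home dir with CONSTRUCTED artifacts (names are made up)."""
    home = Path(tempfile.mkdtemp(prefix="etherrat-hunt-"))
    stash = home / ".local/share/.q7x1k2"          # constructed hidden dir
    launch = f"{stash}/bin/node {stash}/.f3a9zz.js"  # constructed launch line
    (home / ".config/systemd/user").mkdir(parents=True)
    (home / ".config/systemd/user/4f2a9c.service").write_text(
        f"[Unit]\nDescription=cache\n[Service]\nExecStart={launch}\nRestart=always\n"
        "[Install]\nWantedBy=default.target\n")
    (home / ".config/autostart").mkdir(parents=True)
    (home / ".config/autostart/x1b2.desktop").write_text(
        f"[Desktop Entry]\nType=Application\nName=cache\nExec={launch}\n")
    (home / ".bashrc").write_text(f"alias ll='ls -l'\nnohup {launch} >/dev/null 2>&1 &\n")
    (home / ".profile").write_text(f"export PATH=$HOME/bin:$PATH\nnohup {launch} >/dev/null 2>&1 &\n")
    (stash / "bin").mkdir(parents=True)
    (stash / "bin/node").write_bytes(b"\x7fELF")     # placeholder, not a real binary
    return str(home)


def sample_crontab(home: str) -> str:
    """Constructed `crontab -l` output: one benign job plus an @reboot launcher."""
    stash = f"{home}/.local/share/.q7x1k2"
    return (f"@reboot nohup {stash}/bin/node {stash}/.f3a9zz.js >/dev/null 2>&1 &\n"
            "0 3 * * * /usr/bin/backup\n")


if __name__ == "__main__":
    sample = build_sample_home()
    for mechanism, evidence in hunt_persistence(sample, sample_crontab(sample)).items():
        print(f"[{mechanism}]")
        for line in evidence:
            print("   ", line)
```

On a real host, run it as `hunt_persistence(os.path.expanduser("~"), subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout)` for each interactive user; a hit on two or more mechanisms pointing at the same hidden .js is the pattern to escalate on, since legitimate software rarely installs itself five ways at once.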

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial unauthenticated RCE via the React Server Components vulnerability CVE-2025-55182 ("an unsafe deserialization vulnerability in RSCs that allows unauthenticated remote code execution via a single HTTP request").
  • [T1059.004] Unix Shell – Shell commands used to decode and execute a base64 dropper and run a persistent download loop ("sh -c echo |base64 -d|bash" and the subsequent while loop downloading s.sh).
  • [T1105] Ingress Tool Transfer – Downloading the runtime and payloads from external sources (staging server and nodejs.org) to the victim ("# Download Node.js runtime from official source" and curl/wget to nodejs.org).
  • [T1059.007] JavaScript – Executing operator-provided JavaScript via the AsyncFunction constructor to run arbitrary Node.js code ("const a0 = Object.getPrototypeOf(async function () {}).constructor;" and "treats it as JavaScript code and executes it immediately").
  • [T1071.004] Application Layer Protocol: Web Services – C2 resolution and communication via public Ethereum RPC endpoints and HTTP(S) requests to the resolved C2 ("EtherRAT queries all nine endpoints in parallel" and HTTP GET/POST to C2 URLs).
  • [T1027] Obfuscated Files or Information – Use of encrypted blobs, hardcoded AES-256-CBC key/IV, base64-encoded payloads, and an obfuscated JS dropper ("AES-256-CBC decryption" and base64_encrypted_blob / base64_obfuscated_js).
  • [T1547] Boot or Logon Autostart Execution – Multiple persistence mechanisms to achieve execution on boot/login, including systemd user services, XDG autostart, cron @reboot, and shell profile modifications ("Systemd user service", "XDG autostart entry", "Cron job", "Bashrc/profile modifications").
  • [T1560] Archive Collected Data / [T1106] Native API (tentative mapping; represents the self-modifying update behavior) – Self-update/re-obfuscation mechanism in which the implant POSTs its source to /api/reobf/ and replaces itself with the response ("s + \"/api/reobf/\"" and "n.writeFileSync(N, R, \"utf8\"); n.spawn fresh process").

Indicators of Compromise

  • [IP Address/Server] Staging server and payload hosting – 193.24.123.68:3001, http://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh
  • [Domain/Download URL] Legitimate runtime download observed – https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.gz (also a .tar.xz fallback)
  • [Ethereum Contract / On-chain artifacts] Blockchain C2 resolution – Contract 0x22f96d61cf118efabc7c5bf3384734fad2f6ead4, function selector 0x7d434425, lookup parameter 0xE941A9b283006F5163EE6B01c1f23AA5951c4C8D
  • [RPC Endpoints] Public Ethereum RPCs queried for consensus – e.g., https://eth.llamarpc.com, https://mainnet.gateway.tenderly.co, and 7 more endpoints
  • [File names / filesystem artifacts] Example staged and runtime files (naming randomized per deployment) – gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh, .1d5j6rm2mg2d (encrypted blob), .kxnzl4mtez.js (obfuscated dropper), and randomized hidden .js and bin/node under $HOME/.local/share/
  • [Persistence artifacts] Examples of persistence entries – random-hex.service (systemd user service), random.desktop (XDG autostart), a cron @reboot line referencing the hidden JS, and .bashrc/.profile entries using nohup to launch the hidden JS
  • [HTTP Request/Behavioral] C2 polling and request patterns – randomized CDN-like GET paths such as /api/a8f3b2c1/{bot_id}/{random}.{ext}?token={build_id} and requests carrying an X-Bot-Server header
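
Because the C2 hostname is resolved on-chain and can change, the behavioral indicators in the last bullet (the CDN-like path shape, the token query parameter, the X-Bot-Server header, and the 500 ms polling cadence) are more durable hunting material than any single URL. The script below is an added example, not Sysdig's code: it scores each egress-proxy record against those three request-shape indicators and then applies a sliding-window rate check per (source, host) so that a handful of coincidental matches do not alert but a tight polling loop does. The JSON-lines log format, the field names, the host c2-placeholder.invalid, and the X-Bot-Server header value are all constructed for the example; it also assumes the 8-hex segment after /api/ may vary per build, so it matches that segment generically rather than pinning a8f3b2c1.

```python
"""Flag EtherRAT-style C2 polling in proxy logs (added example, not Sysdig's code)."""
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Path shape from the write-up: /api/<8 hex>/<bot_id>/<random>.<ext>
# The hex segment is matched generically (assumption: it may differ per build).
CDN_LIKE_PATH = re.compile(r"^/api/[0-9a-f]{8}/[A-Za-z0-9_-]+/[A-Za-z0-9_-]+\.[a-z]{2,4}$")
HOST_RE = re.compile(r"^https?://([^/]+)")


def score_request(rec: dict) -> List[str]:
    """Return the names of the request-shape indicators one record matches."""
    path, _, query = rec["url"].partition("?")
    path = HOST_RE.sub("", path)
    indicators = []
    if CDN_LIKE_PATH.match(path):
        indicators.append("cdn_like_path")
    if re.search(r"(^|&)token=", query):
        indicators.append("token_param")
    if any(name.lower() == "x-bot-server" for name in rec.get("headers", {})):
        indicators.append("x_bot_server_header")
    return indicators


def find_beacons(lines: Iterable[str], window_s: float = 10.0,
                 min_hits: int = 8) -> Dict[Tuple[str, str], dict]:
    """Group flagged requests by (src, host) and report groups that poll rapidly.

    A group alerts when at least `min_hits` flagged requests fall inside any
    `window_s`-second window; at the reported 500 ms cadence that is reached
    within four seconds, while ordinary API clients rarely get close.
    """
    groups: Dict[Tuple[str, str], List[Tuple[float, List[str]]]] = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        indicators = score_request(rec)
        if indicators:
            host = HOST_RE.match(rec["url"]).group(1)
            groups[(rec["src"], host)].append((float(rec["ts"]), indicators))

    alerts: Dict[Tuple[str, str], dict] = {}
    for key, events in groups.items():
        events.sort(key=lambda e: e[0])
        stamps = [e[0] for e in events]
        best, j = 0, 0
        for i, t in enumerate(stamps):           # sliding window over timestamps
            while t - stamps[j] > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_hits:
            alerts[key] = {
                "max_hits_in_window": best,
                "indicators": sorted({name for _, inds in events for name in inds}),
            }
    return alerts


def sample_log() -> List[str]:
    """CONSTRUCTED JSON-lines proxy records: a 500 ms beacon plus benign traffic."""
    t0 = 1_700_000_000.0
    lines = []
    for i in range(12):  # twelve polls, half a second apart, from one workstation
        lines.append(json.dumps({
            "ts": t0 + i * 0.5, "src": "10.0.0.5", "method": "GET",
            "url": f"http://c2-placeholder.invalid/api/a8f3b2c1/b0t-7f1c/{0xabc123 + i:06x}.css"
                   "?token=build-0001",
            "headers": {"X-Bot-Server": "placeholder"},
        }))
    lines.append(json.dumps({"ts": t0 + 1, "src": "10.0.0.9", "method": "GET",
                             "url": "https://cdn.example.com/assets/app.js", "headers": {}}))
    lines.append(json.dumps({"ts": t0 + 2, "src": "10.0.0.9", "method": "GET",
                             "url": "https://api.example.com/api/v1/users?token=abc", "headers": {}}))
    return lines


if __name__ == "__main__":
    for (src, host), detail in find_beacons(sample_log()).items():
        print(f"{src} -> {host}: {detail['max_hits_in_window']} hits in window, "
              f"indicators={detail['indicators']}")
```

The single benign request with a token parameter is scored but never alerts because it has no companions in the window; tune min_hits and window_s to the proxy's sampling rate, and pair an alert with the persistence hunt on the source host to confirm.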


Read more: https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks