EtherRAT dissected: How a React2Shell implant delivers 5 payloads through blockchain C2
On December 8, the Sysdig Threat Research Team (TRT) reported that a possible North Korean-linked actor had deployed EtherRAT, a novel Ethereum-based implant, in React2Shell attacks. The malware goes beyond other React2Shell cryptomining attacks, blending command and control (C2) traffic into blockchain activity and aggressively harvesting credentials. Furthermore, the EtherRAT payloads never touch the disk, since they are run by Node.js. This is another example of fileless malware, which is becoming more common.
This blog marks the first time the React2Shell exploit has been publicly documented in active malware.
Following its initial EtherRAT report, the Sysdig TRT retrieved live payloads from the attacker's C2 infrastructure. This new blog examines the details of five modules found in the C2, revealing the full post-compromise capabilities of EtherRAT:
- system reconnaissance
- credential …
IoC
http://91.215.85.42:3000/crypto/keys
http://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh
http://91.215.85.42:3000
https://webhook.site/63575795-ee27-4b29-a15d-e977e7dc8361
http://91.215.85.42:3000/{hwid
https://grabify.link/SEFKGU
193.24.123.68
173.249.8.102
192.168.1.50
91.215.85.42
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140
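As an added example that is not part of the Sysdig post, the following Python matches the network indicators listed above against constructed web-proxy log lines. It treats the `{hwid` entry as a per-victim path template (the text after the `{` varies, so only the path before it is matched as a prefix), treats the bare base URL as covering any request to that host and port, and tags 192.168.1.50 as low-fidelity because it is RFC 1918 private address space and cannot identify external infrastructure. The hex value listed last is the secp256k1 group order n, a constant present in every Ethereum key library, so the script records it but does not match it against traffic. The log format and the log lines are constructed for this example.

```python
"""Match the EtherRAT network IoCs from this post against proxy-log lines."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Network indicators copied verbatim from the IoC section of the post.
IOC_URLS = [
    "http://91.215.85.42:3000/crypto/keys",
    "http://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh",
    "http://91.215.85.42:3000",
    "https://webhook.site/63575795-ee27-4b29-a15d-e977e7dc8361",
    "http://91.215.85.42:3000/{hwid",  # per-victim template; path after '{' varies
    "https://grabify.link/SEFKGU",
]
IOC_IPS = ["193.24.123.68", "173.249.8.102", "192.168.1.50", "91.215.85.42"]

# Also listed in the post, but this is the secp256k1 group order n, which every
# Ethereum key library contains, so it is kept for reference and never matched.
SECP256K1_ORDER_HEX = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140"


def url_rule(ioc):
    """Turn an IoC URL into (hostname, port, path, is_prefix).

    A '{' in the path marks a template: the text before it is matched as a
    prefix. An empty path means 'any request to this host and port'.
    """
    u = urlsplit(ioc)
    path = u.path
    is_prefix = "{" in path
    if is_prefix:
        path = path.split("{", 1)[0]
    if path == "":
        path, is_prefix = "/", True
    return u.hostname, u.port, path, is_prefix


def ip_confidence(ip):
    """RFC 1918 space cannot identify attacker infrastructure: low fidelity."""
    return "low" if ip_address(ip).is_private else "high"


def match_line(line):
    """Return [(indicator, confidence), ...] for one constructed log line of the
    form '<timestamp> <client_ip> <method> <url> <status>'."""
    fields = line.split()
    if len(fields) < 5:
        return []
    u = urlsplit(fields[3])
    req_path = u.path or "/"
    hits = []
    for ioc in IOC_URLS:
        host, port, path, is_prefix = url_rule(ioc)
        if u.hostname != host or u.port != port:
            continue
        if (is_prefix and req_path.startswith(path)) or req_path == path:
            hits.append((ioc, "high"))
    for ip in IOC_IPS:
        if u.hostname == ip:
            hits.append((ip, ip_confidence(ip)))
    return hits


def scan(lines):
    """Map 1-based line numbers to their hits; lines without hits are omitted."""
    return {n: h for n, line in enumerate(lines, 1) if (h := match_line(line))}


# Constructed proxy-log sample (not real traffic); the '/a1b2c3d4' path stands
# in for whatever per-victim value fills the '{hwid' template.
LOG_LINES = [
    "2025-12-09T10:00:01Z 10.0.0.12 GET http://91.215.85.42:3000/crypto/keys 200",
    "2025-12-09T10:00:05Z 10.0.0.12 GET https://registry.npmjs.org/react 200",
    "2025-12-09T10:01:10Z 10.0.0.33 POST https://webhook.site/63575795-ee27-4b29-a15d-e977e7dc8361 200",
    "2025-12-09T10:02:00Z 10.0.0.33 GET http://91.215.85.42:3000/a1b2c3d4 200",
    "2025-12-09T10:03:00Z 10.0.0.40 GET http://192.168.1.50:8080/health 200",
]

if __name__ == "__main__":
    for n, hits in scan(LOG_LINES).items():
        for indicator, confidence in hits:
            print(f"line {n}: {indicator} ({confidence})")
```

A request to the C2 host can match several rules at once (the exact path, the base URL and the template prefix), which is intentional: the more specific the matched indicator, the stronger the signal for triage, while a lone low-confidence hit on the private address is only worth a look if the host in question is known to be unrelated to that address space.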