lazarusholic

Spoofed IT Tools Distribute EtherRAT in Highly Stealthy Campaign Suspected Linked to DPRK APT

2026-04-08, PhatomCandle
https://medium.com/@phatomcandle/spoofed-it-tools-distribute-etherrat-in-highly-stealthy-campaign-suspected-linked-to-dprk-apt-1aa6beab7dcb
#EtherRAT

Recently, the PhatomCandle ThreatIntel Team tracked a cluster of attack campaigns distributing EtherRAT [1] via malicious MSI installers disguised as common IT administration tools. Notably, this activity exhibits overlapping Tactics, Techniques, and Procedures (TTPs) with an Advanced Persistent Threat (APT) group suspected to be associated with the DPRK [2]. Previously, eSentire's Threat Response Unit (TRU) identified a highly evasive attack campaign in which threat actors leveraged ClickFix lures to ultimately deploy EtherRAT.

The core technical novelty of EtherRAT is its use of the technique dubbed EtherHiding. Rather than embedding Command and Control (C2) details directly, the implant retrieves them from the Ethereum blockchain, and its target-selection and beaconing traffic is shaped to mimic CDN requests. The combination gives the campaign exceptional stealth and resilience against takedown.
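To make the EtherHiding retrieval step concrete, the following is an added example (not code from the article or from EtherRAT itself) of how a loader pulls a hidden C2 string from a smart contract: it sends a read-only `eth_call` to a public Ethereum JSON-RPC endpoint and decodes the ABI-encoded `string` the contract returns. Because `eth_call` is a read, it costs no gas and creates no transaction, which is what makes the scheme both cheap for the attacker and hard to take down; the same read is available to an analyst who wants to see the current C2 value. The contract address, function selector, RPC URL and the sample response are all constructed for illustration and are not from the campaign.

```python
"""EtherHiding retrieval mechanics (added illustration, not campaign code).

Flow: build an eth_call JSON-RPC request -> node executes the contract's
getter -> node returns an ABI-encoded string -> implant decodes it and
uses the result as its real C2.  All identifiers below are hypothetical.
"""
import json

# Hypothetical values: a real loader embeds its own contract and selector.
CONTRACT = "0x" + "11" * 20                 # placeholder contract address
SELECTOR = "0x20965255"                     # assumed 4-byte selector of a getValue()-style getter
RPC_URL = "https://rpc.example/v2/demo"     # placeholder public RPC endpoint


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> dict:
    """JSON-RPC body for a read-only contract call (no transaction, no gas)."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def decode_abi_string(result_hex: str) -> str:
    """Decode the ABI encoding of a single `string` return value.

    Layout: 32-byte offset to the data, 32-byte length, then the UTF-8
    bytes padded to a 32-byte boundary.
    """
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("ABI response too short for a string")
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32: offset + 32 + length]
    if len(data) != length:
        raise ValueError("ABI length field exceeds response size")
    return data.decode("utf-8")


def encode_abi_string(value: str) -> str:
    """Inverse of decode_abi_string; used only to build the sample response."""
    data = value.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    body = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + padded
    return "0x" + body.hex()


# Constructed eth_call response: what an RPC node would return for the getter.
SAMPLE_RPC_RESPONSE = {
    "jsonrpc": "2.0",
    "id": 1,
    "result": encode_abi_string("https://cdn-assets.example/static/loader.js"),
}


def extract_c2(rpc_response: dict) -> str:
    """What the loader does with the node's answer: recover the hidden C2."""
    return decode_abi_string(rpc_response["result"])


if __name__ == "__main__":
    print("request:", json.dumps(build_eth_call(CONTRACT, SELECTOR)))
    print("hidden C2:", extract_c2(SAMPLE_RPC_RESPONSE))
```

Note that nothing in the request identifies the victim to the contract owner; the only observable is an outbound HTTPS POST to a public RPC provider, which is why network detection has to key on the RPC call pattern rather than on the C2 itself. Swapping the stored string is a single on-chain transaction by the attacker, and every implant picks up the new value on its next read.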
1. Initial Access: Weaponized IT Tools

The attack chain begins with social engineering targeting system administrators and IT support personnel. Threat actors craft malicious Windows Installer (MSI) packages disguised as …