EtherRAT Malware Uses Ethereum Blockchain for Resilient C2, Distributed via Open Directory Infrastructure
Malwarebytes uncovers a malicious infrastructure distributing EtherRAT, a Node.js RAT that retrieves its C2 server from the Ethereum blockchain, alongside phishing pages and other malware.

Malwarebytes researchers have uncovered a sophisticated malicious infrastructure distributing EtherRAT, a Node.js-based remote access trojan (RAT) that leverages the Ethereum blockchain to retrieve its command-and-control (C2) server. The discovery began with an open directory hosting MSI installers and PowerShell scripts, which ultimately led to a broader network of websites distributing phishing pages, remote desktop tools, and other malware alongside EtherRAT.
EtherRAT is a lightweight RAT written in Node.js that grants attackers complete control over infected machines. It executes arbitrary JavaScript code received from the C2 server, allowing threat actors to run commands, manipulate files and folders, modify the registry, and exfiltrate data. The malware's use of the Ethereum blockchain for C2 retrieval makes it particularly resilient to infrastructure takedowns, as the C2 address is stored on-chain rather than on a traditional server.
The infection chain typically begins with an MSI installer or PowerShell script served from an open directory. The MSI files, whose names carry version numbers from v1 to v10, bundle a BAT launcher, a JScript loader, and an encrypted EtherRAT payload. The launcher checks whether Node.js is present and downloads it from the official Node.js website if it is not; the payload is then decrypted with a custom XOR-based routine and run under the interpreter. Because the runtime comes from a legitimate source, the download itself looks benign; the suspicious signal is an MSI or BAT file installing Node.js on a machine that had no prior use for it.
Once deployed, EtherRAT resolves its C2 by sending an eth_call JSON-RPC request for a smart contract on the Ethereum mainnet. eth_call is a read-only query that any public Ethereum node will answer, so the lookup needs no wallet, no transaction and no gas, and leaves nothing on-chain. The contract address and the function selector are hardcoded in the malware, and the data returned by the call carries the current C2 URL. Subsequent polling requests to that C2 use randomized URL patterns carrying parameters such as a build ID and a victim UUID, so there is no fixed URL for automated scanners to signature.
Malwarebytes also identified a broader infrastructure around the EtherRAT distribution: multiple websites with hacking-themed homepages that also host phishing pages and other malicious software. The sites keep folders of assorted malware and phishing content, and what a visitor is served depends on the specific infection chain. The themed front pages may be intended to deflect automated scanners or researchers.
The discovery fits a growing trend of malware authors using blockchain technology for C2 resilience. A C2 pointer stored on a public blockchain cannot be seized or sinkholed the way a domain or hosting account can; if the contract allows updates, the operator can repoint it with a single transaction whenever a server is lost, and nobody without the contract's keys can change or remove it. The same property cuts both ways: the chain is public, so defenders who know the contract address can query it to learn the current C2 and watch for changes. The EtherRAT campaign also shows the value of monitoring open directories and known-malicious infrastructure for early detection of emerging threats.
Organizations should configure endpoint detection and response (EDR) to flag unexpected Node.js installations and node.exe launched from MSI or BAT files, as well as unusual PowerShell or MSI execution. On the network, JSON-RPC traffic to Ethereum nodes, and eth_call requests in particular, from processes other than browsers and wallet software is a strong signal, and the hardcoded contract address is a stable indicator that survives C2 server changes. As blockchain-based C2 becomes more common, security teams need to adapt their detection strategies accordingly.