New EtherRAT Malware Variant Targets Windows Users via Trojanized Installer
Severity: High (Score: 67.5)
Sources: Scworld, Cybersecuritynews
Summary
A new variant of the EtherRAT malware is being delivered through a trojanized installer for Tftpd64, a widely used TFTP server tool. The attackers target IT administrators and network professionals by hosting the tampered installer in a spoofed GitHub repository that imitates the project's legitimate one (T1036 Masquerading, T1195 Supply Chain Compromise). Once executed, the installer creates a hidden directory and drops a Node.js runtime into it; the malware's JavaScript payload then runs under that interpreter (T1059.007) rather than as a conventional executable, which helps it evade detection. It persists through registry entries (T1547.001 Registry Run Keys / Startup Folder), performs system and user reconnaissance (T1033), and targets Ethereum RPC endpoints and wallet addresses for cryptocurrency theft.

Organizations are advised to obtain software only from the vendor's official distribution points and to monitor autostart registry locations for suspicious entries, in particular ones that launch a Node.js binary or a script from a user-writable or hidden directory. The combination of a supply-chain style lure aimed at administrators, a scripting runtime as the execution vehicle, and cryptocurrency theft makes this campaign particularly dangerous. Anyone who downloaded the installer from the spoofed repository may be affected, and the risk is ongoing because the sources report that many security tools still do not detect the malware.

Key Points:
- EtherRAT is delivered via a trojanized Tftpd64 installer hosted in a spoofed GitHub repository.
- The malware drops a Node.js runtime into a hidden directory, persists via registry entries, performs reconnaissance, and targets Ethereum RPC endpoints and wallets for theft.
- Organizations are urged to download software only from official sources and to monitor registry autostart entries to mitigate the risk.
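The advice to watch registry autostart entries is easier to act on with a concrete triage rule. The following script is an added example written for this page, not code from the reporting sources or from the EtherRAT analysis. It parses text in the format produced by `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the equivalent HKLM key) and flags Run entries that launch a Node.js binary or a JavaScript file from a user-writable location such as AppData, ProgramData or Temp. The heuristics, the registry lines and the paths in the sample are constructed for illustration; the page does not give the malware's actual directory, value names or hashes, so nothing here should be read as an indicator of compromise.

```python
import re
import sys
from dataclasses import dataclass, field

# Constructed sample in the shape of `reg query ...\Run` output. The value
# names and paths are invented for this example and are not real indicators.
SAMPLE_REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    NodeSvc     REG_SZ    "C:\Users\admin\AppData\Local\.cache\node.exe" "C:\Users\admin\AppData\Local\.cache\index.js"
    Updater     REG_SZ    wscript.exe //B "C:\ProgramData\svc\update.js"
    Tftpd64     REG_SZ    "C:\Program Files\Tftpd64\tftpd64.exe"
"""

# One Run value: "    <name>    REG_<type>    <data>"
RUN_VALUE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*\S)\s*$")

# Heuristics (assumptions for this example, not signatures from the report):
#  - a Node.js binary is being launched at logon
#  - a .js file appears in the command line (T1059.007)
#  - the command points into a directory ordinary users can write to
NODE_RUNTIME = re.compile(r"(?i)(^|[\\\s\"])node(\.exe)?([\s\"]|$)")
JS_PAYLOAD = re.compile(r"(?i)\.js\b")
USER_WRITABLE = re.compile(r"(?i)\\(AppData|ProgramData|Temp|Downloads|Public)\\")


@dataclass
class RunEntry:
    name: str
    reg_type: str
    command: str


@dataclass
class Finding:
    name: str
    command: str
    reasons: list = field(default_factory=list)


def parse_run_entries(text: str) -> list:
    """Extract (name, type, data) triples from reg query style output."""
    entries = []
    for line in text.splitlines():
        m = RUN_VALUE.match(line)
        if m:
            entries.append(RunEntry(m.group(1), m.group(2), m.group(3)))
    return entries


def triage_entry(entry: RunEntry):
    """Return a Finding if the entry matches the EtherRAT-style pattern, else None.

    An entry is flagged when it runs a JS runtime or a .js file AND the
    command lives in a user-writable location; a plain app in Program Files
    that happens to ship Node is deliberately not flagged.
    """
    reasons = []
    if NODE_RUNTIME.search(entry.command):
        reasons.append("launches node runtime")
    if JS_PAYLOAD.search(entry.command):
        reasons.append("references .js payload")
    script_like = bool(reasons)
    if USER_WRITABLE.search(entry.command):
        reasons.append("executes from user-writable path")
    else:
        return None
    if not script_like:
        return None
    return Finding(entry.name, entry.command, reasons)


def find_suspicious_run_entries(text: str) -> list:
    """Parse reg query output and return the entries worth investigating."""
    return [f for f in map(triage_entry, parse_run_entries(text)) if f]


if __name__ == "__main__":
    # Pipe real output in with:  reg query HKCU\...\Run | python triage.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REG_QUERY_OUTPUT
    for finding in find_suspicious_run_entries(data):
        print(f"[!] {finding.name}: {finding.command}")
        for reason in finding.reasons:
            print(f"      - {reason}")
```

On the constructed sample the script flags NodeSvc (Node binary plus a .js file under AppData) and Updater (wscript running a .js file from ProgramData) and leaves the two Program Files entries alone. Run it against both HKCU and HKLM Run and RunOnce keys on a host that installed Tftpd64 recently, and treat any hit as a lead for a fuller look at the directory it points to, not as proof of infection.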
Key Entities
- Malware (attack_type)
- Trojan (attack_type)
- EtherRAT (malware)
- T1033 - System Owner/User Discovery (mitre_attack)
- T1036 - Masquerading (mitre_attack)
- T1059.007 - JavaScript (mitre_attack)
- T1195 - Supply Chain Compromise (mitre_attack)
- T1547.001 - Registry Run Keys / Startup Folder (mitre_attack)
- Active Directory (platform)
- GitHub (platform)
- Windows (platform)
- Node.js (tool)
- Tftpd64 (tool)