The article from Malwarebytes provides an in-depth analysis of EtherRAT, a remote access Trojan (RAT) written in Node.js. It is distributed through several vectors, including MSI installers and PowerShell scripts, often hosted in open directories. The malware retrieves its command and control (C2) server addresses from the Ethereum blockchain, so taking down an individual C2 server does not sever the implants from their operators. The infrastructure behind EtherRAT is part of a broader network that also serves phishing pages and other malware families.
Other findings include phishing campaigns that began with email attachments, and misconfigured servers that exposed phishing kits and related malware to anyone who browsed to them. Some of the IPs and domains tied to the EtherRAT distribution network are listed as indicators of compromise (IOCs).