Sysdig attributes EtherRAT to a North Korean APT group on the basis of substantial overlap with the "Contagious Interview" campaign. The malware uses EtherHiding, a technique that stores the command-and-control (C2) address inside an Ethereum smart contract, so the operators can rotate the address on-chain instead of hosting infrastructure that can be taken down. The same smart contract address appeared across many eSentire customer incidents spanning retail, finance, software development and business services.

That reuse points to a coordinated, ongoing campaign across industries rather than a one-off intrusion. The malware runs in headless mode under conhost.exe, so no console window is shown to the user. To avoid network-level alerts, EtherRAT disguises its outbound traffic as ordinary CDN requests: the beacon URLs it generates look like fetches of static assets, with random hexadecimal path segments, UUIDs, and file extensions such as .ico.
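One way to hunt for the beacon pattern described above in web-proxy logs, as an added example that is not code from the article, Sysdig or eSentire: flag URLs whose path is built from long hexadecimal segments or UUIDs yet ends in a static-asset extension, then look for a single client pulling many distinct such "assets" from one host. Genuine static files are re-requested by the same path (and usually cached), so a stream of never-repeating random paths is the signal. The log lines, host names and thresholds are constructed for illustration; the regexes are a heuristic written here, not indicators published for EtherRAT.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy records (client_ip, url); illustrative only, not from
# the article or any real capture. The cdn.example-static.net entries mimic the
# described beacon shape; the others are ordinary static-asset fetches.
SAMPLE_LOGS = [
    ("10.0.0.5", "https://cdn.example-static.net/4f2a9c1e7b3d8a60/9d1c0f3e-2a4b-4c5d-8e6f-7a8b9c0d1e2f.ico"),
    ("10.0.0.5", "https://cdn.example-static.net/a1b2c3d4e5f60718/f0e1d2c3-b4a5-4968-8778-695a4b3c2d1e.ico"),
    ("10.0.0.5", "https://cdn.example-static.net/0011223344556677/11112222-3333-4444-8555-666677778888.ico"),
    ("10.0.0.5", "https://cdn.example-static.net/8899aabbccddeeff/aaaabbbb-cccc-4ddd-8eee-ffff00001111.ico"),
    ("10.0.0.5", "https://www.example.com/favicon.ico"),
    ("10.0.0.5", "https://www.example.com/assets/app.js"),
    ("10.0.0.7", "https://static.example.org/img/logo.png"),
    # Fingerprinted asset name with a short hash: common in real builds, should not match.
    ("10.0.0.7", "https://static.example.org/fonts/inter-4f2a9c1e.woff2"),
]

# Heuristic shapes for "random-looking" path segments (assumption, not a published IOC).
HEX_SEGMENT = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)
UUID_SEGMENT = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)
STATIC_EXTENSIONS = {".ico", ".css", ".js", ".png", ".gif", ".svg", ".woff2"}


def looks_like_random_static_path(url: str) -> bool:
    """True if the URL path ends in a static-asset extension but is made of
    random-looking segments (long hex runs or UUIDs) rather than real file names."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    if not segments:
        return False
    stem, dot, ext = segments[-1].rpartition(".")
    if not dot or ("." + ext).lower() not in STATIC_EXTENSIONS:
        return False
    # Test every directory segment plus the file name without its extension.
    candidates = segments[:-1] + [stem]
    return any(HEX_SEGMENT.match(s) or UUID_SEGMENT.match(s) for s in candidates)


def find_beacon_candidates(records, min_distinct: int = 3):
    """Group suspicious fetches by (client, host). A client that requests at
    least `min_distinct` different random-looking 'static' paths from the same
    host is reported with the count of distinct paths seen."""
    seen = defaultdict(set)
    for client, url in records:
        if looks_like_random_static_path(url):
            seen[(client, urlparse(url).netloc)].add(urlparse(url).path)
    return {key: len(paths) for key, paths in seen.items() if len(paths) >= min_distinct}


if __name__ == "__main__":
    for (client, host), count in find_beacon_candidates(SAMPLE_LOGS).items():
        print(f"{client} -> {host}: {count} distinct random-looking static paths")
```

In production the per-host count would be computed over a time window and paired with request timing, since beacons tend to recur at a fixed interval; the path-shape check on its own will also catch some legitimate cache-busting schemes, so treat a hit as a lead for triage rather than a verdict.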

To protect against similar threats, train employees to recognise fake IT-support approaches and ClickFix-style lures that ask them to paste a command into a terminal or Run dialog. Blocking outbound access to cryptocurrency RPC providers where there is no business need cuts off EtherHiding-based C2: the implant has to query the blockchain to retrieve its C2 address, and without that lookup it cannot beacon. Next-Generation Antivirus (NGAV) or Endpoint Detection and Response (EDR) tooling is essential for catching and containing the implant quickly once it lands.
