The EtherRAT trojan is being distributed through fraudulent GitHub repositories that convincingly mimic legitimate system administration tools to trick IT professionals into downloading the malware.
Malware Delivery via Spoofed Repositories
Attackers behind the EtherRAT malware are distributing the remote access trojan by creating fake GitHub repositories that impersonate legitimate administrative tools. These repositories include cloned documentation, realistic commit histories, and properly formatted release pages to appear authentic. Unsuspecting users who search for popular system utilities are lured into downloading a malicious archive that contains the EtherRAT payload alongside a legitimate binary.
Capabilities and Target Profile
Once executed, EtherRAT establishes persistent backdoor access to the infected system. It can harvest credentials, capture keystrokes, exfiltrate files, and execute arbitrary commands. The malware targets IT professionals and system administrators who frequently download open source management tools. The campaign primarily affects Windows environments, though some variants may target Linux systems. No specific CVEs have been assigned to EtherRAT itself, as it relies on social engineering rather than exploiting software vulnerabilities.
Recommended Mitigations
Organizations should verify the authenticity of any repository before downloading software. This includes checking the account creation date, number of stars and forks, and the presence of verified badges on GitHub. Security teams should implement application allowlisting and block execution of unsigned binaries from unknown sources. Endpoint detection and response solutions should be updated to detect indicators associated with EtherRAT infection chains.
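The repository checks listed above, turned into a small triage script. This is an added example, not code from the article or from The Hacker News; the field names mirror the GitHub REST API repository and organization responses, the sample repositories and the age/ratio thresholds are constructed assumptions to be tuned per policy.

```python
from datetime import datetime, timezone

# Constructed sample inputs (not real repositories). Field names mirror the
# GitHub REST API repository and owner/organization responses; values are made up.
SUSPECT_REPO = {
    "full_name": "example-acct/sysadmin-toolkit",
    "created_at": "2024-05-20T10:00:00Z",
    "stargazers_count": 310,
    "forks_count": 2,
    "owner": {"login": "example-acct", "created_at": "2024-05-18T09:00:00Z",
              "is_verified": False},
}
ESTABLISHED_REPO = {
    "full_name": "example-org/real-admin-tool",
    "created_at": "2019-03-01T00:00:00Z",
    "stargazers_count": 4200,
    "forks_count": 650,
    "owner": {"login": "example-org", "created_at": "2015-01-01T00:00:00Z",
              "is_verified": True},
}


def _parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps GitHub returns."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_repository(repo: dict, as_of: str,
                      min_owner_age_days: int = 90, min_repo_age_days: int = 30) -> list:
    """Return a list of findings for the repo as of the given timestamp.
    The thresholds are assumptions, not values from the article."""
    now = _parse_ts(as_of)
    owner = repo["owner"]
    findings = []
    owner_age = (now - _parse_ts(owner["created_at"])).days
    repo_age = (now - _parse_ts(repo["created_at"])).days
    if owner_age < min_owner_age_days:
        findings.append(f"owner account is only {owner_age} days old")
    if repo_age < min_repo_age_days:
        findings.append(f"repository is only {repo_age} days old")
    stars, forks = repo["stargazers_count"], repo["forks_count"]
    # Many stars but almost no forks is a typical sign of inflated popularity.
    if stars >= 100 and forks <= max(1, stars // 100):
        findings.append(f"{stars} stars but only {forks} forks")
    if not owner.get("is_verified", False):
        findings.append("owner has no verified-organization badge")
    return findings


def risk_level(findings: list) -> str:
    """Summarise findings into a triage label for the download decision."""
    return "high" if len(findings) >= 3 else "medium" if findings else "low"
```

Feed it the JSON from the `/repos/{owner}/{repo}` and `/orgs/{org}` endpoints and gate the download on `risk_level`; a "high" result is a reason to obtain the tool from a known-good source instead.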
Source: The Hacker News