EtherRAT Malware Campaign Exploits SEO Tricks and Fake GitHub Pages to Breach Enterprise Networks

The EtherRAT campaign uses SEO poisoning to lure enterprise admins to fake GitHub pages that distribute malware, highlighting a growing reliance on search result manipulation for initial access.

CSBadmin

How the Attack Works

Attackers are using search engine optimization poisoning to push malicious links to the top of search results for popular enterprise tools. When an administrator searches for a common software package, they may see a seemingly legitimate GitHub repository. In reality, that repository hosts a fake installer that drops the EtherRAT remote access trojan. The malware gives attackers full control over the infected system, enabling data theft and further network compromise.

Impact and Scope

The campaign specifically targets enterprise administrators, aiming to gain high-level access inside corporate networks. Once EtherRAT is installed, attackers can pivot to other systems, steal credentials, and deploy additional payloads. There are no known CVEs associated with this campaign at this time, but the technique exploits human trust in search engine rankings and code hosting platforms. Organizations should verify the authenticity of any downloaded software and monitor for unusual outbound connections.
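One way to apply the "verify the authenticity of any downloaded software" advice is to check an installer against a pinned source repository and a pinned SHA-256 before it is run. This is an added example, not part of the original article; the tool name, the owner/repo `example-vendor/exampletool`, the URLs and the installer bytes are all constructed placeholders.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample bytes standing in for a downloaded installer.
SAMPLE_INSTALLER = b"constructed installer bytes for the example"

# Hypothetical allowlist: tool -> (official owner/repo, pinned SHA-256).
# In practice both values come from the vendor's own documentation,
# never from the search result that led to the download.
PINNED = {
    "exampletool": ("example-vendor/exampletool",
                    hashlib.sha256(SAMPLE_INSTALLER).hexdigest()),
}

def repo_from_url(url):
    """Return 'owner/repo' for an https://github.com/... URL, else None."""
    parts = urlsplit(url)
    # Exact host match rejects lookalike domains and other hosts such as
    # *.github.io; a userinfo part (github.com@other-host) is also rejected.
    if parts.scheme != "https" or parts.hostname != "github.com" or parts.username:
        return None
    segments = [s for s in parts.path.split("/") if s]
    # Dot segments could make the path resolve to a different repository.
    if len(segments) < 2 or any(s in (".", "..") for s in segments):
        return None
    # GitHub owner and repository names are case-insensitive.
    return f"{segments[0]}/{segments[1]}".lower()

def check_download(tool, url, data):
    """Return (ok, reason) for an installer fetched from url."""
    if tool not in PINNED:
        return False, "tool not in allowlist"
    repo, digest = PINNED[tool]
    found = repo_from_url(url)
    if found != repo:
        return False, f"unexpected source: {found or 'not a github.com repository URL'}"
    # The hash is the decisive check; the URL test only filters early.
    if hashlib.sha256(data).hexdigest() != digest:
        return False, "sha256 mismatch"
    return True, "ok"

if __name__ == "__main__":
    url = "https://github.com/example-vendor/exampletool/releases/download/v1.0/setup.exe"
    print(check_download("exampletool", url, SAMPLE_INSTALLER))
```

A repository that copies the official name under a different owner fails the source check, and a tampered file served from the correct path fails the hash check.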

Source: Cyber Security News
