The EtherRAT campaign leverages poisoned search results and counterfeit GitHub repositories to trick enterprise administrators into installing a remote access trojan.
Attack Vector and Distribution
Threat actors are using search engine optimization poisoning to push malicious links promoting fake GitHub repositories. When enterprise administrators search for popular tools or code libraries, the poisoned results appear at the top of search listings. Clicking these links leads to cloned GitHub pages that host a remote access trojan called EtherRAT. The attackers carefully craft these pages to appear legitimate, often copying real project documentation and star counts to avoid suspicion.
Malware Capabilities and Target Profile
Once installed, EtherRAT gives attackers full remote control over the compromised system. The malware can capture keystrokes, exfiltrate files, take screenshots, and execute arbitrary commands. The campaign specifically targets enterprise system administrators and developers who frequently download code from GitHub. The attackers likely aim to steal credentials and API keys and to use them to gain access to internal networks. There are currently no CVEs assigned to this campaign itself, though similar SEO poisoning techniques have been linked to past attacks.
Recommended Defenses
Organizations should implement strict software download policies and verify repository authenticity before cloning code. Security teams can use browser extensions to block known malicious domains, and should enforce multi-factor authentication on all critical accounts. Administrators should also monitor for unexpected outbound connections on nonstandard ports, which may indicate EtherRAT communicating with its command and control servers.
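As an added example (not code from the article or from any vendor), the following Python sketch shows what the last recommendation looks like in practice: it reads constructed connection records, ignores traffic to the internal range and to an allowlist of expected ports, and reports which internal hosts reached external destinations on nonstandard ports. The log format, the port allowlist, and the 10.0.0.0/8 internal range are assumptions for the example.

```python
"""Flag unexpected outbound connections on nonstandard ports (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports a workstation is normally expected to reach (assumption for this example).
STANDARD_PORTS = {53, 80, 123, 443, 587, 993}

# Address space treated as internal; lateral traffic is out of scope here (assumption).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample records: timestamp, src_ip, dst_ip, dst_port, protocol.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.5.12 203.0.113.5 443 tcp
2024-05-01T09:00:05Z 10.0.5.12 10.0.0.53 53 udp
2024-05-01T09:01:12Z 10.0.5.12 198.51.100.77 8443 tcp
2024-05-01T09:01:14Z 10.0.5.12 198.51.100.77 8443 tcp
2024-05-01T09:02:30Z 10.0.5.40 198.51.100.9 5555 tcp
2024-05-01T09:03:00Z 10.0.5.40 10.0.0.20 445 tcp
"""


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the configured internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Split one space-separated record into its fields."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def find_nonstandard_outbound(log_text: str, allowed_ports=STANDARD_PORTS) -> dict:
    """Return {src_ip: {(dst_ip, dst_port): connection_count}} for outbound
    connections to external hosts on ports outside the allowlist."""
    hits = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if is_internal(rec["dst"]) or rec["port"] in allowed_ports:
            continue  # internal traffic and expected ports are not of interest here
        hits[rec["src"]][(rec["dst"], rec["port"])] += 1
    return {src: dict(dests) for src, dests in hits.items()}


if __name__ == "__main__":
    for src, dests in sorted(find_nonstandard_outbound(SAMPLE_LOG).items()):
        for (dst, port), count in sorted(dests.items()):
            print(f"{src} -> {dst}:{port} ({count} connections)")
```

Repeated hits to the same external host and port from one source, as with 198.51.100.77:8443 above, are the pattern worth triaging first; a single connection is more often benign.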
Source: Cyber Security News