Full Report
Unit 42 says attackers are posing as helpdesk staff and persuading employees to hand over remote control before dropping EtherRAT trojan
Analysis Summary
# Tool/Technique: EtherRAT (Social Engineering via Microsoft Teams)
## Overview
This attack involves a multi-stage social engineering campaign where threat actors pose as IT helpdesk staff over Microsoft Teams. By gaining the victim's trust, they persuade them to grant remote access via legitimate tools before deploying **EtherRAT**, a versatile cross-platform Remote Access Trojan (RAT).
## Technical Details
- **Type:** Malware Family (RAT) / Social Engineering Technique
- **Platform:** Windows, Linux, macOS (Node.js based)
- **Capabilities:** Remote command execution, data exfiltration, file manipulation, persistence, and decentralized C2 infrastructure.
- **First Seen:** Variant 1.0 (Early 2024); Current campaign observed late June/July 2026.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.002 - Phishing: Spearphishing Link (Fake employee survey)
- T1566.003 - Phishing: Spearphishing via Service (Microsoft Teams)
- **TA0005 - Defense Evasion**
- T1216 - System Script Proxy Execution
- T1202 - Indirect Command Execution (Abuse of legitimate remote admin tools)
- **TA0011 - Command and Control**
- T1102.003 - Web Service: One-Way Communication (Ethereum Smart Contracts)
- T1071.001 - Application Layer Protocol: Web Protocols
- **TA0007 - Discovery**
- T1011 - Exfiltration Over Other Network Medium
## Functionality
### Core Capabilities
- **Cross-Platform Execution:** Built on Node.js, allowing it to target multiple operating systems with the same codebase.
- **Classic RAT Features:** Provides full remote shell access, file system browsing (upload/download), and direct system manipulation.
- **Social Engineering Leverage:** Utilizes legitimate Remote Desktop Software (AnyDesk, HopToDesk) to bypass initial security screenings for unauthorized remote access.
### Advanced Features
- **Blockchain-Based C2:** Uses Ethereum smart contracts to dynamically retrieve active C2 server addresses, making the infrastructure highly resilient to traditional domain takedowns.
- **Fallback Mechanisms:** Maintains a hardcoded secondary domain as a "cold standby" if the blockchain retrieval fails.
- **Deployment via MSI:** Delivered via a packaged MSI installer to facilitate persistence and easy deployment during a remote session.
## Indicators of Compromise
- **File Hashes:**
- *Samples referenced in Unit 42 repository (versions 1 through 9).*
- **File Names:**
- `CtrlVirtualCursorWin_*` (Generated by Teams during remote control)
- `AnyDesk.exe`, `HopToDesk.exe` (Unauthorized use of legitimate tools)
- **Network Indicators:**
- Blockchain interactions (Ethereum smart contract queries)
- [h]xxp[://]ether-rat[.]com (Defanged example)
- **Behavioral Indicators:**
- Incoming Microsoft Teams chat requests from "External unfamiliar" contacts.
- Unexpected MSI installations following a remote support session.
## Associated Threat Actors
- **Note:** Multiple groups have been observed using EtherRAT; it is often linked to actors exploiting vulnerabilities like React2Shell. No specific named APT group was attributed in this specific Teams campaign, though it displays advanced TTPs.
## Detection Methods
- **Signature-Based:** AV/EDR signatures for Node.js-based malware and specific MSI installer patterns.
- **Behavioral Detection:**
- Monitoring for Microsoft Teams sessions where a "cross-tenant OneOnOne chat" is initiated from an external source.
- Hunting for the creation of `CtrlVirtualCursorWin_*` files in user directories, which indicates an active remote control session.
- Detecting the retrieval of data from Ethereum gateway domains by non-crypto-related applications.
- **Forensic Artifacts:** Audit logs of Microsoft Teams showing the "External unfamiliar" tag for helpdesk-themed interactions.
## Mitigation Strategies
- **User Training:** Educate employees that internal IT will not contact them via Teams as "External" users and will never ask to install unapproved remote software for a survey.
- **Tenant Security:** Restrict external communications in Microsoft Teams to "Trusted Domains" only.
- **Application Control:** Whitelist approved remote administration tools and block others (like HopToDesk) at the network or endpoint level.
- **Endpoint Hardening:** Disable or monitor Node.js execution on standard workstations where it is not required for business operations.
## Related Tools/Techniques
- **AnyDesk / HopToDesk:** Legitimate tools abused for "Living off the Land" remote access.
- **React2Shell:** A vulnerability previously exploited to drop EtherRAT.
- **DarkGate:** Another RAT known for spreading via Microsoft Teams phishing.