Threat actors have leveraged a malicious copy of the popular Windows TFTP server and admin tool, Tftpd64, to compromise IT administrators and network professionals with an updated iteration of the EtherRAT malware, as part of a new hybrid attack campaign that combines system compromise with cryptocurrency theft, according to Cyber Security News.

Executing the illicit Tftpd64 installer file, downloaded from a spoofed GitHub repository, enables EtherRAT to establish a concealed directory within the local app data folder while deploying a self-contained Node.js runtime and other staged components to evade security tools, according to a report from LevelBlue SpiderLabs researchers. Once persistence is ensured, EtherRAT proceeds with covert system reconnaissance, obtaining Active Directory domain membership, system locale, and other details, before downloading another Node.js runtime and targeting several Ethereum RPC endpoints and Ethereum wallet addresses.

Organizations have been urged to download software only from official developer websites and to watch for suspicious entries in Windows Run registry keys to combat the threat.
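The Run-key check mentioned above, as an added defender-side example (not code from the LevelBlue SpiderLabs report or from Cyber Security News): it enumerates the per-user and machine-wide Run/RunOnce keys and flags autorun entries that start from the local app data folder or launch a Node.js runtime, the two traits the article attributes to EtherRAT's persistence. The exact directory and file names used by the malware are not given here, so the indicator patterns are assumptions meant for triage, not a signature.

```powershell
# Added example: flag Run/RunOnce entries matching the persistence traits described above.
function Get-SuspiciousRunEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties that Get-ItemProperty adds to every result; they are not registry values.
    $metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $localAppData = [Environment]::GetFolderPath('LocalApplicationData')

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            # Expand %LOCALAPPDATA% and similar so the path comparison sees the real location.
            $expanded = [Environment]::ExpandEnvironmentVariables($cmd).Trim('"')
            $flags = @()
            if ($expanded.StartsWith($localAppData, [StringComparison]::OrdinalIgnoreCase)) {
                $flags += 'runs from LocalAppData'
            }
            # Assumed indicator: a self-contained Node.js runtime launched from an autorun entry.
            if ($expanded -match '(?i)\bnode(\.exe)?\b') { $flags += 'references node.exe' }
            if ($expanded -match '(?i)\.js\b')          { $flags += 'launches a .js script' }
            if ($flags.Count -gt 0) {
                [PSCustomObject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $cmd
                    Flags   = ($flags -join '; ')
                }
            }
        }
    }
}

# Usage: list flagged entries; an empty result means nothing matched these traits.
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Review each hit against the software actually installed on the host; legitimate tools do run Node.js from the user profile, so a match is a lead for investigation, not proof of compromise.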
More sophisticated EtherRAT malware variant delivered via trojanized installer