Check Point Research has disclosed EtherRAT, a remote access trojan that uses the Ethereum blockchain as its command-and-control (C2) channel: operator instructions are encoded in the data field of Ethereum transactions sent to attacker-controlled wallet addresses, and the implant reads them back through public Ethereum nodes. The result is a C2 channel that traditional network controls handle poorly: there is no attacker domain to seize, nothing to sinkhole, and at the network layer the implant's queries look like ordinary Ethereum JSON-RPC traffic to a public node.
How Blockchain C2 Works
EtherRAT operators encode commands in the input data field of Ethereum transactions, an arbitrary byte payload that every node stores and relays but that has no execution effect on a plain transfer to a non-contract address; it only costs the sender gas. By querying public Ethereum nodes (including Cloudflare's Ethereum gateway at cloudflare-eth.com/v1/mainnet and Infura's API), the malware retrieves the transactions sent to attacker-controlled wallet addresses and parses the encoded commands without ever contacting attacker-operated infrastructure. One detail matters for defenders: the standard JSON-RPC interface has no per-address transaction-history call, so a client that depends only on plain node endpoints has to walk recent blocks (eth_getBlockByNumber with full transaction objects) and filter on the destination address, whereas a client that uses an explorer or indexer API instead introduces an additional, loggable destination.
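The mechanism above, worked through as an added example for this article: it is not Check Point's tooling and not EtherRAT's real wire format, which the article does not describe. The command framing (magic bytes, one opcode byte, argument), the wallet addresses, the transaction hashes and the block are all assumptions constructed so the script runs offline. It shows how a poller that talks only to a plain node walks a block for transactions to the control wallet, why the `from` check matters (the transaction signature is the only authentication, so without it anyone could post commands to a public address), and what each command costs the operator in intrinsic gas.

```python
"""Decode commands carried in Ethereum transaction calldata.

Added example for this article; it is not Check Point's tooling and not
EtherRAT's real wire format, which the article does not describe. The
framing (magic bytes, one opcode byte, argument) and all addresses, hashes
and the block below are assumptions constructed so the script runs offline.
"""

# Assumed addresses: illustrative only, not indicators from the article.
CONTROL_WALLET = "0x1111111111111111111111111111111111111111"   # implant watches tx sent here
OPERATOR_SENDER = "0x2222222222222222222222222222222222222222"  # key that signs commands
THIRD_PARTY = "0x3333333333333333333333333333333333333333"      # anyone else on chain

MAGIC = b"ER"                                           # assumed framing marker
OPCODES = {0x01: "shell", 0x02: "download", 0x03: "upload", 0x04: "screenshot"}


def encode_command(opcode: int, arg: bytes) -> str:
    """Hex calldata an operator would attach to a plain ETH transfer."""
    return "0x" + (MAGIC + bytes([opcode]) + arg).hex()


def decode_command(calldata_hex: str):
    """Return (opcode_name, arg) or None when the calldata is not a framed command."""
    if not calldata_hex.startswith("0x"):
        return None
    raw = bytes.fromhex(calldata_hex[2:])
    if len(raw) < len(MAGIC) + 1 or not raw.startswith(MAGIC):
        return None
    name = OPCODES.get(raw[len(MAGIC)])
    return None if name is None else (name, raw[len(MAGIC) + 1:])


def intrinsic_gas(calldata: bytes) -> int:
    """Gas a simple transfer pays: 21,000 base + 16 per non-zero and 4 per zero calldata byte (EIP-2028)."""
    zeros = calldata.count(0)
    return 21_000 + 16 * (len(calldata) - zeros) + 4 * zeros


def extract_commands(block: dict, control_wallet: str, operator: str) -> list:
    """Scan the `result` of eth_getBlockByNumber(tag, true) for operator commands.

    Standard JSON-RPC has no transactions-by-address call, so a poller that
    talks only to plain node endpoints walks blocks and filters on `to`.
    The `from` check is the only thing stopping anyone from posting commands
    to a public address: the signature on the transaction is the authentication.
    """
    found = []
    for tx in block["transactions"]:
        if (tx.get("to") or "").lower() != control_wallet.lower():
            continue                                    # not aimed at the control wallet
        if tx["from"].lower() != operator.lower():
            continue                                    # unauthenticated sender, ignore
        decoded = decode_command(tx["input"])
        if decoded is None:
            continue                                    # plain transfer or other calldata
        calldata = bytes.fromhex(tx["input"][2:])
        cost_wei = intrinsic_gas(calldata) * int(tx["gasPrice"], 16)
        found.append({"hash": tx["hash"], "cmd": decoded[0],
                      "arg": decoded[1], "cost_wei": cost_wei})
    return found


GAS_PRICE = hex(2_000_000_000)                          # 2 gwei, assumed

# Constructed block: one real command, one plain transfer, one spoofed command
# from a third party, and one unrelated contract call by the operator.
SAMPLE_BLOCK = {
    "number": "0x1312d00",
    "transactions": [
        {"hash": "0x" + "aa" * 32, "from": OPERATOR_SENDER, "to": CONTROL_WALLET,
         "gasPrice": GAS_PRICE, "input": encode_command(0x01, b"whoami /all")},
        {"hash": "0x" + "bb" * 32, "from": THIRD_PARTY, "to": CONTROL_WALLET,
         "gasPrice": GAS_PRICE, "input": "0x"},
        {"hash": "0x" + "cc" * 32, "from": THIRD_PARTY, "to": CONTROL_WALLET,
         "gasPrice": GAS_PRICE, "input": encode_command(0x01, b"calc.exe")},
        {"hash": "0x" + "dd" * 32, "from": OPERATOR_SENDER, "to": THIRD_PARTY,
         "gasPrice": GAS_PRICE, "input": "0xa9059cbb" + "00" * 64},
    ],
}

if __name__ == "__main__":
    for cmd in extract_commands(SAMPLE_BLOCK, CONTROL_WALLET, OPERATOR_SENDER):
        print(cmd["hash"][:10], cmd["cmd"], cmd["arg"], f"{cmd['cost_wei'] / 1e18:.8f} ETH")
```

Only the first transaction survives the filters: the second carries no calldata, the third has the right framing but is signed by the wrong key, and the fourth is not addressed to the control wallet. The 14-byte command costs 21,224 gas, so at the assumed 2 gwei it is a few hundred-thousandths of an ETH, which is the arithmetic behind the "negligible cost" observation later in the article; the same function lets you re-run that figure at whatever gas price applies today.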
The defence implications are significant:
- No attacker-controlled domain to block: the malware communicates only with legitimate public Ethereum node endpoints, all of which serve real blockchain infrastructure traffic
- No traditional C2 server to take down: commands are permanently recorded on-chain, so historical commands remain readable by the implant indefinitely and cannot be removed from the blockchain. The only thing that authenticates a command is the signature on the transaction, so whoever holds the operator's private key can issue commands; seizing a copy of that key does not, by itself, close the channel
- No distinctive network signature: Ethereum JSON-RPC calls over HTTPS are standard traffic for blockchain applications, developer tools and DeFi platforms, so the encrypted payload offers nothing to match on. The destination is still visible in DNS queries, the TLS SNI and proxy logs, which is what the controls described below rely on
- Resilience across network changes: victim machines behind different ISPs, in different countries, or behind egress proxies can all reach public Ethereum nodes, giving broad geographic coverage without custom infrastructure
The technique is not new in concept (researchers demonstrated blockchain-based C2 proof-of-concepts as early as 2019), but EtherRAT represents the first well-documented deployment in active targeted campaigns.
Infection Chain and Capabilities
EtherRAT is distributed via trojanised versions of legitimate administrative tools, specifically spoofed copies of PuTTY, FileZilla and WinSCP distributed via lookalike domains and search engine poisoning. The installer executes the legitimate application alongside the EtherRAT implant, reducing suspicion by delivering the expected software behaviour to the user.
Post-installation capabilities include:
- Persistent remote command execution (shell access)
- File upload and download
- Keylogging and screenshot capture
- Credential harvesting from browser stores and Windows Credential Manager
- Lateral movement via PsExec and WMI remote invocation
Attacker commands are issued by broadcasting new Ethereum transactions to the control wallet. Each command is a plain transfer, so its cost is the 21,000-gas base plus 16 gas per non-zero and 4 gas per zero byte of command data, multiplied by the prevailing gas price; at current Ethereum prices that is approximately $0.02 to $0.10 USD per command, making the operational cost of the C2 channel negligible.
Active Campaign Targeting
Check Point attributes ongoing EtherRAT campaigns to a threat actor cluster operating against government ministries, defence contractors, and financial institutions in Eastern Europe and the Middle East. The targeting profile is consistent with state-aligned intelligence gathering rather than financially motivated operations, though the forensic evidence does not allow attribution to a specific nation-state with high confidence.
Detection and Mitigation
Traditional C2 detection approaches (domain reputation, IP blocklists, DGA detection) are ineffective against EtherRAT's blockchain C2. Effective detection and containment require:
Network-level controls:
- Restrict outbound access to Ethereum JSON-RPC endpoints (HTTPS connections to cloudflare-eth.com, infura.io, alchemy.com and similar Ethereum API providers) to the systems that legitimately require blockchain access. Most enterprise endpoints have no business reason to query Ethereum nodes. A blocklist of providers is necessarily incomplete, since anyone can expose a node, so an egress allowlist is the stronger control.
- Log all outbound HTTPS connections and alert on connections to known Ethereum API provider domains from endpoints where blockchain access is not expected. Because the traffic is TLS, the usable fields are DNS queries, the TLS SNI and proxy destination logs; the JSON-RPC method names themselves are visible only where TLS inspection is in place.
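The logging control above, run over sample proxy records as an added example for this article (it is not Check Point's detection content). The log shape (timestamp, source host, destination name, port, and the JSON-RPC method where TLS inspection exposes it), the provider suffix list and the host allowlist are all assumptions; the records are constructed. Matching is by domain suffix so that provider subdomains such as eth-mainnet.g.alchemy.com are caught, and a host that repeatedly calls block- or transaction-polling methods is escalated, since that polling loop is what a block-walking implant looks like.

```python
"""Flag Ethereum JSON-RPC egress from hosts with no approved blockchain use.

Added example for this article, not Check Point's detection content. The
tab-separated log shape, provider list and allowlist below are assumptions;
the sample records are constructed so the script runs offline.
"""
from collections import Counter

# Public Ethereum RPC providers named in the article; extend from your own telemetry.
RPC_PROVIDER_SUFFIXES = ("cloudflare-eth.com", "infura.io", "alchemy.com")

# Hosts with a documented business need to reach Ethereum nodes (assumed).
BLOCKCHAIN_ALLOWLIST = {"dev-web3-01"}

# Methods a block-walking poller calls in a loop; only visible with TLS inspection.
POLLING_METHODS = {"eth_blockNumber", "eth_getBlockByNumber",
                   "eth_getTransactionByHash", "eth_getLogs"}


def domain_matches(host: str, suffixes) -> bool:
    """True if host equals a listed provider domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_line(line: str) -> dict:
    """Fields: ts, src host, dst name, dst port, JSON-RPC method or '-' (assumed layout)."""
    ts, src, dst, port, detail = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": src, "dst": dst, "port": int(port), "detail": detail}


def analyse(lines, min_polls: int = 3) -> list:
    """Return alerts as dicts; medium per (host, provider), high when polling repeats."""
    connections = Counter()   # (src, dst) -> number of connections
    polls = Counter()         # src -> number of polling-method calls seen
    for rec in map(parse_line, lines):
        if not domain_matches(rec["dst"], RPC_PROVIDER_SUFFIXES):
            continue                                    # not an Ethereum RPC provider
        if rec["src"] in BLOCKCHAIN_ALLOWLIST:
            continue                                    # approved blockchain system
        connections[(rec["src"], rec["dst"])] += 1
        if rec["detail"] in POLLING_METHODS:
            polls[rec["src"]] += 1
    alerts = [{"severity": "medium", "src": s, "dst": d, "connections": n}
              for (s, d), n in sorted(connections.items())]
    alerts += [{"severity": "high", "src": s, "dst": None, "connections": n}
               for s, n in sorted(polls.items()) if n >= min_polls]
    return alerts


# Constructed records: an approved dev box, a finance workstation polling a
# public gateway every 30 s, an HR workstation touching a provider subdomain,
# and an unrelated Windows Update connection.
SAMPLE_LOG = """\
1717000000.1\tdev-web3-01\tmainnet.infura.io\t443\teth_blockNumber
1717000001.2\tfin-ws-042\tcloudflare-eth.com\t443\teth_blockNumber
1717000031.5\tfin-ws-042\tcloudflare-eth.com\t443\teth_getBlockByNumber
1717000061.8\tfin-ws-042\tcloudflare-eth.com\t443\teth_getBlockByNumber
1717000070.0\thr-ws-007\teth-mainnet.g.alchemy.com\t443\t-
1717000080.0\tfin-ws-042\tupdate.microsoft.com\t443\t-
"""

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert["severity"].upper(), alert["src"], alert["dst"] or "(polling)", alert["connections"])
```

On the sample, the approved host produces nothing, the HR workstation gets a single medium alert for the Alchemy subdomain, and the finance workstation gets a medium alert for the gateway plus a high alert because three polling calls were seen. Where TLS inspection is absent the `detail` column will always be "-" and only the medium tier fires, which is still enough to act on for hosts with no blockchain role.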
Endpoint detection:
- The initial infection vector, trojanised administrative tools, is detectable via software provenance controls: AppLocker or WDAC publisher rules that allow each tool only when it is signed by its genuine publisher's certificate block both unsigned copies and copies signed with some other certificate, stopping the replica installer before the implant runs.
- EDR rules targeting keylogger patterns, browser credential database access, Windows Credential Manager reads and unusual screenshot API use are effective against EtherRAT's post-exploitation capabilities even when the C2 channel evades detection.
Supply chain hygiene:
- Distribute administrative tools (PuTTY, WinSCP, FileZilla) only through approved, internal repositories rather than allowing users to download from external sources. Software centralisation through a managed repository is the most reliable defence against trojanised installer attacks.
The EtherRAT disclosure reinforces a pattern of attackers migrating C2 infrastructure to legitimate cloud and distributed platforms, following Cloudflare Tunnels (DEEP#DOOR), ICP blockchain canisters (TeamPCP CanisterSprawl) and GitHub as a C2 relay (Tropic Trooper), specifically because these platforms resist conventional network-level interdiction.