Tracing Remus EtherHiding Infrastructure
# Tool/Technique: EtherHiding (via Remus Infostealer)
## Overview
EtherHiding is a **Dead Drop Resolver (DDR)** technique in which malware uses smart contracts on a blockchain (here Ethereum/BSC) to retrieve its Command and Control (C2) infrastructure. Instead of hardcoding a domain, the malware queries a decentralized blockchain contract, which makes C2 retrieval resilient to traditional takedowns and domain bans.
## Technical Details
- **Type:** Technique / Malware Variant (Remus is a 64-bit fork of Lumma Stealer)
- **Platform:** Windows (Remus/Lumma targets); Ethereum Blockchain (Infrastructure)
- **Capabilities:** Decentralized C2 resolution, evasion of static analysis, automated infrastructure rotation.
- **First Seen:** Early 2026 (Remus specific variant); EtherHiding techniques emerged generally in late 2023.
## MITRE ATT&CK Mapping
- **[TA0011 - Command and Control]**
- **[T1102 - Web Service]**
- **[T1102.001 - Dead Drop Resolver]**
- **[T1568.003 - DNS Calculation]** (Blockchain-based resolution)
- **[TA0007 - Discovery]**
- **[T1082 - System Information Discovery]** (Typical of Infostealers)
## Functionality
### Core Capabilities
- **Decentralized C2 Retrieval:** Uses the `eth_call` JSON-RPC method via public RPC endpoints (e.g., LlamaRPC) to read the C2 string from specific smart contracts.
- **Dynamic Infrastructure:** The operator calls a `write()` function on the contract to update the C2 URL string, allowing all active infections to migrate to new infrastructure instantly.
- **Data Exfiltration:** Inherits Lumma’s log structure for stealing browser credentials, crypto wallets, and system metadata.
### Advanced Features
- **Contract Obfuscation:** The operator names contracts neutrally (e.g., "DomainStorage") to blend in with legitimate Web3 development.
- **Immutability Leverage:** Exploits the fact that blockchain records cannot be deleted by defenders or law enforcement, ensuring the "dead drop" point remains accessible as long as the chain exists.
## Indicators of Compromise
- **Network Indicators (Defanged):**
- `http://fightwa[.]biz:5902` (Current Active C2)
- `http://chalx[.]live:5902` (Historical C2)
- `blablatst12345[.]net` (Test/Initial Domain)
- `eth.llamarpc[.]com` (RPC Endpoint used for resolution)
- **Blockchain Indicators:**
- **Contract Address (Active):** `0x999941b74F6bbc921D5174A5b29911562cd2D7CF`
- **Contract Address (Backup):** `0xf6896c4ddd2b821d5d2b3c18459acd9b5ec1ce21`
- **Operator Wallet:** `0xBeCFC3F9EB36E6Ec0E54f7A6627DA7EF648f8F01`
- **Function Selector:** `0xc2fb26a6`
- **Behavioral Indicators:**
- Outbound HTTPS traffic to public blockchain RPC providers.
- Process execution from temp directories with subsequent network connections to non-standard ports (e.g., 5902).
## Associated Threat Actors
- Unknown (Likely Lumma Stealer affiliates/customers using the enhanced **Remus** 64-bit variant).
## Detection Methods
- **Blockchain Monitoring:** Monitor Ethereum logs for the specific `DomainUpdated` event topic: `0xfe4d94448068b38fa4f90d468459f31695b3816d3b780071c1ae1c8a969ef543`.
- **Behavioral Detection:** Identify internal hosts making repeated requests to known public blockchain RPC endpoints (e.g., `cloudflare-eth.com`, `llamarpc.com`) followed by connections to IP addresses on suspicious high ports.
- **Network Filtering:** Flag or block `eth_call` payloads whose `data` field begins with the specific smart contract function selector (`0xc2fb26a6`) within RPC request bodies.
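The following is an added example, not part of the original report, covering the `eth_call` resolution described under Functionality and the RPC-payload check above: it flags JSON-RPC request bodies that target the listed contract addresses or carry the `0xc2fb26a6` selector, and decodes the ABI-encoded `string` an `eth_call` returns so an analyst can see what URL a contract currently resolves to. The sample request and the sample result (a placeholder URL, not a real indicator) are constructed for this example.

```python
import json

# Indicators from the report; the sample request/response below are constructed for this example.
REMUS_CONTRACTS = {
    "0x999941b74f6bbc921d5174a5b29911562cd2d7cf",  # active
    "0xf6896c4ddd2b821d5d2b3c18459acd9b5ec1ce21",  # backup
}
REMUS_SELECTOR = "0xc2fb26a6"

def classify_rpc_request(body: str) -> list[str]:
    """Return the reasons a JSON-RPC request body matches Remus EtherHiding (empty if none)."""
    reasons = []
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return reasons
    for call in req if isinstance(req, list) else [req]:  # batch requests are JSON arrays
        if not isinstance(call, dict) or call.get("method") != "eth_call":
            continue
        params = call.get("params")
        tx = params[0] if isinstance(params, list) and params and isinstance(params[0], dict) else {}
        to = str(tx.get("to", "")).lower()
        data = str(tx.get("data") or tx.get("input") or "").lower()
        if to in REMUS_CONTRACTS:
            reasons.append(f"eth_call to known Remus contract {to}")
        if data.startswith(REMUS_SELECTOR):
            reasons.append(f"eth_call data starts with selector {REMUS_SELECTOR}")
    return reasons

def decode_string_result(hex_result: str) -> str:
    """Decode an ABI-encoded `string` return value (offset word, length word, UTF-8 bytes)."""
    raw = bytes.fromhex(hex_result[2:] if hex_result.startswith("0x") else hex_result)
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8", errors="replace")

# Constructed eth_call request of the shape the malware sends to a public RPC endpoint.
SAMPLE_REQUEST = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": "0x999941b74F6bbc921D5174A5b29911562cd2D7CF", "data": "0xc2fb26a6"}, "latest"],
})
# Constructed eth_call result: ABI-encoded string "http://c2.example:5902" (placeholder, not a real IoC).
SAMPLE_RESULT = ("0x"
                 + "20".rjust(64, "0")  # offset of the string data: 32 bytes
                 + "16".rjust(64, "0")  # string length: 22 bytes
                 + "687474703a2f2f63322e6578616d706c653a35393032".ljust(64, "0"))
```

Feed `classify_rpc_request` the body of each outbound POST to an RPC provider captured by a proxy or EDR, and `decode_string_result` the `result` field of the matching response.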
## Mitigation Strategies
- **RPC Endpoint Filtering:** Block or strictly monitor access to public Blockchain RPC providers if they are not required for business operations.
- **Egress Filtering:** Restrict outbound traffic to uncommon ports (like 5902) to prevent C2 communication.
- **Endpoint Protection:** Use EDR solutions to monitor for the Remus log file structure and Lumma-like behavioral patterns.
## Related Tools/Techniques
- **Lumma Stealer:** The parent malware family.
- **Telegram/Steam Dead Drops:** Previous methods used by these actors before migrating to EtherHiding.
- **ClearFake:** An unrelated campaign known for pioneering the EtherHiding technique via worker scripts.