CallMeOnTheChain - EtherRAT Detailed Walkthrough

Introduction

This walkthrough guides you through the forensic analysis of a sophisticated attack featuring EtherRAT, a Remote Access Trojan that leverages blockchain technology for Command and Control (C2) infrastructure. The investigation begins with the compromise of an AWS EC2 instance through CVE-2025-55182, a critical Remote Code Execution vulnerability in Next.js applications.

What makes EtherRAT particularly interesting is its use of Ethereum smart contracts to dynamically resolve C2 server addresses—a technique that makes traditional takedown efforts exceptionally difficult. Throughout this analysis, we'll trace the complete attack lifecycle using the provided PCAP file with TLS session keys for decryption.

Setting Up Your Environment

Before beginning, configure Wireshark for TLS decryption:

  1. Open Wireshark and go to Edit → Preferences → Protocols → TLS
  2. Set (Pre)-Master-Secret log filename to the path of sslkeys.log
  3. Click OK and open maromalix_capture.pcap

With TLS decryption configured, HTTPS traffic will now appear as decrypted HTTP in Wireshark, allowing us to inspect request and response bodies.

Also we will be using cmder (which is pinned to taskbar) along with tshark so make sure you are in the correct directory

cd "/c/Users/Administrator/Desktop/Start Here/Artifacts"

Phase 1: Initial Access

Unlock Your Full Learning Experience with BlueYard Labs

Sign up to track your progress, unlock exclusive labs, and showcase
your achievements—begin your journey now!
Join for Free