ERYTHRITE is an activity group that broadly targets organizations in the U.S. and Canada with ongoing, iterative malware campaigns.

ERYTHRITE Threat Group Operations

Dragos has observed ERYTHRITE compromising the OT environments of a Fortune 500 company and the IT networks of a large electrical utility, food and beverage companies, auto manufacturers, IT service providers, and multiple Oil and Natural Gas (ONG) service firms. ERYTHRITE has also compromised an electronic agreement and document signature management company with hundreds of millions of users worldwide. ERYTHRITE began their malicious activities in May of 2020 and is currently active.

ERYTHRITE has a history of highly effective search engine poisoning campaigns and deployment of credential stealing malware. Their malware is released as part of a rapid development cycle designed to be evasive to endpoint detection. ERYTHRITE is connected to another activity labeled as Solarmarker.

Dragos’s findings are generally in agreement with a 2021 Prodaft security research report which posits that during 2021 ERYTHRITE malware compromised approximately 20 percent of Fortune 500 companies.

ERYTHRITE deploys malware that is continuously recompiled to evade anti-virus protection. In their most recent SEO poisoning campaign, ERYTHRITE used a two-pronged approach that began with compromising otherwise legitimate websites to deliver malware. ERYTHRITE leveraged the popular WordPress plugin Formidable Forms to upload hundreds of malicious PDFs loaded with thousands of keywords. These keywords were optimized for search engine crawling so that the breached website appeared at the top of a search. When Dragos reached out to the owner of one subverted website, the owner confirmed that the adversary abused an unprotected Formidable Forms-based contact form, enabling arbitrary file uploads. Dragos assesses with moderate confidence that ERYTHRITE has breached the unprotected Formidable Forms contact pages of multiple other websites.

In phase two of ERYTHRITE’s malware delivery-enabling SEO poisoning campaign, ERYTHRITE subverted hundreds of other legitimate websites (or crafted new ones) with links that point to the poisoned PDFs on the websites using the Formidable Forms plugin. These black hat SEO tactics may use a variety of methods such as “cloaking” or “link farming” and increase the page rank of ERYTHRITE optimized search terms. Search engine algorithms rank the importance and trustworthiness of content based in part on the number of links to a web page. Unfortunately, in this case, it is to a poisoned PDF.

Dragos assesses with medium confidence that ERYTHRITE will continue to compromise and steal credentials and data from organizations leaving their OT environments vulnerable to further compromise by ERYTHRITE or others.

About Dragos Threat Intelligence

Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos does not corroborate nor conduct political attribution to threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’ approach to categorizing threat activity and attribution.

Dragos does not publicly describe ICS activity group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on ERYTHRITE and other group tools, techniques, procedures, and infrastructure is available to network defenders via Dragos WorldView.