Hackers are employing a new code distribution technique called ‘EtherHiding’ to hide malicious scripts within Binance’s Smart Chain (BSC) contracts. This method allows them to abuse blockchain systems, making it a more resilient and evasive distribution channel compared to their previous tactic of using compromised WordPress sites.
Furthermore, the campaign has evolved over the last two months, targeting vulnerable WordPress sites and misleading users into downloading fake browser updates. The attackers utilize BSC’s decentralized nature to hide malicious code, making it harder to detect and take down.
EtherHiding, orchestrated by threat actors known as ‘ClearFake,’ involves injecting code into compromised websites to display fraudulent browser update prompts. These attackers inject script tags into web pages, loading the Binance Smart Chain (BSC) JS library and fetching malicious scripts from the blockchain, which are then injected into the website. The third-stage payload, also fetched from the blockchain, prompts users to update their browsers, ultimately leading them to download malicious executables from legitimate hosting sites.
One key advantage for the attackers is the blockchain’s decentralized nature, which makes it difficult to take down code hosted on it. They can easily update the blockchain to swap out malicious code and related domains when one of their domains gets flagged. The lack of charges to make these changes allows them to abuse the system without suffering a financial burden. The most effective mitigation strategy against EtherHiding and similar threats is to enhance WordPress security by using strong admin passwords, keeping plugins up to date, and removing unused add-ons and accounts.
EtherHiding is a testament to the evolving tactics of threat actors in making their attacks resistant to takedowns. If successful, this method could become integral to various payload delivery attack chains in the coming months, demonstrating the increasing threat posed by blockchain-based malicious activities.