In a new and concerning development, threat actors have been observed leveraging Binance’s Smart Chain (BSC) contracts to serve malicious code. This tactic, known as the “next level of bulletproof hosting,” poses significant challenges for intervention and disruption. Guardio Labs has dubbed this ongoing malware campaign as EtherHiding, shedding light on the increasing sophistication of cyber threats.
Background of the malware campaign
For some time now, cybercriminals have been utilizing compromised WordPress sites to trick unsuspecting visitors. These compromised sites serve fake warnings, prompting users to update their browsers before being granted access. However, a novel twist has been introduced in the form of leveraging BNB Smart Chain to serve deceptive browser update notices. This adds an extra layer of credibility to the malicious campaign, as users may mistakenly believe that the updates are legitimate.
Malicious code injection
To accomplish their malicious objectives, threat actors inject obfuscated JavaScript into infected WordPress sites. This injected code is carefully designed to query the BNB Smart Chain, seeking instructions on how to serve the deceptive browser update notices. By leveraging the decentralized nature of the blockchain, the attackers gain a level of resilience that makes it difficult to intervene and disrupt their attack chain.
Deceptive Browser Update Notices
Once visitors to compromised sites encounter the fake overlay and click on the update button, they are unwittingly redirected to platforms like Dropbox, where they are prompted to download a seemingly innocent executable file. However, this downloaded file contains malicious code that can compromise the victim’s system and lead to further cyber attacks.
Challenges in Intervention and Disruption
The decentralized nature of the blockchain poses significant challenges when it comes to tagging and addressing the associated smart contracts used in phishing schemes. As a result, law enforcement agencies and cybersecurity organizations face an uphill battle in attempting to disrupt and neutralize these malicious actors. The lack of a centralized authority hampers efforts to trace and shut down the infrastructure supporting the attacks.
ClearFake Campaign and Drive-By Download Technique
The broader campaign, known as ClearFake, employs a JavaScript framework to deliver additional malware to unsuspecting victims. This framework enables threat actors to use the drive-by download technique, where malware is silently and automatically installed on a user’s device without their knowledge or consent. This method increases the stealth and effectiveness of the attack, making it even more challenging to detect and mitigate.
IDAT Loader and HijackLoader
Within the observed attack chains, we have identified the deployment of malware loaders such as IDAT Loader and HijackLoader. These loaders act as launchpads for various stealers and trojans, allowing the threat actors to carry out a range of malicious activities. The fact that the same threat group is involved in both the IDAT Loader/HijackLoader campaign and the SocGholish campaign suggests that one actor may be responsible for maintaining two distinct malware families.
Recommended security measures for WordPress users
To protect against these types of attacks, it is crucial that WordPress users adhere to robust security best practices. These measures include regularly updating their WordPress installations, themes, and plugins, as well as employing strong and unique passwords. Regular security audits should also be conducted to identify and address any vulnerabilities in the website’s configuration.
The exploitation of Binance’s Smart Chain contracts for malicious code delivery marks a significant advancement in cybercrime tactics. The EtherHiding campaign, along with the broader ClearFake campaign, demonstrates the ongoing evolution and resilience of threat actors. As these attacks continue to become more sophisticated, it is vital for individuals and organizations to remain vigilant, adopt effective security measures, and stay informed about the latest cybersecurity threats. By doing so, we can collectively mitigate the risks posed by these malicious actors and protect our digital ecosystems.