Threat Actors Utilize Binance Smart Chain in Malware Campaign
/ 3 min read
Quick take - Threat actors are increasingly using Binance’s Smart Chain to deliver malicious code in a campaign known as “EtherHiding,” which exploits compromised WordPress sites through deceptive browser update warnings and the installation of information-stealer malware.
Fast Facts
- The “EtherHiding” campaign utilizes Binance’s Smart Chain to deliver malware, primarily targeting compromised WordPress sites through deceptive browser update warnings.
- Guardio Labs identified this operation two months ago, marking a new phase in an ongoing malware campaign that exploits vulnerabilities in WordPress plugins.
- Attackers use obfuscated JavaScript to create smart contracts linked to their blockchain addresses, complicating detection and mitigation efforts.
- The broader campaign, known as “ClearFake,” employs various malware loaders to distribute information-stealer variants like Amadey, Lumma, and RedLine.
- To mitigate risks, WordPress users should follow security best practices, including keeping systems updated, removing unnecessary admin users, and enforcing strong passwords.
EtherHiding Campaign Exploits Binance’s Smart Chain
Threat actors are increasingly leveraging Binance’s Smart Chain (BSC) contracts to deliver malicious code in a campaign referred to as “EtherHiding.” Guardio Labs identified this operation approximately two months ago. This marks a new phase in an ongoing malware campaign that primarily exploits compromised WordPress sites.
Characteristics of the EtherHiding Campaign
The EtherHiding campaign is characterized by a sophisticated method. Victims are presented with deceptive warnings urging them to update their browsers before accessing compromised websites. This tactic leads to the installation of information-stealer malware variants such as Amadey, Lumma, and RedLine.
Security researchers Nati Tal and Oleg Zaytsev noted that the original hosting method on Cloudflare Worker hosts was disrupted. This disruption prompted the attackers to adopt blockchain technology. The decentralized and anonymous nature of blockchain complicates detection and mitigation efforts.
Attack Vectors and Techniques
The attack vectors primarily target WordPress sites through the use of malicious plugins and the exploitation of publicly disclosed vulnerabilities in widely used plugins. Infected websites are embedded with obfuscated JavaScript that interacts with the BNB Smart Chain to create smart contracts linked to attacker-controlled blockchain addresses.
The initial malicious script fetches a second-stage script, which retrieves a third-stage payload from a command-and-control (C2) server. It displays fraudulent browser update notices. When victims click the update button on the misleading overlay, they are redirected to download malicious executables from trusted file hosting services, such as Dropbox. The decentralized nature of the blockchain address and contract used in this phishing scheme makes it difficult to disrupt the ongoing malicious activities.
Broader Implications and Recommendations
Additional insights from Sekoia highlight that this broader campaign is dubbed “ClearFake.” ClearFake employs a JavaScript framework for malware delivery via drive-by downloads. The attack chains have led to the deployment of malware loaders known as IDAT Loader and HijackLoader, facilitating the distribution of various commodity stealers and trojans, including DanaBot, Lumma, Raccoon, RedLine, Remcos, SystemBC, and Vidar.
Notably, there are code similarities and tactical overlaps between IDAT Loader and HijackLoader, suggesting potential operation by the same threat group. Moreover, ClearFake and SocGholish (also known as FakeUpdates) exhibit similarities, indicating a potential connection between these malware families.
EtherHiding is a versatile technique that can be employed by various threat actors and is not limited to the ClearFake campaign. To mitigate risks, WordPress users are advised to adhere to security best practices, including keeping systems updated with the latest patches, removing unnecessary admin users, and enforcing strong passwords to enhance defenses against such threats.
Original Source: Read the Full Article Here
