Hackers develop novel technique, ‘EtherHiding,’ to conceal malicious code in blockchains

EtherHiding: Hackers create novel way to hide malicious code in blockchains

Cybersecurity researchers have uncovered a new tactic employed by threat actors to disseminate malware by exploiting Binance Smart Chain (BSC) smart contracts. This method, known as “EtherHiding,” involves compromising WordPress websites and injecting code that retrieves partial payloads from blockchain contracts. The attackers conceal these payloads within BSC smart contracts, effectively using the contracts as anonymous hosting platforms.

One of the notable features of this attack is its adaptability. The threat actors can alter the code and change their attack methods at will. Recent instances have taken the form of fake browser updates, where victims are lured into believing they need to update their browsers through deceptive landing pages and links. The payload typically consists of JavaScript that fetches additional code from the attacker’s domains, ultimately leading to the defacement of websites with counterfeit browser update notifications that distribute malware.

This approach allows the threat actors to constantly modify their attack chain, making it a challenging threat to mitigate. Nati Tal, Head of Cybersecurity at Guardio Labs, and fellow security researcher Oleg Zaytsev emphasized the difficulty in countering this emerging threat. Once infected smart contracts are deployed, they operate independently, leaving Binance to rely on its developer community to identify and flag malicious code in contracts when detected.

Guardio Labs advised website owners, particularly those using WordPress, which powers approximately 43% of all websites, to exercise extra vigilance in their security practices. WordPress websites are often compromised, serving as primary gateways for these threats to reach a wide pool of victims.

Source: Guard.io

The firm concluded that the advent of Web3 and blockchain technologies has opened up new possibilities for malicious campaigns to operate unhindered. It stressed the need for adaptive defenses to counter these evolving threats.
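For site owners acting on the advice above, one way to triage WordPress pages or theme files for script that reads from a blockchain and then runs what it retrieved. This is an added example, not code from Guardio Labs or the original article; the indicator patterns, the `scan_page` name and the sample pages are assumptions constructed for illustration, not published IoCs.

```python
import re

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)

# Heuristic indicators: assumptions chosen for illustration, not IoCs from the article.
CHAIN_READ = {
    "bsc_rpc_host": re.compile(r"bsc-dataseed\d*\.binance\.org", re.I),
    "json_rpc_eth_call": re.compile(r"\beth_call\b"),
    "chain_client_lib": re.compile(r"\b(?:ethers|web3)(?:\.umd)?(?:\.min)?\.js\b", re.I),
}
DYNAMIC_EXEC = {
    "eval": re.compile(r"\beval\s*\("),
    "function_ctor": re.compile(r"\bnew\s+Function\s*\("),
}

def scan_page(html: str) -> dict:
    """Classify one rendered page or theme file by what its <script> tags contain."""
    # Inspect script attributes (src=...) and inline bodies only, so article
    # text that merely mentions these terms does not trigger a hit.
    script_text = "\n".join(a + "\n" + b for a, b in SCRIPT_RE.findall(html))
    chain = sorted(n for n, rx in CHAIN_READ.items() if rx.search(script_text))
    dyn = sorted(n for n, rx in DYNAMIC_EXEC.items() if rx.search(script_text))
    if chain and dyn:
        verdict = "suspicious"   # reads chain data and executes strings as code
    elif chain:
        verdict = "review"       # chain access alone is legitimate on Web3 sites
    else:
        verdict = "clean"
    return {"verdict": verdict, "chain_read": chain, "dynamic_exec": dyn}

# Constructed samples (inert fragments, not captured from any real site).
BENIGN = """<html><body><p>Post about eth_call and eval( in prose.</p>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>document.title = "My blog";</script></body></html>"""

INJECTED = """<html><head>
<script src="https://cdn.example/ethers.umd.min.js"></script>
<script>/* constructed */ var rpc = "https://bsc-dataseed1.binance.org/";
/* ... contract read elided ... */ eval(decodedPayload);</script>
</head><body>Hello</body></html>"""

WEB3_SITE = """<script src="/static/web3.min.js"></script>
<script>showBalance();</script>"""

if __name__ == "__main__":
    for name, page in [("benign", BENIGN), ("injected", INJECTED), ("web3", WEB3_SITE)]:
        print(name, scan_page(page))
```

Obfuscated injections will evade string matching, so a "clean" verdict is not proof of integrity; pair a scan like this with file-integrity monitoring of themes and plugins.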
