A Novel Technique to Hide Malicious Code


Threat actors have adopted a new technique, named “EtherHiding,” to distribute malicious code. It abuses Binance Smart Chain (BSC) contracts to host parts of a malicious code chain, hiding them inside the blockchain.

To deliver the malicious JavaScript stored on the blockchain, threat actors used compromised WordPress sites that redirect to Cloudflare Worker hosts, which makes the distribution chain hard to trace and take down.

“In the attack flow, a site is defaced with a very believable overlay demanding a browser update before the site can be accessed. The fake ‘update’ turns out to be vicious infostealer malware like RedLine, Amadey, or Lumma,” reads the post by Guardio Labs.



EtherHiding Malware

This new technique has also been termed “ClearFake,” which distributes malicious codes through compromised websites by displaying fake browser update overlays.

According to reports shared with Cyber Security News, threat actors have been targeting vulnerable WordPress websites and injecting two malicious scripts into their web pages.

These scripts load the Binance Smart Chain (BSC) JavaScript library, which fetches further malicious scripts from the blockchain and injects them into the site. This second-stage code then triggers the download of the third-stage payload from the attacker-controlled server (C2).
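The loader pattern described above (a web3 client library, a read against a BSC contract, then a third-stage fetch) leaves recognisable traces in page source. The following is an added example, not code from the article or from Guardio Labs: a defender-side scanner that checks a page's HTML for the two contract addresses published in the IoC section below and for the surrounding loader markers. The library-name, RPC-hostname and `eth_call` patterns are assumptions about what such a loader typically looks like, and the sample pages are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# The two BSC contract addresses published in the article's IoC list
# (stored lowercase so comparisons are case-insensitive).
KNOWN_BSC_CONTRACTS = {
    "0xfc1fe66fb63c542a3e4d45305dab196e5eca222a",
    "0x7f36d9292e7c70a204facc2d255475a861487c60",
}

# Heuristic markers. These are assumptions about what an EtherHiding-style
# loader looks like in page source, not signatures taken from the article:
#  - a <script src=...> that pulls in a web3/ethers client library
#  - a Binance Smart Chain public JSON-RPC endpoint (bsc-dataseed hostnames)
#  - the eth_call JSON-RPC method, used to read data out of a contract
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)
WEB3_LIB = re.compile(r"(?:^|/)(?:web3|ethers)[^/]*\.js$", re.I)
BSC_RPC = re.compile(r"https?://[^\"'\s]*bsc-dataseed[^\"'\s]*", re.I)
ETH_CALL = re.compile(r"\beth_call\b")
HEX_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


@dataclass
class Finding:
    kind: str
    detail: str


def scan_html(html: str) -> List[Finding]:
    """Return every indicator found in a page's HTML/JS source."""
    findings: List[Finding] = []
    for m in SCRIPT_SRC.finditer(html):
        src = m.group(1)
        if WEB3_LIB.search(src.split("?")[0]):
            findings.append(Finding("web3_library", src))
    for m in BSC_RPC.finditer(html):
        findings.append(Finding("bsc_rpc_endpoint", m.group(0)))
    for m in ETH_CALL.finditer(html):
        findings.append(Finding("eth_call", m.group(0)))
    for m in HEX_ADDR.finditer(html):
        addr = m.group(0)
        kind = "known_contract" if addr.lower() in KNOWN_BSC_CONTRACTS else "contract_address"
        findings.append(Finding(kind, addr))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Collapse findings into one of: match, suspicious, review, clean."""
    kinds = {f.kind for f in findings}
    if "known_contract" in kinds:
        return "match"        # a published IoC is present on the page
    if {"web3_library", "bsc_rpc_endpoint", "eth_call"} <= kinds:
        return "suspicious"   # the full loader pattern with an unknown contract
    if kinds & {"bsc_rpc_endpoint", "eth_call"}:
        return "review"       # legitimate dapps do this too; needs a human look
    return "clean"


# Constructed sample: a blog page with an injected, inert stand-in for the
# loader. It only contains the strings the scanner looks for.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example/web3.min.js"></script>
<script>
// constructed stand-in: reads a contract via eth_call, nothing is executed
fetch("https://bsc-dataseed.binance.org/", {method: "POST",
  body: JSON.stringify({jsonrpc: "2.0", id: 1, method: "eth_call",
    params: [{to: "0xfc1fE66FB63c542A3e4D45305DaB196E5EcA222A", data: "0x"}, "latest"]})});
</script></head><body>blog post</body></html>"""

# Constructed sample: an ordinary page with no blockchain references.
CLEAN_PAGE = """<html><head><script src="/js/jquery.min.js"></script></head>
<body><p>Just a blog post.</p></body></html>"""


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("clean", CLEAN_PAGE)):
        found = scan_html(page)
        print(name, verdict(found), [(f.kind, f.detail) for f in found])
```

The `review` tier exists because a genuine dapp front end also loads web3 and issues `eth_call`; the published contract addresses are the only hard indicator, and the rest is context for triage. Run it over saved copies of a site's pages (or a crawler's output) rather than live, so nothing on the page is executed.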

(Image: EtherHiding, compromised website)

The fake browser update overlays are shown to Google Chrome, Microsoft Edge, and Mozilla Firefox users. When a victim clicks the “update” button, they are directed to download a malicious executable from Dropbox or another legitimate file-hosting site.

Blockchain technology, while being a powerful tool, can also be exploited in various ways, such as in the spread of malware or in the exfiltration of stolen data and files. These malicious activities can be difficult to track and shut down using traditional law enforcement methods.

A complete report about ClearFake has been published by Guardio Labs, providing detailed information about the distribution technique, exploitation methods, reason for Binance usage, and other information.

Indicators of Compromises (IOCs)

Related BSC Addresses/Contracts:
———————————–
0xfc1fE66FB63c542A3e4D45305DaB196E5EcA222A
0x7f36D9292e7c70A204faCC2d255475A861487c60

3rd Stage IP Addresses:
———————–
109[.]248[.]206[.]49

3rd Stage Attacker Controlled Domains:
————————————–
921hapudyqwdvy[.]com
98ygdjhdvuhj[.]com
boiibzqmk12j[.]com
bookchrono8273[.]com
bpjoieohzmhegwegmmuew[.]online
cczqyvuy812jdy[.]com
indogevro22tevra[.]com
ioiubby73b1n[.]com
kjniuby621edoo[.]com
lminoeubybyvq[.]com
nbvyrxry216vy[.]com
nmbvcxzasedrt[.]com
oekofkkfkoeefkefbnhgtrq[.]space
oiouhvtybh291[.]com
oiuugyfytvgb22h[.]com
oiuytyfvq621mb[.]org
ojhggnfbcy62[.]com
opkfijuifbuyynyny[.]com
pklkknj89bygvczvi[.]com
poqwjoemqzmemzgqegzqzf[.]online
pwwqkppwqkezqer[.]site
reedx51mut[.]com
sioaiuhsdguywqgyuhuiqw[.]org
ug62r67uiijo2[.]com
vcrwtttywuuidqioppn1[.]com
vvooowkdqddcqcqcdqggggl[.]site
ytntf5hvtn2vgcxxq[.]com
zasexdrc13ftvg[.]com
ziucsugcbfyfbyccbasy[.]com

Compromised WordPress Sites (Detected Last 14 Days):
—————————————————-
kprofiles[.]com
animexin[.]vip
coloredmanga[.]com
gayvidsclub[.]com
dailyangelprayers[.]net
healthella[.]com
techsprobe[.]com
avionprivat[.]ro
..
..
..
–> 510 More Domains Here –> https://pastebin.com/x23iWvix

Malware Hashes (samples):
————————————

Malware Filename samples (note Unicode abuse in filenames):
——————–
ChrоmеSеtuр.appx
ChrоmеSеtuр.exe
СhrоmеSеtup.exe
ChrоmеSеtuр.msi
MlсrоsоftЕdgеSеtup.appx
MlсrоsоftЕdgеSеtup.exe
MlсrоsоftЕdgеSеtup.msi
MlсrоsоftЕdgеSеtup.msix
Setup_win64_2.49.0.4_release.exe
Setup_win64_5.49.1031-release.exe
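The filenames above imitate genuine installer names by swapping Latin letters for identical-looking Cyrillic ones (and, in the Edge variant, a lowercase L for the i in "Microsoft"). The following is an added example, not from the article or Guardio Labs, of how a download-monitoring or mail-gateway check can flag such names: it detects mixed scripts in a filename and folds lookalike letters back to Latin to see which brand the name is imitating. The confusable table is a small hand-picked subset modelled on Unicode UTS #39, the brand list is an assumption, and the sample filenames are constructed with explicit escapes to mirror the published ones.

```python
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Lookalike folding: each Cyrillic letter maps to the Latin glyph it imitates.
# Hand-picked subset modelled on the UTS #39 confusables data, not the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}

# Installer names a fake "browser update" lure would want to imitate (assumed list).
BRAND_STEMS = ["ChromeSetup", "MicrosoftEdgeSetup", "FirefoxSetup"]


def script_of(ch: str) -> str:
    """Rough script of a letter from its Unicode name, e.g. LATIN or CYRILLIC."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def fold(stem: str) -> str:
    """Replace known lookalike letters with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in stem)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-letter swaps such as 'Mlcrosoft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    filename: str
    mixed_scripts: bool                 # Latin and non-Latin letters in one name
    foreign_letters: List[Tuple[str, str]] = field(default_factory=list)
    folded: str = ""                    # name after confusable folding
    imitates: Optional[str] = None      # brand stem the name is passing off as


def analyze(filename: str) -> Verdict:
    stem = filename.rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    scripts = {script_of(c) for c in letters}
    foreign = [(c, unicodedata.name(c, "?")) for c in letters if script_of(c) != "LATIN"]
    folded = fold(stem)
    imitates = None
    for brand in BRAND_STEMS:
        # The genuine name itself is not suspicious; a folded or near-miss copy is.
        if stem.lower() != brand.lower() and levenshtein(folded.lower(), brand.lower()) <= 1:
            imitates = brand
            break
    return Verdict(filename, len(scripts) > 1, foreign, folded, imitates)


def is_suspicious(filename: str) -> bool:
    v = analyze(filename)
    return v.mixed_scripts or v.imitates is not None


# Constructed samples written with escapes so the Cyrillic letters are explicit.
# They mirror the published names: Cyrillic о, е, р in "ChromeSetup", and in the
# Edge name Cyrillic с, о, Е, е plus a Latin lowercase L standing in for the i.
SAMPLE_FILENAMES = [
    "Chr\u043em\u0435S\u0435tu\u0440.exe",
    "Ml\u0441r\u043es\u043eft\u0415dg\u0435S\u0435tup.msi",
    "Setup_win64_2.49.0.4_release.exe",   # generic name: no homoglyphs to catch
    "ChromeSetup.exe",                    # the genuine spelling, left alone
]

if __name__ == "__main__":
    for name in SAMPLE_FILENAMES:
        v = analyze(name)
        print(f"{name!r}: mixed={v.mixed_scripts} folded={v.folded!r} "
              f"imitates={v.imitates} foreign={[n for _, n in v.foreign_letters]}")
```

Note that the generic `Setup_win64_*` names in the list carry no homoglyphs at all, so a filename check alone does not cover them; those need the source-of-download and hash checks to go with it.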

Source: Guardio Labs



