Cybersecurity analysts have recently uncovered a troubling trend in the world of blockchain technology – the emergence of a new attack vector known as “EtherHiding.” Contrary to what its name may suggest, EtherHiding has little to do with Ethereum itself. Instead, it is a method employed by nefarious actors to conceal malicious code within blockchain smart contracts for the purpose of distributing malware to unsuspecting victims.
Interestingly, these cybercriminals seem to favor Binance’s BNB Smart Chain over Ethereum. According to Joe Green, a security researcher from CertiK, one of the primary reasons behind this preference is the lower cost associated with BNB Smart Chain. The handling fees on BNB Smart Chain are significantly cheaper compared to Ethereum. Additionally, the network stability and speed of BNB Smart Chain are comparable to Ethereum, making it an attractive choice for these attackers. The cost-effective nature of BNB Smart Chain implies that these attackers face no financial pressure while executing their malicious actions.
The Mechanics of EtherHiding
EtherHiding attacks typically begin with hackers compromising WordPress websites and injecting code that retrieves partial payloads hidden within Binance smart contracts. The website’s front end is then replaced with a fake browser update prompt, which, when interacted with, retrieves the JavaScript payload from the Binance blockchain. To avoid detection, the malicious actors frequently modify the malware payloads and update the website domains. This enables them to continuously deceive unsuspecting users by disguising malware downloads as browser updates.
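A defensive triage check for the injection described above, added here as an example and not taken from the article or the researchers it cites: it flags inline scripts in a page that both reference a blockchain read (a BNB Smart Chain RPC host or the JSON-RPC method eth_call) and decode or execute data. The marker list, the function name scan_html and the two sample pages are assumptions constructed for illustration.

```python
import re

# Heuristic markers chosen for this example (assumptions, not IoCs from the article).
CHAIN_ACCESS = {
    "bsc_rpc_host": re.compile(r"bsc-dataseed\d*\.binance\.org", re.I),
    "eth_call": re.compile(r"\beth_call\b"),
}
SUPPORTING = {
    "contract_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "dynamic_exec": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)


def scan_html(html):
    """Return one finding per inline <script> that reads from a chain and
    also shows a supporting marker (address, decode, or dynamic execution)."""
    findings = []
    for index, match in enumerate(SCRIPT_RE.finditer(html)):
        body = match.group(1)
        chain = sorted(n for n, rx in CHAIN_ACCESS.items() if rx.search(body))
        support = sorted(n for n, rx in SUPPORTING.items() if rx.search(body))
        if chain and support:  # either group alone is too common to flag
            line = html.count("\n", 0, match.start()) + 1
            findings.append({"script": index, "line": line,
                             "chain": chain, "support": support})
    return findings


# Constructed, inert sample pages (not taken from any real site).
CLEAN_PAGE = """<html><head>
<script>var cfg = JSON.parse(atob("e30="));</script>
</head><body><p>Hello</p></body></html>"""

INJECTED_PAGE = """<html><head>
<script>document.title = "My blog";</script>
<script>
// constructed marker strings only; nothing here is called
var endpoint = "https://bsc-dataseed1.binance.org/";
var req = {method: "eth_call", params: [{to: "0x0000000000000000000000000000000000000001"}]};
function run(data) { return eval(atob(data)); }
</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page))
```

Sites that legitimately load web3 libraries will also match, so a hit is a prompt for manual review on sites that have no reason to query a blockchain.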
While the exact motives behind the choice to use BNB Smart Chain for EtherHiding attacks remain unclear, security researchers at Web3 analytics firm 0xScope suggest that this decision could be linked to the increased scrutiny on Ethereum. Ethereum’s security measures, such as Infura’s IP address tracking for MetaMask transactions, may pose higher risks of discovery for hackers attempting to inject malicious code into the Ethereum network. In comparison, BNB Smart Chain offers a potentially safer environment for executing these malicious activities with less chance of detection.
In their investigation, the 0xScope team traced the flow of funds between hacker addresses on both BNB Smart Chain and Ethereum. Surprisingly, key addresses were found to be associated with users of the NFT marketplace OpenSea and Copper custody services. This discovery raises concerns about the potential vulnerabilities within these platforms and highlights the sophistication of the EtherHiding scheme. The attackers behind EtherHiding meticulously update their payloads on a daily basis across 18 identified hacker domains. This constant evolution and adaptability make it incredibly challenging to detect and prevent these attacks.
EtherHiding represents a new and concerning frontier in the realm of malicious code. By hiding payloads in blockchain smart contracts and utilizing BNB Smart Chain, cybercriminals are able to distribute malware to unsuspecting victims with alarming ease. As the threat landscape continues to evolve, it becomes increasingly crucial for individuals and organizations to remain vigilant and employ robust security measures to safeguard against such attacks.

