'Etherhiding' Blockchain Technique Masks Malicious Code in WordPress Sites

A threat actor has been abusing proprietary blockchain technology to hide malicious code in a campaign that uses fake browser updates to spread various malware, including the infostealers RedLine, Amadey, and Lumma.

While abuse of blockchain is typically seen in attacks aimed at stealing cryptocurrency — as the security technology is best known for protecting these transactions — EtherHiding demonstrates how attackers can leverage it for other types of malicious activity.

Researchers from Guardio have been tracking a campaign dubbed ClearFake over the last two months in which users are misled into downloading malicious fake browser updates from at least 30 highjacked WordPress sites.

The campaign uses a technique called "EtherHiding," which "presents a novel twist on serving malicious code" by using Binance Smart Chain (BSC) contracts from Binance — one of the world's largest cryptocurrency sites — to host parts of a malicious code chain "in what is the next level of Bullet-Proof Hosting," according to a recent post by Guardio.

"BSC is owned by Binance and focuses on contracts: coded agreements that execute actions automatically when certain conditions are met," Guardio explained in the post. "These contracts offer innovative ways to build applications and processes. Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted 'on-chain' without the ability for a takedown."

Attackers are leveraging this in their attack by hosting and serving malicious code in a manner that can't be blocked, making it difficult to stop the activity. "This campaign is up and harder than ever to detect and take down," according to the post.

Attackers turned to this tack when their initial method of hosing code on abused Cloudflare Worker hosts was taken down, the researchers noted. "They've quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain," according to the post.

How the EtherHiding Cyberattack Works

The attack begins when threat actors use compromised WordPress sites to embed a concealed JavaScript code that is injected into the pages, which retrieves a second-stage payload from an attacker-controlled server. From there, attackers deface websites with "a very believable overlay demanding a browser update before the site can be accessed," according to Guardio.

"Using this method, the attacker can remotely and instantly modify the infection process and display any message they want," according to the post. "It can change tactics, update blocked domains, and switch out detected payloads without re-accessing the WordPress sites."

Blocking Blockchain Abuse

While blockchain and other Web 3.0 technologies bring innovation, they are also rife for abuse by threat actors that are continuously adapting to leverage their benefits for nefarious activity.

"Beyond this specific exploit, blockchain can be misused in myriad ways, from malware propagation stages to data exfiltration of stolen credentials and files, all eluding traditional law enforcement shutdown methods," according to Guardio.

One simple way to block the ClearFake attack would be for Binance to disable any query to addresses already tagged as "malicious," or disable the eth_call debug method for unvalidated contracts, according to the post. The researchers did not disclose if they contacted Binance about this potential fix.

Securing WordPress sites — which are prone to vulnerabilities and thus ripe for exploitation — also would block the gateway for threats like this to have broad victim impact, according to Guardio.

To this end, the researchers recommend protecting sites by keeping WordPress infrastructure and plugins updated, safeguarding credentials, using robust, periodically-changed passwords, and generally keeping a close eye on what's happening on sites to detect malicious activity.