Cybersecurity researchers have uncovered a technique known as “EtherHiding,” in which threat actors use Binance Smart Chain (BSC) smart contracts to conceal and distribute malicious payloads. The attackers use blockchain transactions to manipulate BNB Smart Chain smart contracts, which lets them hide malware and disseminate malicious code.
Security researchers at Guardio Labs detailed the “EtherHiding” technique in an October 15 report, revealing that cybercriminals compromise WordPress websites by injecting code that retrieves partial payloads from blockchain contracts. The attackers hide these payloads within BSC smart contracts, essentially turning the contracts into anonymous, free hosting platforms for malicious code.
What makes “EtherHiding” particularly insidious is its adaptability. The attackers can effortlessly update the code and alter their attack methods at will. Recent instances of this technique involve fake browser updates, where victims are enticed into updating their browsers through deceptive landing pages and links. The payload, which contains JavaScript, fetches additional code from the attacker’s domains, culminating in full-site defacement with fraudulent browser update notices that distribute malware.
The flexibility of this approach allows threat actors to modify the attack chain seamlessly by swapping out malicious code with each new blockchain transaction. Guardio Labs highlights the challenge of mitigating such attacks, with Nati Tal, Head of Cybersecurity at Guardio Labs, and fellow researcher Oleg Zaytsev emphasizing the difficulty in combating this dynamic threat.
Once infected smart contracts are deployed, they operate autonomously, leaving Binance with limited options. The platform must rely on its developer community to identify and flag malicious code in contracts as they are discovered.
Guardio emphasized the heightened vulnerability of WordPress sites, which power approximately 43% of all websites. The researchers issued a cautionary note, stating, “WordPress sites are so vulnerable and frequently compromised, as they serve as primary gateways for these threats to reach a vast pool of victims.”
The discovery of “EtherHiding” underscores the need for website owners, especially those on WordPress, to strengthen their security practices and defenses against emerging threats that use blockchain technology to host and deliver malicious code.
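One check a site owner could run over page source or theme files for the injection described above, as an added example that is not code from Guardio Labs or from this article. The indicator patterns, the sample pages, and the names `scan_page` and `ScriptCollector` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed heuristics (not from the Guardio report): signs that a script reads
# from a blockchain node, and signs that it runs fetched text as code.
CHAIN_HINTS = [re.compile(p, re.I) for p in (
    r"eth_call",                          # JSON-RPC read-only contract call
    r"bsc-dataseed",                      # naming used by public BSC RPC hosts
    r"\b(?:web3|ethers)(?:\.min)?\.js",   # chain client library loaded by URL
)]
EXEC_HINTS = [re.compile(p) for p in (
    r"\beval\s*\(", r"\bnew\s+Function\s*\(", r"\batob\s*\(")]

# Constructed sample pages (non-functional placeholders, not real payloads).
INJECTED = ('<script src="https://cdn.example/ethers.min.js"></script>'
            '<script>readContract("eth_call").then(function(d){eval(atob(d));});</script>')
DAPP = '<script src="https://cdn.example/ethers.min.js"></script><script>showBalance();</script>'
PLAIN = '<script>eval("1+1");</script>'


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.parts, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.parts.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.parts.append(data)


def scan_page(html):
    """Flag pages whose scripts both reach a chain node and execute dynamic code."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    text = "\n".join(collector.parts)
    chain = [p.pattern for p in CHAIN_HINTS if p.search(text)]
    execs = [p.pattern for p in EXEC_HINTS if p.search(text)]
    # Chain access alone is normal for dApps; the combination is the signal.
    return {"chain": chain, "exec": execs, "suspicious": bool(chain and execs)}
```

A hit is a prompt for manual review of the file and its change history, not proof of compromise, since obfuscated injections can evade simple pattern matching.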