A Novel Technique to Hide Malicious Code

Last Updated: October 21, 2023By

EtherHiding: A Novel Technique to Hide Malicious Code Using Binance’s Smart Chain

Threat actors have employed a new technique to distribute malicious code named “EtherHiding,†which abuses Binance’s Smart Chain (BSC) contracts to host parts of a malicious code chain to hide them inside the blockchain.

To inject malicious JavaScript codes into the blockchain systems, threat actors used compromised WordPress sites redirected to Cloudflare Worker hosts to achieve evasive distribution.

“In the attack flow, a site is defaced with a very believable overlay demanding a browser update before the site can be accessed. The fake “update†turns out to be vicious infostealer malware like RedLine, Amadey, or Lumma.â€, reads the post by Guardio Labs.

Document

FREE Webinar

API security isn’t just a priority; it’s the lifeline of businesses and organizations. Yet, this interconnectivity brings with it an array of vulnerabilities that are often concealed beneath the surface.


EtherHiding Malware

This new technique has also been termed “ClearFake,†which distributes malicious codes through compromised websites by displaying fake browser update overlays.

According to the reports shared with Cyber Security News, it was confirmed that threat actors have been targeting vulnerable WordPress websites to inject two malicious scripts into the web pages.

These malicious scripts load the Binance Smart Chain (BSC) JS library, which fetches other malicious scripts from the blockchain that are injected into the site. Moreover, this code also triggers the download of the third-stage payload from the attacker-controlled server (C2).

EtherHiding
Compromised Website

The fake browser update overlays are prompted for Google Chrome, Microsoft Edge, or Mozilla Firefox browser users. When the victims click the “update†button, they are directed to download a malicious executable from Dropbox or other legitimate websites.

Blockchain technology, while being a powerful tool, can also be exploited in various ways, such as in the spread of malware or in the exfiltration of stolen data and files. These malicious activities can be difficult to track and shut down using traditional law enforcement methods.

A complete report about ClearFake has been published by Guardio Labs, providing detailed information about the distribution technique, exploitation methods, reason for Binance usage, and other information.

Indicators of Compromises (IOCs)

Related BSC Addresses/Contracts:
———————————–
0xfc1fE66FB63c542A3e4D45305DaB196E5EcA222A
0x7f36D9292e7c70A204faCC2d255475A861487c60

3ed Stage IP Addresses:
———————–
109[.]248[.]206[.]49

3rd Stage Attacker Controlled Domains:
————————————–
921hapudyqwdvy[.]com
98ygdjhdvuhj[.]com
boiibzqmk12j[.]com
bookchrono8273[.]com
bpjoieohzmhegwegmmuew[.]online
cczqyvuy812jdy[.]com
indogevro22tevra[.]com
ioiubby73b1n[.]com
kjniuby621edoo[.]com
lminoeubybyvq[.]com
nbvyrxry216vy[.]com
nmbvcxzasedrt[.]com
oekofkkfkoeefkefbnhgtrq[.]space
oiouhvtybh291[.]com
oiuugyfytvgb22h[.]com
oiuytyfvq621mb[.]org
ojhggnfbcy62[.]com
opkfijuifbuyynyny[.]com
pklkknj89bygvczvi[.]com
poqwjoemqzmemzgqegzqzf[.]online
pwwqkppwqkezqer[.]site
reedx51mut[.]com
sioaiuhsdguywqgyuhuiqw[.]org
ug62r67uiijo2[.]com
vcrwtttywuuidqioppn1[.]com
vvooowkdqddcqcqcdqggggl[.]site
ytntf5hvtn2vgcxxq[.]com
zasexdrc13ftvg[.]com
ziucsugcbfyfbyccbasy[.]com

Compromised WordPress Sites (Detected Last 14 Days):
—————————————————-
kprofiles[.]com
animexin[.]vip
coloredmanga[.]com
gayvidsclub[.]com
dailyangelprayers[.]net
healthella[.]com
techsprobe[.]com
avionprivat[.]ro
..
..
..
–> 510 More Domains Here –> https://pastebin.com/x23iWvix

Malware Hashes (samples):
————————————
d0c56875fb19a407a86292e35dffec6caabbdbf630fbb79de4eec04708fa7b66
37bba90d20e429ce3fd56847e4e7aaf83c62fdd70a7dbdcd35b6f2569d47d533
b029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f
1a99ac759fcd881729b76c2904476b4201e794df2d0547c954ea37be7c153131
633124ed8d7af6dd22722ee43abfe9b0ad97798a1d48b951abdc1ad88e83c702
3db1afee107cf2fa57d13e60c13c87dd1c22bfa9ef23dcf369d52dd9807a5ff4
1743f4a392b6d2ad0d47a7a57e277e1a29ecf459275b604919a6131739afdaad
788567d3cc693dd5d0dada9f4e1421755c1d74257544ba12b502f085a620585e
3d77b34ba6dbb49d594e2be590a87f682e1875d2565ff18bdeafc66c9d5594ea
80f05865e59ec4e12e504adbf5fae3d706b5d27e5ab2fc52fcd0feb19365c7b0
e041b3eaaed1c0ad37e7f91717ee5b0e12e922b67bbe1e69a4c68c80baf22b4f
8ba53b5d773bc157df65fb0941c24e1edbc7c7b47e37b3f7a01751fc3b1a701a
2ab315537510fc91d73825d0d6661e9f4b141799877e2f5159892886265f362e

Malware Filename samples (Note UNICODE abuse in filenames):
——————–
ChrоmеSеtuр.appx
ChrоmеSеtuр.exe
СhrоmеSеtup.exe
ChrоmеSеtuр.msi
MlÑrоsоftЕdgеSеtup.appx
MlÑrоsоftЕdgеSеtup.exe
MlÑrоsоftЕdgеSеtup.msi
MlÑrоsоftЕdgеSеtup.msix
Setup_win64_2.49.0.4_release.exe
Setup_win64_5.49.1031-release.exe

Source: Guardio Labs

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.


Source link

Leave A Comment