Threat actors have employed a new technique to distribute malicious code named â€œEtherHiding,â€ which abuses Binance’s Smart Chain (BSC) contracts to host parts of a malicious code chain to hide them inside the blockchain.
â€œIn the attack flow, a site is defaced with a very believable overlay demanding a browser update before the site can be accessed. The fake â€œupdateâ€ turns out to be vicious infostealer malware like RedLine, Amadey, or Lumma.â€, reads the post by Guardio Labs.
API security isn’t just a priority; it’s the lifeline of businesses and organizations. Yet, this interconnectivity brings with it an array of vulnerabilities that are often concealed beneath the surface.
This new technique has also been termed â€œClearFake,â€ which distributes malicious codes through compromised websites by displaying fake browser update overlays.
According to the reports shared with Cyber Security News, it was confirmed that threat actors have been targeting vulnerable WordPress websites to inject two malicious scripts into the web pages.
These malicious scripts load the Binance Smart Chain (BSC) JS library, which fetches other malicious scripts from the blockchain that are injected into the site. Moreover, this code also triggers the download of the third-stage payload from the attacker-controlled server (C2).
The fake browser update overlays are prompted for Google Chrome, Microsoft Edge, or Mozilla Firefox browser users. When the victims click the â€œupdateâ€ button, they are directed to download a malicious executable from Dropbox or other legitimate websites.
Blockchain technology, while being a powerful tool, can also be exploited in various ways, such as in the spread of malware or in the exfiltration of stolen data and files. These malicious activities can be difficult to track and shut down using traditional law enforcement methods.
A complete report about ClearFake has been published by Guardio Labs, providing detailed information about the distribution technique, exploitation methods, reason for Binance usage, and other information.
Indicators of Compromises (IOCs)
Related BSC Addresses/Contracts: ———————————– 0xfc1fE66FB63c542A3e4D45305DaB196E5EcA222A 0x7f36D9292e7c70A204faCC2d255475A861487c60
3ed Stage IP Addresses: ———————– 109[.]248[.]206[.]49