Cybercriminals Exploit Binance Smart Chain to Disseminate Malware through Smart Contracts

Security researchers from Guardio Labs have uncovered a novel technique known as “EtherHiding” that cybercriminals are using to distribute malware through Binance Smart Chain (BSC) smart contracts. This sophisticated attack method involves compromising WordPress websites and utilizing BSC smart contracts to obfuscate malware while disseminating malicious code.

The researchers at Guardio Labs shared insights into this technique in a report published on October 15. According to their findings, the attackers compromise WordPress websites by injecting code that retrieves partial payloads from blockchain contracts, effectively camouflaging the malicious content within the BSC smart contracts.

In this attack vector, the attackers leverage BSC smart contracts as covert and anonymous hosting platforms for their payloads. Notably, these attackers have the ability to update the code and change attack methods at their discretion. In recent instances, the attacks have taken the form of counterfeit browser updates. Victims are prompted to update their browsers through a fake landing page and link.

The payload embedded in these attacks typically contains JavaScript code responsible for fetching additional code from domains controlled by the attackers. The execution of this code eventually results in the defacement of the target website, accompanied by bogus browser update notifications, which are designed to distribute malware.

One of the key characteristics of this attack method is its adaptability. Threat actors can modify the attack chain by simply swapping out the malicious code with each new blockchain transaction, making it particularly challenging to mitigate. As Nati Tal, Head of Cybersecurity at Guardio Labs, and security researcher Oleg Zaytsev highlight, once infected smart contracts are deployed, they operate autonomously. Guardio Labs’ report suggests that Binance, the operator of Binance Smart Chain, can primarily rely on its developer community to identify and flag malicious code in contracts upon detection.

This discovery underscores the evolving threat landscape in the realm of Web3 and blockchain, which offers new avenues for malicious campaigns to operate without immediate detection. In light of these emerging threats, cybersecurity experts are emphasizing the importance of adaptive defenses to effectively counter these sophisticated tactics.

The “EtherHiding” technique serves as a stark reminder of the need for continuous vigilance in the face of ever-evolving cyber threats. As technology evolves, so do the techniques employed by threat actors, reinforcing the critical role of proactive cybersecurity measures and community cooperation in maintaining a secure digital environment.