Security experts have uncovered a devious method employed by threat actors to conceal malicious payloads within Binance smart contracts. Their goal? To entice unsuspecting victims into updating their web browsers through counterfeit alerts. This latest revelation from the realm of cybersecurity has unveiled a novel means through which cybercriminals are proliferating malware to unassuming users. They achieve this by manipulating BNB Smart Chain (BSC) smart contracts to clandestinely hide malicious code.
This technique, known as “EtherHiding,” was meticulously dissected by the security team at Guardio Labs in a report released on October 15. In this report, they expound on the intricacies of the attack. It entails the compromise of WordPress websites by injecting code designed to retrieve partial payloads from blockchain contracts.
The malefactors artfully conceal these payloads within BSC smart contracts, effectively turning them into anonymous, yet insidious, hosting platforms. What sets this method apart is the attackers’ ability to adapt swiftly, changing their tactics and codes at will. The most recent wave of attacks has taken the form of counterfeit browser updates, using counterfeit landing pages and links to prompt unsuspecting victims to update their browsers.
The payload, laden with JavaScript, fetches additional code from the attackers’ domains. This sinister progression culminates in the complete defacement of the target site, with the distribution of malware under the guise of browser updates. This adaptability is what makes this attack particularly challenging to mitigate, as explained by Nati Tal, the head of cybersecurity at Guardio Labs, and fellow security researcher Oleg Zaytsev.
Once these infected smart contracts are deployed, they operate autonomously, leaving Binance with no recourse but to rely on its developer community to identify malicious code within the contracts when it is discovered. Guardio has emphasized the importance of vigilance, especially for website owners using WordPress, which powers approximately 43% of all websites. Guardio warns:
“WordPress sites are highly susceptible and often become compromised, serving as the primary entry points for these threats to reach a vast pool of potential victims.”
