So far, Bitcoin has stood the test of time. Although the cryptocurrency is a vector for scams and criminal activity, and its users are the target of cyber attacks such as spam and phishing, account compromise, and InfoStealer malware, Bitcoin's underlying blockchain technology has remained largely resilient to cryptographic attacks. However, blockchain technology, so often lauded for its security, can also be leveraged by threat actors, creating a new dimension in cybersecurity challenges.
Since the advent of blockchain, thousands of cryptocurrencies have spawned, most of them leveraging a decentralized finance model. Other uses for blockchain have emerged as well, such as smart contracts and their flagship crypto product, Ethereum. Ethereum has already been on the radar for cyber crime: hackers actively seek out and compromise smart contracts to steal the bitcoins they hold.
In late 2023, a new use case for Ethereum emerged, known as EtherHiding. This time, instead of hacking into smart contracts to rob them, attackers are leveraging them to host malware that they can later retrieve and download onto compromised systems. In this article we will learn about EtherHiding, how it helps attackers solve a detection problem, and review some recent attack campaigns that have used it.
EtherHiding is a new and sophisticated cyber attack technique, discovered in October 2023, that leverages blockchain technology to covertly host malware. The term "EtherHiding" can be misleading, because the technique can use a number of smart contract platforms, not only Ethereum.
Cyberattacks that involve malware infection typically happen in two distinct phases. The first phase is to gain unauthorized access to a victim's system. The second phase is to import malware onto the system and execute it. During the second phase, cyber criminals face the challenge of covertly importing their malware onto the victim's system while protecting their identity by removing any traces of their connection to the malware code. One technique attackers use to keep their malware accessible and protect their identity is known as bulletproof hosting. However, even with rogue hosting services, defenders can block the source IP address or domain where the malware is stored once they discover it.
The new EtherHiding tactic is especially effective at preventing defenders from easily blocking the malware's location, by leveraging blockchain's properties. Blockchain transaction anonymity makes it difficult to trace the identity of attackers, while the irreversibility of the blockchain means the malware is permanently embedded in it and cannot be deleted. Finally, since most blockchains are decentralized, it is virtually impossible for authorities to issue takedown notices that effectively remove the malicious code from the Internet, or to block the malware's source IP via firewall rules, because the decentralized blockchain is hosted across many IP addresses that are difficult or even impossible to track completely.
EtherHiding works by exploiting the decentralized nature of blockchain platforms, with a particular focus on the Binance Smart Chain (BSC). Cybercriminals use BSC's smart contracts to host malicious code. Smart contracts, once deployed, are hosted on the blockchain itself and are therefore resistant to takedowns. Also, by embedding the malicious code in the blockchain, attackers don't need to store extensive malware files on the victim's system, thwarting detection efforts.
Here is how EtherHiding works: the attacker embeds malicious JavaScript within the web pages of compromised websites, such as hacked WordPress sites. That JavaScript reaches out to and interacts with the smart contract to retrieve malware payloads via Binance's Software Development Kit (SDK). The eth_call method on BSC is commonly used to fetch the malicious code because it is a read-only query: it creates no transaction and therefore leaves no trace in the blockchain's transaction logs.
This makes EtherHiding an incredibly resilient method of attack, with little recourse for takedowns even after detection. Because BSC is decentralized, the contract can be served from a wide number of IP addresses, making rule-based detection impossible. Consequently, websites running outdated software or weak security configurations are particularly vulnerable to such attacks.
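Since the payload is retrieved through a read-only eth_call rather than a file download, one place defenders can still look is proxy or EDR logs of JSON-RPC traffic leaving the browser. The script below is an added example, not code from the article or any campaign: it decodes the ABI layout that eth_call returns for a contract function yielding a single `string` (32-byte offset, 32-byte length, padded UTF-8 bytes) and flags eth_call responses whose decoded value looks like script rather than contract state. The log entries, RPC host and contract addresses are constructed placeholders.

```python
import re

# Hypothetical helpers: ABI encode/decode of a single dynamic `string` return value.
def abi_encode_string(s):
    body = s.encode("utf-8")
    padding = (-len(body)) % 32
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(body).to_bytes(32, "big").hex() + body.hex() + "00" * padding)

def abi_decode_string(hex_data):
    raw = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    if len(raw) < 64:                      # too short to be a dynamic string (e.g. a bare uint256)
        return None
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8", errors="replace")

# Constructed sample of JSON-RPC traffic a proxy might log from one browser session.
CONSTRUCTED_PAYLOAD = 'document.write("<script>/* constructed sample */</script>")'
SAMPLE_LOG = [
    {"host": "rpc-node.placeholder.invalid",
     "request": {"method": "eth_blockNumber", "params": []},
     "response": {"result": "0x1a2b3c"}},
    {"host": "rpc-node.placeholder.invalid",          # ordinary state read: returns a uint256
     "request": {"method": "eth_call",
                 "params": [{"to": "0xCONTRACT_PLACEHOLDER_1", "data": "0xSELECTOR_PLACEHOLDER"}, "latest"]},
     "response": {"result": "0x" + (10).to_bytes(32, "big").hex()}},
    {"host": "rpc-node.placeholder.invalid",          # EtherHiding-style read: returns script text
     "request": {"method": "eth_call",
                 "params": [{"to": "0xCONTRACT_PLACEHOLDER_2", "data": "0xSELECTOR_PLACEHOLDER"}, "latest"]},
     "response": {"result": abi_encode_string(CONSTRUCTED_PAYLOAD)}},
]

# Markers that suggest a contract is returning code rather than state.
SCRIPT_MARKERS = re.compile(r"<script|eval\(|document\.write|atob\(|fetch\(", re.IGNORECASE)

def find_etherhiding_indicators(log):
    """Return one finding per eth_call, flagging responses that decode to script-like text."""
    findings = []
    for entry in log:
        request = entry["request"]
        if request.get("method") != "eth_call":
            continue
        call = (request.get("params") or [{}])[0]
        decoded = abi_decode_string(entry["response"].get("result", "0x"))
        findings.append({"host": entry["host"], "contract": call.get("to"),
                         "script_like": bool(decoded and SCRIPT_MARKERS.search(decoded))})
    return findings

if __name__ == "__main__":
    for finding in find_etherhiding_indicators(SAMPLE_LOG):
        print(finding)
```

In practice the same check can be applied to recorded eth_call responses from any RPC endpoint, since a contract that hands a browser a string full of `document.write` or `eval(` has no legitimate reason to do so.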
One notable cyber attack campaign that used EtherHiding is the "ClearFake" campaign, where cybercriminals compromised WordPress-based websites by injecting hidden JavaScript code into article pages.
In another case, EtherHiding was used together with fake updates, a tactic where users are tricked into downloading malware disguised as software updates. Victims were presented with pop-ups prompting them to download what appeared to be legitimate updates, but these actually delivered malicious code via the blockchain, leading to site defacement and malware infections.
EtherHiding leverages the decentralized nature of blockchain, particularly the Binance Smart Chain, to conceal and distribute malicious code via smart contracts. This tactic exploits blockchain’s anonymity and resistance to takedowns, making it highly effective and difficult to trace. Attackers can continuously update malicious payloads, evading traditional detection methods. Recent cases, like the ClearFake campaign, demonstrate how EtherHiding facilitates sophisticated cyberattacks, creating new challenges for defenders in detecting and mitigating these threats.