New Attack Vector "EtherHiding" Uses Binance Smart Chain to Hide Malicious Code

New Attack Vector EtherHiding Uses Binance Smart Chain to Hide Malicious Code
courtesy of cointelegraph.com

Introduction

Cybersecurity analysts have discovered a new attack vector called "EtherHiding" that hides malicious code in blockchain smart contracts. Contrary to its name, this method is not specific to Ethereum and is primarily being used on Binance's BNB Smart Chain. This article will delve into the details of this attack and explore the possible reasons behind its preference for BNB Smart Chain.

The Rise of EtherHiding

EtherHiding involves hiding malicious payloads inside smart contracts, with the intention of distributing malware to unsuspecting victims. Hackers compromise WordPress websites and inject code that pulls partial payloads buried in Binance smart contracts. By replacing the website's front end with a fake browser update prompt, they trick users into clicking, which then pulls the JavaScript payload from the Binance blockchain. The attackers frequently change the malware payloads and update website domains to evade detection, ensuring a constant supply of fresh malware downloads disguised as browser updates.
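For a site owner, the injection described above can be hunted in the pages the site actually serves. The following is an added example, not code from the article or from the researchers it cites: it parses a page's `<script>` elements and flags any script that combines several blockchain-read indicators. The indicator patterns, the `min_hits` threshold and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed indicator classes (not from the article); tune them for your own sites.
INDICATORS = {
    "bsc_rpc_host": re.compile(r"bsc-dataseed\d*\.[a-z0-9.-]+", re.I),
    "json_rpc_read": re.compile(r"\beth_call\b"),
    "contract_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

class ScriptCollector(HTMLParser):
    """Collects each <script> element as its src URL plus any inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = True
            self.scripts.append(dict(attrs).get("src") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

    def handle_data(self, data):
        if self._open:
            self.scripts[-1] += data

def scan_page(html, min_hits=2):
    """Return [(script_index, indicator_names)] for scripts matching at least
    min_hits indicator classes; one class alone is too noisy to alert on."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for index, body in enumerate(parser.scripts):
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
        if len(hits) >= min_hits:
            findings.append((index, hits))
    return findings

# Constructed sample pages: inert text with a placeholder host and address.
FAKE_ADDR = "0x" + "ab" * 20
CLEAN = "<html><script src='/wp-includes/js/jquery.js'></script><p>0x1234</p></html>"
TAMPERED = ("<html><script>var a=1;</script><script>/* injected */ "
            "q('https://bsc-dataseed.example.invalid', 'eth_call', '" + FAKE_ADDR + "');"
            "</script></html>")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, scan_page(page))
```

A match on a site with no legitimate web3 function is a reason to diff the theme and plugin files against known-good copies. Plain pattern matching will miss injected code that hides these strings.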

Preference for BNB Smart Chain

According to security researchers, one of the main reasons behind the preference for BNB Smart Chain is its lower costs compared to Ethereum. BSC's handling fees are much lower, making it a more financially viable option for the attackers. Additionally, BNB Smart Chain offers the same network stability and speed as Ethereum, while avoiding the increased security-related scrutiny that Ethereum has been facing. Systems such as Infura's IP address tracking for MetaMask transactions on Ethereum pose a higher risk of discovery for hackers injecting their malicious code using this blockchain.

The Difficulty in Detecting and Stopping EtherHiding

EtherHiding poses a significant challenge for cybersecurity experts due to its sophisticated nature. The attackers continuously update the malware payloads and website domains, making it hard to detect and stop their activities. The 0xScope team, a web3 analytics firm, recently tracked the money flow between hacker addresses on BNB Smart Chain and Ethereum, linking key addresses to NFT marketplace OpenSea users and Copper custody services. This further highlights the complexity of the attack and the difficulty in uncovering the true motives behind it.


Conclusion

EtherHiding is a new attack vector that exploits blockchain smart contracts to distribute malware. While its name may suggest a connection to Ethereum, it primarily targets Binance's BNB Smart Chain. The attackers leverage the lower costs and reduced security-related scrutiny of BNB Smart Chain to carry out their malicious activities. With continuously updated payloads and website domains, EtherHiding presents a formidable challenge for cybersecurity professionals striving to detect and prevent these attacks.





