‘EtherHiding’ hack uses Binance blockchain to extort WordPress users

Researchers at Guardio Labs have discovered a new attack known as ‘EtherHiding,’ which uses Binance Smart Chain and Bullet-Proof Hosting to serve malicious code within victims’ web browsers.

Unlike an earlier suite of fake update hacks that exploited WordPress, this variant uses a new tool: Binance’s blockchain. Earlier, non-blockchain variants interrupted a webpage visit with a realistic-looking, browser-styled ‘Update’ prompt. A victim’s mouse click installed malware.

Due to the cheap, fast, and poorly policed programmability of Binance Smart Chain, hackers can serve a devastating payload of code directly from this blockchain.

To be clear, this is not a MetaMask attack. Hackers simply serve malicious code inside victims’ web browsers that looks like any webpage that the hacker wants to create — hosted and served in an unstoppable manner. Using Binance’s blockchain to serve code, hackers attack victims for various extortion scams. Indeed, EtherHiding even targets victims with no crypto holdings.

Read more: Reuters hints at ‘dark secrets’ surrounding Binance and its reserves

Hijacking the browser to steal your information

Within the past few months, fake browser updates have proliferated. Unsuspecting internet users encounter a believable, secretly compromised website. They see a fraudulent browser update and absentmindedly click ‘Update.’ Immediately, hackers install malware like RedLine, Amadey, or Lumma. This type of malware, known as an ‘infostealer,’ often hides via Trojan attacks that have the superficial appearance of legitimate software.

The EtherHiding version of these WordPress-based update attacks uses a more powerful infostealer, ClearFake. Using ClearFake, EtherHiding injects JS code into unsuspecting users’ computers.

In an earlier version of ClearFake, some code relied on CloudFlare servers. CloudFlare detected and eliminated that malicious code, which gutted some of the functionality of the ClearFake attack.

Unfortunately, the attackers have learned how to evade cybersecurity-minded hosts like CloudFlare. They found a perfect host in Binance.

The EtherHiding attack notably redirects its traffic to Binance servers. It uses an obfuscated Base64 code that queries Binance Smart Chain (BSC) and initializes a BSC contract with an address controlled by the attackers. It notably calls some software development kits (SDKs) like Binance’s eth_call, which simulate contract execution and can be used to call malicious code. 

As Guardio Labs researchers pleaded in their Medium posts, Binance could mitigate this attack by disabling queries to addresses that it has flagged as malicious, or disabling the eth_call SDK.

For its part, Binance has flagged some ClearFake smart contracts as malicious on BSCScan, the dominant Binance Smart Chain explorer. Here, it warns blockchain explorers that the attacker’s addresses are part of a phishing attack.

However, it provides little useful information about the attack’s form. Specifically, BSCScan doesn’t display warnings to the actual victims where the hacks occur: inside their web browsers.

Web browser tips to avoid EtherHiding

WordPress has become notorious for being a target for attackers, with one-quarter of all websites using the platform.

• Unfortunately, approximately one-fifth of WordPress websites have not upgraded to the latest version, which exposes Internet surfers to malware like EtherHiding.
• Site administrators should implement robust security measures such as keeping login credentials safe, removing compromised plugins, securing passwords, and limiting admin access.
• WordPress administrators should upgrade WordPress and its plugins daily, and avoid using plugins with vulnerabilities.
• WordPress administrators should also avoid using ‘admin’ as a username for their WordPress administration accounts.

Beyond that, the EtherHiding/ClearFake attack is difficult to block. Internet users should simply be wary of any unexpected ‘Your browser needs updating’ notification, especially when visiting a website that uses WordPress. Users should only update their browser from the browser’s settings area — not by clicking a button within a website, no matter how realistic it appears.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.