
What is EtherHiding

Nov 22, 2023

This blog post will cover:

  • How EtherHiding works
  • What does EtherHiding have to do with Ethereum?
  • How can one avoid EtherHiding 

October 2023 was marked by a brand-new type of attack called EtherHiding. Cybercriminals found a way to abuse blockchain, using the anonymity and irreversibility of transactions to their advantage. Interestingly enough, despite the name, the attack has nothing to do with Ethereum.

In this article, we explain how it works and what users can do to protect themselves.

How EtherHiding works

Hackers have developed a novel technique called "EtherHiding" to host and distribute malicious code discreetly and without restrictions. They exploit blockchain technology, with a particular focus on the Binance Smart Chain (BSC), a blockchain platform tailored for decentralized applications and smart contracts.

In a recent campaign dubbed "ClearFake," cyber attackers infiltrated WordPress-based websites and inserted hidden JavaScript (JS) code into article pages. This initial code acts as a bridge, connecting to a server under the attackers' control, which orchestrates the rest of the website breach.

What sets this campaign apart is its use of blockchain-based hosting, which offers a degree of anonymity and resilience that traditional hosting services lack. The malicious code on the compromised WordPress site interacts with the BSC via Binance's Software Development Kit (SDK), specifically through the eth_call method. This method lets attackers retrieve the malicious code without leaving any trace: it is a read operation that costs nothing and is not recorded on the blockchain. Once the code is retrieved, it is executed in the victim's browser, resulting in site defacement and malware downloads.

Because of the inherent properties of the blockchain, code hosted on the BSC is resistant to takedowns, making it an attractive choice for hosting malicious code. The ability to host and distribute malicious code on the blockchain makes mitigation difficult. Once a smart contract is deployed on the BSC, it operates autonomously. While Binance provides community warnings and tags for malicious contracts on their BSCScan service, these measures may not work to prevent such attacks.

What does EtherHiding have to do with Ethereum?

In this context, "Ether" does not refer to Ethereum's cryptocurrency (ETH). Instead, it is used in a more general sense to describe the concept of blockchain technology, specifically smart contracts. 

Experts believe that BSC was used by hackers because it is less expensive to deploy smart contracts there compared to Ethereum. 

What is more, it is believed that Ethereum, the second largest blockchain, has more robust security measures than Binance Smart Chain, which would have been an obstacle to hackers.

How can one avoid EtherHiding 

There are several things that users can do to protect themselves from EtherHiding or at least to make sure that the chance of the attack is minimal:

  • It is necessary to keep the website software, plugins, and themes up to date to patch vulnerabilities;
  • All passwords should be strong and unique; also, two-factor authentication (2FA) is a must;
  • One should implement security plugins and web application firewalls;
  • The backups should be up-to-date;
  • It is necessary to limit user access to only necessary privileges and revoke access for inactive users.
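
Alongside these measures, a site owner can check rendered pages for the injected-script pattern described under "How EtherHiding works". The scanner below is an added example, not code from the original article or from any vendor; the indicator names, the rule for marking a script suspicious, and the sample pages are assumptions constructed for illustration.

```javascript
// Added example: heuristic scan of page HTML for EtherHiding-style inline scripts.
// Indicator set and the "suspicious" rule are assumptions, not a published signature.
const INDICATORS = {
  chainRead: /\beth_call\b/,                        // read-only call named in the article
  rpcEnvelope: /["']?jsonrpc["']?\s*:/,             // JSON-RPC request built in page content
  dynamicExec: /\beval\s*\(|\bnew\s+Function\s*\(/, // executes a string obtained at runtime
};

// Bodies of inline <script> elements (those without a src attribute).
function inlineScripts(html) {
  const out = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim()) out.push(m[2]);
  }
  return out;
}

// Append decoded text of long base64 literals so encoded indicators are still matched.
function expandBase64(js) {
  let extra = "";
  for (const m of js.matchAll(/["'`]([A-Za-z0-9+\/]{24,}={0,2})["'`]/g)) {
    const decoded = Buffer.from(m[1], "base64").toString("latin1");
    if (/^[\x09\x0a\x0d\x20-\x7e]+$/.test(decoded)) extra += "\n" + decoded;
  }
  return js + extra;
}

// Scan one page or post body and report every inline script with its indicator hits.
function scanPage(html) {
  return inlineScripts(html).map((body, index) => {
    const text = expandBase64(body);
    const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(text));
    // Chain read plus runtime execution is the combination the article describes.
    return { index, hits, suspicious: hits.includes("chainRead") && hits.includes("dynamicExec") };
  });
}

// Constructed, inert samples (not from any real site); the contract address is a placeholder.
const ENCODED = Buffer.from('{"jsonrpc":"2.0","method":"eth_call"}').toString("base64");
const SAMPLE_CLEAN = '<script src="/wp-includes/js/jquery.js"></script><script>document.title = "hi";</script>';
const SAMPLE_DAPP = '<script>rpc({jsonrpc: "2.0", method: "eth_call", params: [{to: "0xPLACEHOLDER"}]});</script>';
const SAMPLE_INJECTED = `<p>Post</p><script>var req = "${ENCODED}"; eval(RESPONSE_PLACEHOLDER);</script>`;

for (const [name, html] of Object.entries({ SAMPLE_CLEAN, SAMPLE_DAPP, SAMPLE_INJECTED })) {
  console.log(name, JSON.stringify(scanPage(html)));
}
```

A page that legitimately reads from a contract (SAMPLE_DAPP) matches the chain indicators but is not marked suspicious, so hits on a site that has no reason to talk to a blockchain deserve review even when `suspicious` is false.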

In conclusion, EtherHiding is yet another way used by hackers to steal users’ information, this time employing the anonymity and irreversibility of blockchain. Luckily, website owners can protect themselves by using robust security measures, such as 2FA, firewalls, etc. What is more, it is always necessary to follow crypto news to know about such developments and keep safe.
