Security analysts at 0xScope and CertiK have identified a preference among threat actors for using Binance’s BNB Smart Chain for the EtherHiding attack, a new method for concealing malicious code within blockchain smart contracts.
EtherHiding Attack Explained
EtherHiding is an emerging attack vector that involves hiding malicious payloads inside smart contracts with the aim of distributing malware to unsuspecting victims. Unlike what the name might suggest, this attack vector is not exclusive to Ethereum but has strong ties to Binance’s BNB Smart Chain.
Lower Costs Drive Adoption
Security researcher Joe Green from CertiK highlighted one of the primary reasons behind this preference, citing the significantly lower handling fees associated with BNB Smart Chain compared to Ethereum. The cost-effectiveness of BNB Smart Chain, combined with similar network stability and speed, makes it an attractive choice for cybercriminals.
Screenshot of malware updates being deployed in BSC smart contract. Source: Certik
Green explained, “The handling fee of BSC is much cheaper than that of ETH, but the network stability and speed are the same because each update of JavaScript Payload is very cheap, meaning there’s no financial pressure.”
Attack Methodology
EtherHiding attacks begin with the attackers compromising WordPress websites and injecting code that retrieves partial payloads concealed within Binance smart contracts. They then replace the website’s front end with a fake browser update prompt. Clicking on this prompt triggers retrieval of the JavaScript payload from the Binance blockchain, where it is updated frequently to evade detection. This tactic allows the attackers to continuously deliver fresh malware downloads disguised as browser updates.
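For a defender, the useful consequence of this methodology is that the injected page code has a recognisable shape: it reads contract state over JSON-RPC and then executes whatever comes back. The following is an added example, not code from the report or from CertiK or 0xScope, of a heuristic scanner that scores each inline script on a page for that combination. The signal patterns, the sample page, and the placeholder contract address are all constructed for illustration; `eth_call` is a real JSON-RPC method, but everything else here is an assumption.

```python
"""Heuristic scanner for EtherHiding-style injections in page HTML.

Added example, not part of the original report. It scores every inline
<script> on independent signals and flags scripts that pair a blockchain
read with dynamic code execution, the pattern the article describes.
Signal patterns are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Each signal is independent; only certain combinations raise a verdict.
SIGNALS = {
    # JSON-RPC read of contract state (eth_call is a real JSON-RPC method).
    "contract_read": re.compile(r"\beth_call\b|\bgetStorageAt\b", re.I),
    # Turning a hex/base64 blob into text before using it.
    "blob_decode": re.compile(r"fromCharCode|parseInt\([^)]*,\s*16\)|\batob\(", re.I),
    # Executing text as code or injecting a script element.
    "dynamic_exec": re.compile(r"\beval\(|new\s+Function\(|document\.write\(|createElement\(.script", re.I),
    # Social-engineering lure named in the article.
    "update_lure": re.compile(r"browser\s+update|update\s+your\s+browser", re.I),
}


@dataclass
class Finding:
    index: int      # position of the script in document order
    signals: list   # which signals matched
    verdict: str    # "malicious", "suspicious" or "clean"


def classify(signals: set) -> str:
    """Combine signals: a chain read feeding code execution is the key pair."""
    if "contract_read" in signals and "dynamic_exec" in signals:
        return "malicious"
    if "dynamic_exec" in signals and ("blob_decode" in signals or "update_lure" in signals):
        return "suspicious"
    return "clean"


def scan_html(html: str) -> list:
    findings = []
    for i, body in enumerate(SCRIPT_RE.findall(html)):
        hits = {name for name, rx in SIGNALS.items() if rx.search(body)}
        findings.append(Finding(i, sorted(hits), classify(hits)))
    return findings


def flagged(html: str) -> list:
    """Return only the findings worth alerting on."""
    return [f for f in scan_html(html) if f.verdict != "clean"]


# Constructed sample page: a benign analytics loader, a benign on-chain price
# widget (reads a contract but never executes the result), and a synthetic,
# non-functional marker script with the injected pattern's shape.
SAMPLE_HTML = """
<html><body>
<script>
  // benign: analytics loader; dynamic_exec alone is not enough to flag
  var s = document.createElement("script"); s.src = "/static/analytics.js"; document.head.appendChild(s);
</script>
<script>
  // benign: token price widget reading on-chain state and only displaying it
  rpc({jsonrpc: "2.0", method: "eth_call", params: [{to: TOKEN, data: PRICE_SELECTOR}, "latest"], id: 1})
    .then(r => { document.getElementById("price").textContent = parseInt(r.result, 16) / 1e18; });
</script>
<script>
  // synthetic marker of the injected pattern (placeholder address, not working code)
  rpc({jsonrpc: "2.0", method: "eth_call", params: [{to: "0xPLACEHOLDER", data: "0x"}, "latest"], id: 1})
    .then(r => eval(hexToString(r.result)));   // hexToString would use String.fromCharCode
</script>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f.index, f.verdict, f.signals)
```

The scoring deliberately requires the chain read and the execution sink together: a page that reads contract state for a price widget, or one that injects a script element for analytics, matches only one signal and stays clean. Where the read and the sink live in separate files, the same signals can be applied to each fetched script before combining them per page.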
Ethereum’s Increased Scrutiny
Another potential reason for the preference for BNB Smart Chain, as suggested by security researchers at Web3 analytics firm 0xScope, is the heightened security scrutiny faced by Ethereum. The increased attention on Ethereum may lead to a higher risk of discovery for hackers employing this method on the platform. Notably, systems like Infura’s IP address tracking for MetaMask transactions make it more challenging for malicious activities to go unnoticed on Ethereum.
The 0xScope team has been monitoring the financial flow between hacker addresses on BNB Smart Chain and Ethereum, uncovering key addresses linked to NFT marketplace OpenSea users and Copper custody services. The attack’s sophistication, which involves daily updates across 18 identified hacker domains, makes EtherHiding particularly challenging to detect and counteract.
This shift towards BNB Smart Chain reflects the evolving tactics of cybercriminals and underscores the need for enhanced security measures across blockchain networks.