“EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts

A new malware campaign called "EtherHiding" has emerged, using Binance's Smart Chain (BSC) contracts to host parts of a malicious code chain. The campaign starts by hijacking WordPress sites and tricking users into downloading fake browser updates that are actually malware. The attackers initially hosted the code on Cloudflare Worker hosts, but they quickly switched to the blockchain, relying on its decentralized and anonymous nature. Hosting the code on Binance's Smart Chain makes it difficult to detect and take down. The code injected into compromised WordPress sites queries the BSC blockchain to retrieve a payload, which is then executed as JavaScript code. Because the payload lives on the blockchain, the attackers can host it in a way that cannot be blocked. The campaign demonstrates how a blockchain can be abused to host malicious code.
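
The injection described above pairs a blockchain query with execution of the returned data, which gives a site owner something to look for in their own pages. The following is an added example, not code from the campaign or from the original write-up: a heuristic scanner for a page's inline scripts. The signal patterns (eth_call, web3/ethers usage, eval, base64 wrapping) are assumptions about what such an injection may contain, and the sample page is constructed.

```javascript
// Added example: heuristic scan of a page's inline <script> blocks.
// Assumption: an injected loader both queries a blockchain node and executes
// the result as code, so a script is reported only when both signal groups hit.
const CHAIN_SIGNALS = [
  { name: "json-rpc eth_call", re: /\beth_call\b/ },
  { name: "web3/ethers library", re: /\bnew\s+Web3\b|\bethers\.(?:providers|Contract|JsonRpcProvider)\b/ },
  { name: "contract address literal", re: /["'`]0x[0-9a-fA-F]{40}["'`]/ },
];
const EXEC_SIGNALS = [
  { name: "eval()", re: /\beval\s*\(/ },
  { name: "Function constructor", re: /\bFunction\s*\(/ },
];

// Inline scripts only; external ones (src=...) need a separate fetch-and-scan step.
function extractInlineScripts(html) {
  const scripts = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim()) scripts.push({ offset: m.index, body: m[2] });
  }
  return scripts;
}

// Assumption: the injection may be base64-wrapped. Append decoded atob("...")
// literals so the signals are matched against the unwrapped text as well.
function expandBase64(body) {
  let text = body;
  for (const m of body.matchAll(/\batob\s*\(\s*["'`]([A-Za-z0-9+/=]{16,})["'`]\s*\)/g)) {
    text += "\n" + Buffer.from(m[1], "base64").toString("latin1");
  }
  return text;
}

function scanPage(html) {
  const findings = [];
  for (const { offset, body } of extractInlineScripts(html)) {
    const text = expandBase64(body);
    const chain = CHAIN_SIGNALS.filter((s) => s.re.test(text)).map((s) => s.name);
    const exec = EXEC_SIGNALS.filter((s) => s.re.test(text)).map((s) => s.name);
    if (chain.length && exec.length) findings.push({ offset, chain, exec });
  }
  return findings;
}

// Constructed sample page: rpc() and decode() are undefined placeholders.
const wrapped = Buffer.from('rpc("eth_call",{to:"0x' + "0".repeat(40) + '"}).then(r=>eval(decode(r)))').toString("base64");
const SAMPLE_PAGE = [
  '<script src="/wp-includes/js/jquery/jquery.min.js"></script>',
  '<script>var cfg = eval("(" + raw + ")");</script>',
  '<script>const p = new ethers.JsonRpcProvider("https://rpc.example.invalid");</script>',
  `<script>eval(atob("${wrapped}"))</script>`,
].join("\n");
console.log(JSON.stringify(scanPage(SAMPLE_PAGE), null, 2));
```

Only the last script in the sample is reported: the eval-only and provider-only scripts each hit one signal group, which on its own is common in legitimate pages.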


