‘Etherhiding’ Blockchain Technique Hides Malicious Code in WordPress Sites

October 17, 2023 at 01:11PM

Attackers have been using proprietary blockchain technology to conceal malicious code in a campaign involving fake browser updates. The campaign, called ClearFake, tricks users into downloading fake browser updates from compromised WordPress sites. The attackers use a technique called “EtherHiding” to host malicious code on Binance Smart Chain contracts, making it difficult to block and detect. Blockchain abuse is a growing concern, and securing WordPress sites is recommended to prevent these types of attacks.

Key takeaways from the meeting notes:

1. Threat actors are using proprietary blockchain technology to hide malicious code in a campaign that spreads malware via fake browser updates.
2. The campaign, dubbed ClearFake, has been active for the past two months and has targeted users through hijacked WordPress sites.
3. The attackers are using a technique called “EtherHiding” that leverages Binance Smart Chain contracts to host parts of the malicious code and make it difficult to block or take down.
4. The attack begins by injecting concealed JavaScript code into compromised WordPress sites, which retrieves a second-stage payload from an attacker-controlled server.
5. Attackers deface websites with an overlay message demanding a browser update, allowing them to modify the infection process and display any message of their choice.
6. The researchers recommend blocking the ClearFake attack by disabling queries to addresses already tagged as malicious and disabling the eth_call debug method for unvalidated contracts on Binance.
7. Securing WordPress sites by keeping infrastructure and plugins updated, safeguarding credentials, and monitoring for malicious activity can help prevent such attacks.

Overall, the meeting highlighted the evolving nature of cyberattacks and the need for proactive measures to protect against blockchain abuse and vulnerabilities in platforms like WordPress.
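
The filtering recommended in takeaway 6, sketched as an added example (not code from the article or the researchers): a policy check for a gateway sitting in front of a BSC JSON-RPC endpoint. The gateway placement, the function name and both address sets are assumptions, and the addresses are constructed placeholders, not real indicators.

```python
import json

# Constructed placeholder addresses (assumptions, not real indicators).
TAGGED_MALICIOUS = {"0x" + "a" * 40}      # contracts already tagged as malicious
VALIDATED_CONTRACTS = {"0x" + "b" * 40}   # contracts the operator has validated


def classify_rpc_request(body: str) -> str:
    """Return 'allow' or 'block:<reason>' for one JSON-RPC HTTP request body."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return "block:unparseable"
    # JSON-RPC permits batching, so an eth_call can hide behind benign calls.
    calls = payload if isinstance(payload, list) else [payload]
    if not calls:
        return "block:malformed"
    for call in calls:
        if not isinstance(call, dict):
            return "block:malformed"
        if call.get("method") != "eth_call":
            continue  # this policy only covers eth_call
        params = call.get("params")
        tx = params[0] if isinstance(params, list) and params else None
        to = tx.get("to") if isinstance(tx, dict) else None
        if not isinstance(to, str):
            return "block:malformed"
        to = to.lower()  # addresses may arrive in mixed-case checksum form
        if to in TAGGED_MALICIOUS:
            return "block:tagged-malicious"
        if to not in VALIDATED_CONTRACTS:
            return "block:unvalidated-contract"
    return "allow"


def make_request(method: str, to: str = "") -> dict:
    """Build a constructed sample JSON-RPC request for the demo below."""
    params = [{"to": to, "data": "0x"}, "latest"] if to else []
    return {"jsonrpc": "2.0", "id": 1, "method": method, "params": params}


if __name__ == "__main__":
    batch = [make_request("eth_blockNumber"), make_request("eth_call", "0x" + "A" * 40)]
    for sample in (make_request("eth_call", "0x" + "b" * 40), batch):
        print(classify_rpc_request(json.dumps(sample)))
```

Such a check only works where the request body is visible, for example at the RPC provider or behind TLS inspection.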
