EtherHiding gives cybercriminals access to blockchain networks impervious to takedowns
The days of law enforcement agencies being able to engage in high-profile takedowns of the infrastructure that cybercriminals use to launch cyberattacks may be coming to a close because of blockchain networks.
Using an approach known as EtherHiding, cybercriminal syndicates are now copying a method of distributing malware using blockchain networks that was pioneered by hackers working on behalf of North Korea. Now a more financially motivated syndicate known as UNC5142 is using the same technique to turn more than 14,000 legitimate WordPress sites into a malware distribution network that may prove to be impossible to take down.
UNC5142 initially attacks these sites by distributing attack pages via legitimate services like Cloudflare Pages, exploiting trust in recognizable infrastructure. Lures commonly used include fake reCAPTCHA screens, data privacy agreements and spoofed Cloudflare error messages. Victims are manipulated into executing malicious commands through “ClickFix” techniques. The final payloads, infostealers such as VIDAR, ATOMIC and LUMMAC.V2, are delivered as encrypted data disguised as innocuous file types, then decrypted and executed entirely in memory to evade detection.
A lightweight JavaScript loader is injected into the compromised site. When a user visits the infected page, the loader queries a smart contract on Ethereum or BNB Smart Chain using a read-only function call, which creates no transaction and therefore leaves no transaction history on the chain. The fetched payload deploys infostealers, ransomware or fake authentication screens. More challenging still, because the payload is retrieved from the contract at visit time, attackers can rotate campaigns without touching the code initially injected into the compromised websites.
Long-term impact on the threat landscape
There is no way to compel any of these decentralized blockchain networks to comply with a court order, so as long as the Ethereum or BNB Smart Chain networks keep functioning, the infrastructure used to launch these malware attacks will persist. The network itself cannot distinguish a smart contract backing a legitimate application from one serving as a command-and-control channel that distributes malware. There are no servers for law enforcement agencies to identify and cart away in a raid.
The only way to thwart these attacks is to prevent a WordPress site or similar web application environment from being compromised in the first place, which will require more rigor in scanning pages and plug-ins for links to external networks. The challenge, as always, is that the individuals who build these sites don’t tend to have a lot of cybersecurity expertise.
Just as troubling, scanning every web page for external links to blockchain networks is a gargantuan task, and many organizations lack the time, money and resources to undertake it, which is a sad state of affairs that syndicates such as UNC5142 are counting on. At this point, cybersecurity teams should assume that many more cybercriminal syndicates are going to follow the EtherHiding lead of UNC5142.
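The loader mechanism described above (a read-only contract query followed by in-page execution of whatever comes back) and the scanning recommendation that follows it suggest what a page or plug-in scanner actually has to look for: the injected code carries no payload, so a defender matches on the shape of the loader instead. The script below is an added example written for this article, not a tool from the article or from any vendor. It scans page or plug-in source text for three indicator classes (public Ethereum/BNB Smart Chain JSON-RPC gateway hostnames, read-only chain-read calls such as `eth_call`, and dynamic code execution such as `new Function`/`atob`), flags a document only when a chain read appears alongside one of the other two, and extracts any 20-byte contract addresses so an analyst can look them up on a block explorer or add them to a blocklist. The gateway hostname list is an assumed starting point to be extended locally, and both sample pages are constructed, including the placeholder contract address.

```python
"""Scan web page or plug-in source text for EtherHiding-style loader indicators.

Added example (not from the article or from any vendor tool). Indicator lists
are assumed starting points; tune them for your own environment.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hostnames of public JSON-RPC gateways for Ethereum / BNB Smart Chain that a
# browser-side loader would contact. Assumed list; extend with your own.
RPC_HOST_PATTERNS = [
    r"bsc-dataseed\d*\.binance\.org",
    r"mainnet\.infura\.io",
    r"cloudflare-eth\.com",
    r"rpc\.ankr\.com",
]
# Read-only contract reads: no transaction is created, so nothing appears on chain.
CHAIN_READ_PATTERNS = [
    r"\beth_call\b",
    r"\bethers\.(?:JsonRpc|Web3)Provider\b",
    r"\bnew\s+Web3\s*\(",
]
# Ways a fetched blob gets turned into running code inside the page.
DYNAMIC_EXEC_PATTERNS = [
    r"\beval\s*\(",
    r"\bnew\s+Function\s*\(",
    r"\batob\s*\(",
]
CONTRACT_ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}")

INDICATORS = {
    "rpc_host": RPC_HOST_PATTERNS,
    "chain_read": CHAIN_READ_PATTERNS,
    "dynamic_exec": DYNAMIC_EXEC_PATTERNS,
}


@dataclass
class Finding:
    category: str
    line_no: int
    excerpt: str


def scan_document(text: str) -> list[Finding]:
    """Return one Finding per indicator category that matches on a line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, patterns in INDICATORS.items():
            if any(re.search(p, line, re.IGNORECASE) for p in patterns):
                findings.append(Finding(category, line_no, line.strip()[:80]))
    return findings


def contract_addresses(text: str) -> set[str]:
    """Collect 0x-prefixed 20-byte addresses for analysts to check on a block explorer."""
    return {m.group(0).lower() for m in CONTRACT_ADDRESS.finditer(text)}


def is_suspicious(findings: list[Finding]) -> bool:
    """A lone indicator is noise; a chain read next to a gateway or dynamic
    execution is the loader shape the article describes."""
    cats = {f.category for f in findings}
    return "chain_read" in cats and bool(cats & {"rpc_host", "dynamic_exec"})


# --- Constructed samples (not real captured pages) ---------------------------
BENIGN_PAGE = """<html><body>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>jQuery(function($){ $('.menu').addClass('ready'); });</script>
</body></html>"""

# Placeholder contract address; fragments only, not a working loader.
SUSPICIOUS_PAGE = """<html><body>
<script>
var g = "https://bsc-dataseed.binance.org/";
var q = {"jsonrpc":"2.0","id":1,"method":"eth_call",
         "params":[{"to":"0x00000000000000000000000000000000DeaDBeeF","data":"0x"},"latest"]};
/* ...response handled elsewhere... */ new Function(atob(r))();
</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        found = scan_document(page)
        print(f"{name}: suspicious={is_suspicious(found)} "
              f"addresses={sorted(contract_addresses(page))}")
        for item in found:
            print(f"  line {item.line_no} [{item.category}] {item.excerpt}")
```

Run it over the HTML of rendered pages as well as the on-disk theme and plug-in files, since an injected loader may live in either; the category combination rather than any single match keeps ordinary sites that legitimately use `atob` or embed a wallet library from flooding the results, and the extracted addresses are the durable indicator, because the contract persists even when the injected snippet is cleaned up.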
Cybersecurity has always been a game of whack-a-mole. What’s changing is that, thanks to blockchain, the mole is now a lot more capable of withstanding any whack that a law enforcement agency might deliver.