Malware scripts indelibly hidden in blockchain


Attackers first hosted malware and malicious scripts as a data source on Cloudflare. When Cloudflare reacted and moved to delete the data, the attackers came up with a new idea: they hid the scripts, disguised as cryptocurrency transactions (smart contracts), in the immutable Binance Smart Chain (BSC) blockchain.

With ClearFake, as the campaign is known, website visitors receive a message that their browser is out of date and needs to be updated. If the visitor clicks the link, malware files are automatically downloaded from a compromised Cloudflare worker host. So much for the known attack chain.

“EtherHiding” – undeletable malware in blockchain

But when Cloudflare blocked these accounts, the hackers had to find a new repository for their malware. The new, perfidious idea: they stored their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC). This technology is designed to run decentralized apps and “smart contracts,” or coded agreements. As soon as certain conditions are met, the stored data can be retrieved, in this case the malicious files.

Binance Smart Chain (BSC) now has a problem: it cannot delete the data. The company can only blacklist the IP and web addresses associated with the malware scripts. However, this only generates a warning message and does not prevent the JavaScript from being injected. According to an article from Guardio Labs, there is currently no way to stop the process or the retrieval of the files stored as a contract. Protection software at the user or company can block the IP address and also detect the malware that is being downloaded. But the source itself cannot be taken down.
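
Since the contract itself cannot be removed, detection has to happen on the retrieval side. The following is an added example, not code from the article or from Guardio Labs: it flags browser requests that read a contract from a BSC node while the referring page is not an approved dApp site. It assumes the injected script fetches the contract with a JSON-RPC `eth_call` request, that public BSC nodes are reachable under `bsc-dataseed…` hostnames, and that a body-inspecting proxy logs the hypothetical fields `client`, `url`, `referer` and `body`; all sample records are constructed.

```python
import json
from urllib.parse import urlsplit

# Assumptions (not from the article): RPC hostname prefix, allowlist, log fields.
RPC_HOST_PREFIXES = ("bsc-dataseed",)
APPROVED_DAPP_SITES = {"wallet.example.com"}

def _rec(client, url, referer, method, to):
    """Build one constructed proxy-log line (JSON) for the sample below."""
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method,
                       "params": [{"to": to, "data": "0x"}, "latest"]})
    return json.dumps({"client": client, "url": url, "referer": referer, "body": body})

RPC = "https://bsc-dataseed1.binance.org/"
ADDR = "0x" + "0" * 39  # constructed placeholder contract address prefix
SAMPLE_LOG = [
    _rec("10.0.0.5", RPC, "https://blog.example.org/post", "eth_call", ADDR + "1"),
    _rec("10.0.0.9", RPC, "https://wallet.example.com/", "eth_call", ADDR + "2"),
    _rec("10.0.0.7", "https://cdn.example.net/rpc", "https://blog.example.org/", "eth_call", ADDR + "3"),
    _rec("10.0.0.8", RPC, "https://blog.example.org/", "eth_chainId", ADDR + "4"),
    "truncated log line {",
]

def find_contract_reads(lines):
    """Return (client, referring_site, contract) for contract reads from unapproved pages."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
            rpc = json.loads(rec["body"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed record or non-JSON request body
        host = urlsplit(str(rec.get("url") or "")).hostname or ""
        site = urlsplit(str(rec.get("referer") or "")).hostname or ""
        if not host.startswith(RPC_HOST_PREFIXES):
            continue  # not a blockchain RPC endpoint
        if not isinstance(rpc, dict) or rpc.get("method") != "eth_call":
            continue  # only contract read calls are of interest here
        if site in APPROVED_DAPP_SITES:
            continue  # this page is expected to talk to the chain
        params = rpc.get("params")
        first = params[0] if isinstance(params, list) and params else {}
        contract = first.get("to", "") if isinstance(first, dict) else ""
        hits.append((rec.get("client", ""), site, str(contract).lower()))
    return hits

if __name__ == "__main__":
    for hit in find_contract_reads(SAMPLE_LOG):
        print("contract read from unapproved page:", hit)
```

A hit identifies the affected client, the site whose page triggered the read, and the contract address to add to a blocklist or hunt for across other logs.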

Question to the expert: Is blockchain malware more dangerous?

Maik Morgenstern, CTO AV-TEST GmbH (Image: AV-TEST).

To better understand the problem, we interviewed Maik Morgenstern, CTO of AV-TEST. The independent test institute examines and verifies, among other things, security solutions for companies. The question to the expert: “Is malware from the blockchain more dangerous?” Maik Morgenstern: “Unfortunately, cyber gangsters are exploiting blockchain technology for their own purposes. The malware cannot be deleted there and is therefore available as an inexhaustible source. However, that doesn't make it any more dangerous. Good protection solutions for companies prevent the execution of malicious code and thus further attacks. It doesn't matter whether the malware is reloaded from a web server or from a blockchain. The manufacturers are of course aware of the problem and are blocking transfers or the execution of the reloaded code.”

Editor/sel

 
