Mitigating the Impact of “EtherHiding” Malicious Code

A colleague of mine sent me the article Hackers use Binance Smart Chain contracts to store malicious scripts, knowing that I had become interested in Blockchain & Web3 Security. It was indeed interesting, so of course I also read through the source article, “EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts. Both articles brought to light some important points about on-chain security that may not often be considered, such as the fact that blockchain features can be utilized by malicious actors, from any space, to achieve their nefarious goals.

Summary of the original articles

In case you have not read the two articles referenced above yet, let me give you a quick summary.

There are some cybercriminals who have discovered a vulnerability in some WordPress sites which allows them to inject malicious Javascript. This injected Javascript then downloads and executes more malicious code. The malicious Javascript will then inform the user that an update to their browser is needed to view the requested content. Then the victim ends up with malware on their computer. Earlier attempts to exploit the vulnerability used traditional hosting services, such as CloudFlare to serve malicious Javascript. However, successful attempts to block the additional download have forced the attackers to resort to more creative means of hosting the malicious Javascript.

What does this have to do with the Blockchain? The criminals developed a Smart Contract that allows the hacked pages to download the malicious Javascript from the Blockchain. Blockchains are made up of many nodes (or servers) that are made available to any other computer on the internet. Adding information to the Blockchain costs money, but reading information from the Blockchain is free. In this particular case, the Blockchain of choice was the Binance Smart Chain (BSC). And while BSC is not the most decentralized Blockchain available, it is one of the cheapest.

Update since original articles

Before diving too deeply into my thoughts and opinions on the articles, I would like to provide a small update on what is happening now, since the articles were written. As mentioned in the article, the activities on-chain are transparent and traceable. Viewing the contract in BSC Scan reveals that as of about 15:00 on Sunday, 29/Oct/2023 someone figured out that the impact of this exploit can be mitigated by using benign values (i.e. "fin.") via the update function of the contract, overwriting the malicious code. There is still some mystery here as we do not know who owns the neutralizing wallet (0x91cc91...b0a0c349), and we do not know their intent. What we can see is that the update sent by b0a0c349 disables the malicious code. However, those sent by 5EcA222A enable the malicious code once again. Based on that, it seems reasonable to presume 0x91cc91...b0a0c349 is trying to mitigate the impact of the maliciousness as well as it can. Since the benign updates are following pretty closely with the malicious updates (~<15 minutes), it also seems reasonable to suspect there is at least some automation in this fight.

Nevertheless, there are several questions that remain: How long before they find an alternative? And then how much time will pass before it is uncovered and neutralized again? How many people will be infected in the meantime?

Thwarted? Trying again?

It looks like they have already figured out that their old contract can be made useless, and have redeployed what appears to be a similar one. As noted above, if you take a close look at the transactions for 0x7f36d9...61487c60, around 15:00 Sunday, 29/Oct/2023, b0a0c349 begins sending updates. Then around 04:00 on 31/Oct/2023 0x9ebae6...eddb4189 makes a couple of updates as well. The latter wallet creates a new contract on 30/Oct/2023, which appears to be similar malicious code.

Are the assumptions valid?

The main article, “EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts, had some intriguing statements that jumped out at me.

Yet, in this evolution of “ClearFake”, we see that threat actors have introduced a novel method of hosting malicious code both anonymously and without any limitations — a real “Bullet Proof” hosting facilitated by the Blockchain.

The only thing they can do and currently offer — is the ability of the community and developers to be warned about a contract if identified as malicious or part of an illegal activity.

…is still online and delivers the malicious payload — apparently, as of today, there is NO WAY TO STOP IT.

These quotations bring up some points that are totally understandable from the perspective of someone who might not be familiar with how hard the Web3/Blockchain/DeFi community have been working to resolve its own security issues. Given how the development of Web3 Security has progressed, the statements above might have been accurate in the past; I think they are much less true today.

Side note for the authors

Before I go too far, I would like to note that this post is not intending to find fault in the work the authors of the original articles (Bill Toulas of Bleeping Computer, Nati Tal and Oleg Zaytsev of Guard.io Labs). As I am following the path of becoming a Web3 Security Researcher, I realize that it is not possible to know about all available solutions, especially as Blockchain and Web3 Security are moving forward as fast as possible to help protect users and projects. This article is intended to augment the work they have started and see if we can take another step or two toward a more secure internet, especially in the case of such exploits as the one discussed herein.

Mitigating the impact

I believe that the building blocks currently do exist to reduce, possibly even eliminate, the impact of these exploits. A Web3 project that I have been studying for a few months, is Forta Network¹. With Forta it is possible to create an agent that monitors contracts and wallets for patterns and values that could indicate malicious behavior. For example, in our case, it would be possible to build a Forta agent that could monitor the contract for calls to the update(string) function that contain the malicious values. When an alert is received, the information to mitigate the impact can be used based on the new values.

Of course, if the contract is left open to updates from anyone, it would also be possible to create a process that could update(string) the contract with a benign value, similar to what has been done by b0a0c349 (see above).

As a matter of fact, there are existing Forta agents that can do some good here already, for example, Malicious Contract Detected - Critical Severity and other alerts for 61487c60, 0x2102bf...28493a5d, 5eca222a and eddb4189. These alerts demonstrate that Forta knew that the contract and wallets had the potential to cause harm before maliciousness could even be put to use.

Another Forta agent could also observe the suspicious wallet(s) for indicators that could help identify other potential attacks (i.e. adding or moving funds, creating contracts, etc.) or the suspected criminals controlling the wallet(s) (i.e. moving funds on or off the Blockchain).

An important takeaway is that, at the very least, even if it is not yet fully possible to prevent the use of Blockchains from this type of abuse, the tools exist to help detect these attempts and limit the spread and impact of the maliciousness.

So what does this signify in light of the article(s)? Blockchains are not a bulletproof hosting solutions for deviant actors, we can do something to mitigate the impact of malicious code hosted on blockchains. Even though there still is no way to stop it completely, there certainly are ways to curtail it, mitigate the impact and generally make it far more difficult for nefarious use than it once was. Difficult enough to force them to find other avenues, or better yet, to stop altogether? Who knows, but we can hope and work toward that goal.

Disclaimer: I know I have discussed Forta agents as if I know they can do what is claimed. In all fairness, I have not actually built an agent that can do the things suggested. However, based on the documentation and articles like Detecting a $197 Million Hack Before Exploitation: Euler Finance Hack Retrospective and Blowfish Leverages Forta to Provide Unique Threat Intel to Wallets and Attack Deep Dive: Soft Rug Pull, I am certain that it is possible without having to speculate much at all.

1. It is my personal opinion that Forta Network has not received near enough recognition or consideration as they deserve. I am looking forward to being able to spend more time working with them in the near future. ↩