Hackers are hiding malicious code in Binance Smart Chain contracts

(Image credit: Shutterstock / Venomous Vector)

Hackers have been observed hosting malicious code on Binance’s Smart Chain and dropping it to people via smart contracts.

This tactic makes the malware campaign infinitely more resilient and tougher to take down, with the researchers who found it - Guardio Labs - describing it as the “next level of bulletproof hosting”.

Binance is one of the world’s most popular cryptocurrency exchanges, and has its own blockchain, called the Binance Smart Chain, which is essentially a competitor to Ethereum - a world computer that can be used to create and host decentralized apps (dApps). It also has lower fees and faster transaction times compared to Ethereum (because of, among other things, Ethereum being arguably more popular and more used). Smart contracts are programs stored on the blockchain that run when certain conditions are met.

Blockchains and smart contracts

First, the hackers' campaign, dubbed EtherHiding, finds a vulnerable WordPress site. It may have an easy-to-guess password or a flawed and outdated add-on through which they obtain access. Then, they create an overlay on that website, warning the visitors that their browser is outdated and that a patch is necessary in order to view the contents of the site. They also add an obfuscated JavaScript code that creates a smart contract and queries the Binance Smart Chain.

If the victim clicks on the download button, the script runs, creates the smart contract and fetches a malicious script hosted on the blockchain. 

“This is what we see here in this attack — malicious code is hosted and served in a manner that can’t be blocked,” the researchers explain. “Unlike hosting it on a Cloudflare Worker service as was mitigated on the earlier variant. Truly, it is a double-edged sword in decentralized tech.”

Ultimately, the victims will install an infostealer on their endpoints, be it Amadey, Lumma, or RedLine.

Unfortunately, there’s very little anyone can do about it, other than just flag the associated Binance Smart Chain addresses and contracts as malicious and used in a phishing campaign. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.