Scammers Try Hosting Their Malware on a Binance Network

Breached web sites distribute malware to visitors by claiming they need to update their browser. But one group of attackers 'have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement,' reports security researcher Brian Krebs.

'By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain.'

[W]hen Cloudflare blocked those accounts the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC), a technology designed to run decentralized apps and 'smart contracts,' or coded agreements that execute actions automatically when certain conditions are met. Nati Tal, head of security at Guardio Labs, the research unit at Tel Aviv-based security firm Guardio, said the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract's functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload.

'These contracts offer innovative ways to build applications and processes,' Tal wrote along with his Guardio colleague Oleg Zaytsev. 'Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted 'on-chain' without the ability for a takedown.' Tal said hosting malicious files on the Binance Smart Chain is ideal for attackers because retrieving the malicious contract is a cost-free operation that was originally designed for the purpose of debugging contract execution issues without any real-world impact. 'So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces,' Tal said.

In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts. 'This model is designed to proactively identify and mitigate potential threats before they can cause harm,' BNB Smart Chain wrote. 'The team is committed to ongoing monitoring of addresses that are involved in spreading malware scripts on the BSC. To enhance their efforts, the tech team is working on linking identified addresses that spread malicious scripts to centralized KYC [Know Your Customer] information, when possible.'

Read more of this story at Slashdot.