- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
Some excerpts:
Since February, Google researchers have observed two groups turning to a newer technique to infect targets with credential stealers and other forms of malware. The method, known as EtherHiding, embeds the malware in smart contracts, which are essentially apps that reside on blockchains for Ethereum and other cryptocurrencies. Two or more parties then enter into an agreement spelled out in the contract. When certain conditions are met, the apps enforce the contract terms in a way that, at least theoretically, is immutable and independent of any central authority.
- The decentralization prevents takedowns of the malicious smart contracts because the mechanisms in the blockchains bar the removal of all such contracts.
- Similarly, the immutability of the contracts prevents the removal or tampering with the malware by anyone.
- Transactions on Ethereum and several other blockchains are effectively anonymous, protecting the hackers’ identities.
- Retrieval of malware from the contracts leaves no trace of the access in event logs, providing stealth
- The attackers can update malicious payloads at anytime
Creating or modifying smart contracts typically cost less than $2 per transaction, a huge savings in terms of funds and labor over more traditional methods for delivering malware.
Layered on top of the EtherHiding Google observed was a social-engineering campaign that used recruiting for fake jobs to lure targets, many of whom were developers of cryptocurrency apps or other online services. During the screening process, candidates must perform a test demonstrating their coding or code-review skills. The files required to complete the tests are embedded with malicious code.
I quite didn’t understand what happens after the malware is up in the block chain. Do I get infected if something sends me currency? Or would it take some action from me, like willingly entering a contract?
In addition to Godort’s statement, it in theory could potentially be used on systems that handle transactions and take note of the information stored on blockchain and don’t sanitize inputs, but sanitizing inputs is one of the most basic tasks and at that point it becomes the bank’s or brokerage’s problem not yours.
This capability has never been demonstrated, as it would require a lot of convoluted prerequisites to work in this manner.
Most of these tokens which store data are NFTs to begin with.
lol right , and sanitizing inputs is still a top 10 OWASP , plus the smart contracts are compiled instead of interpreted like they should be.
No. it’s no where near that scary. The advantage this offers is that a piece of malware can dynamically pull parts of the code down from a place that is difficult to block, and where it cannot be changed or removed.
Right now, Malware devs typically do this by spinning up a hosted webserver using a stolen credit card or cryptocurrency and then hosting it there until the webhost takes it offline. This development will ensure that those bits of code will be up and accessible forever.