SharkStealer: Leveraging Blockchain for Covert Command-and-Control Channels

In the ever-evolving landscape of cybersecurity threats, a new malware strain named SharkStealer has surfaced, showcasing a sophisticated blend of programming and blockchain technology to establish covert command-and-control (C2) channels. Written in the Go programming language, SharkStealer exemplifies a significant shift in malware design, utilizing the Binance Smart Chain (BSC) Testnet as a resilient dead-drop resolver for its C2 infrastructure. This innovative approach highlights how cybercriminals are exploiting Web3 technologies to evade traditional detection mechanisms and maintain persistent communication channels.

Understanding EtherHiding: A Novel Evasion Technique

At the core of SharkStealer’s strategy is a technique known as EtherHiding. Unlike conventional methods that rely on web servers to store critical components of the infection chain, EtherHiding leverages public blockchains. By embedding C2 addresses within smart contract responses on the blockchain, SharkStealer creates a distributed communication layer that remains operational even when traditional domains or IP addresses are blocked. This method transforms immutable blockchain networks into censorship-resistant infrastructure, posing significant challenges for defenders attempting to disrupt or monitor malicious activities.

Technical Breakdown of SharkStealer’s C2 Resolution Mechanism

SharkStealer’s C2 resolution runs as a multi-stage process. It begins by opening a TLS connection to the BSC Testnet’s Remote Procedure Call (RPC) endpoint at data-seed-prebsc-2-s1.binance.org:8545. The malware then builds a JSON-RPC request that queries specific smart contracts deployed on the BSC Testnet. The decompiled snippet below shows the request fields being populated:

```
v87.Jsonrpc.ptr = 2.0;        // JSON-RPC protocol version
v87.Method.ptr = eth_call;    // read-only contract call; no transaction is broadcast
v77.To.ptr = 0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf;  // target contract on the BSC Testnet
v77.Data.ptr = 0x24c12bf6;    // 4-byte function selector the contract dispatches on
```

The `eth_call` request is sent to the target smart contract addresses (0xc2c25784E78AeE4C2Cb16d40358632Ed27eeaF8E and 0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf), which execute the function selected by 0x24c12bf6 and return encrypted C2 data. Because `eth_call` is a read-only query, the lookup costs no gas and leaves no transaction on-chain. The malware then decrypts the returned data with AES in Cipher Feedback mode (AES-CFB), combining a hardcoded key with a dynamically retrieved initialization vector (IV), to recover the actual C2 server addresses.
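The resolution step above, as an added Go example (not SharkStealer’s own code) of the kind an analyst writes to reproduce the dead-drop lookup and turn a contract reply into a blockable indicator. The key, IV and IV placement (IV prepended to the ciphertext) are assumptions, the reply is constructed locally, and no network call is made; the contract address and selector are the ones named above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// ethCallRequest builds the JSON-RPC body the decompiled fields (Jsonrpc, Method, To, Data) map to.
func ethCallRequest(to, selector string) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"jsonrpc": "2.0", "method": "eth_call", "id": 1,
		"params": []interface{}{map[string]string{"to": to, "data": selector}, "latest"},
	})
}

// resolveC2 decodes the hex "result" of an eth_call reply and AES-CFB-decrypts it; assumption: the 16-byte IV precedes the ciphertext (the article does not say where it is taken from).
func resolveC2(key, reply []byte) (string, error) {
	var r struct{ Result string `json:"result"` }
	if err := json.Unmarshal(reply, &r); err != nil {
		return "", err
	}
	blob, err := hex.DecodeString(strings.TrimPrefix(r.Result, "0x"))
	block, cerr := aes.NewCipher(key)
	if err != nil || cerr != nil || len(blob) < aes.BlockSize {
		return "", fmt.Errorf("unusable result or key: %v %v", err, cerr)
	}
	out := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCFBDecrypter(block, blob[:aes.BlockSize]).XORKeyStream(out, blob[aes.BlockSize:])
	return string(out), nil
}

// encryptCFB exists only to construct the sample reply in main; the real key and IV are not public here.
func encryptCFB(key, iv, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(pt))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out, pt)
	return append(append([]byte{}, iv...), out...)
}

func main() {
	req, _ := ethCallRequest("0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf", "0x24c12bf6")
	key, iv := []byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210") // constructed
	reply := []byte(`{"jsonrpc":"2.0","id":1,"result":"0x` + hex.EncodeToString(encryptCFB(key, iv, []byte("84.54.44.48"))) + `"}`)
	c2, err := resolveC2(key, reply)
	fmt.Printf("%s\nresolved C2 indicator: %s (err=%v)\n", req, c2, err) // ... 84.54.44.48 (err=<nil>)
}
```

Pointed at a live RPC endpoint, the same request lets a defender poll the contract on a schedule and diff what it returns, which is how a rotated C2 address is caught before the binary changes.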

Operational Effectiveness and Implications

Analysis of a sample with the SHA-256 hash 3d54cbbab911d09ecaec19acb292e476b0073d14e227d79919740511109d9274 revealed active C2 servers at 84.54.44.48 and securemetricsapi.live, demonstrating that the technique works in practice. Since these addresses are served by the contract rather than hardcoded in the binary, blocking them does not break the lookup path: the operator can point the malware at a new address through the same contract, which is what keeps the channel operational when traditional domains or IP addresses are blocked.

Broader Context: The Rise of Blockchain-Based Malware

SharkStealer is not an isolated case; it represents a broader trend of malware leveraging blockchain technology for malicious purposes. For instance, the EtherHiding technique has been employed in other campaigns, such as ClearFake, which distributes malicious code through compromised websites by displaying fake browser update overlays. In these attacks, threat actors store malicious JavaScript on the blockchain and use compromised WordPress sites that redirect to Cloudflare Worker hosts to achieve evasive distribution.

Similarly, North Korean hackers have utilized EtherHiding to deliver malware and steal cryptocurrency. These sophisticated campaigns exploit the decentralized and immutable nature of blockchain networks to host and distribute malicious payloads, making detection and mitigation more challenging for cybersecurity professionals.

Challenges for Cybersecurity Defenders

The use of blockchain technology in malware campaigns presents unique challenges for cybersecurity defenders. Traditional methods of disrupting C2 channels, such as blocking domains or IP addresses, are less effective against malware like SharkStealer that leverages decentralized and immutable blockchain networks. Detection therefore has to move to the lookup itself: for example, alerting on unexpected outbound JSON-RPC traffic to public testnet RPC endpoints such as data-seed-prebsc-2-s1.binance.org:8545 from hosts that have no reason to query a blockchain node, and monitoring the known contract addresses for changes in what they return, so that a rotated C2 address is caught as soon as it is published.

Conclusion

SharkStealer exemplifies the evolving tactics of cybercriminals who are increasingly turning to blockchain technology to enhance the resilience and stealth of their operations. By leveraging the BSC Testnet and employing the EtherHiding technique, SharkStealer establishes covert C2 channels that are difficult to detect and disrupt. This underscores the need for continuous innovation in cybersecurity defenses to keep pace with the sophisticated methods employed by threat actors.