Etherhide Technique Using Blockchain as C&C Infrastructure


Overview
Threat actors use a variety of techniques and channels to keep their Command and Control (C&C) infrastructure from being tracked and blocked: Fast-Flux, which rapidly rotates the IP addresses behind a stable domain; bulletproof hosting in jurisdictions where legal action is difficult; and public platforms such as Telegram, Pastebin, and Twitter. More recently, threat actors have begun to exploit the anonymity and censorship resistance of blockchains. This post examines Etherhide, a technique that uses smart contracts as C&C infrastructure, and introduces cases of its abuse.

What Is the Etherhide Technique?
Etherhide works by storing an arbitrary payload in a smart contract on an Ethereum-compatible blockchain. Malware on the victim's machine later reads the payload back with a contract call and executes it locally; the chain itself never runs the payload, it only stores and serves it.

Figure 1. Operation of Etherhide

 

Threat actors can use various blockchain networks such as Binance Smart Chain or the Sepolia testnet, and the pseudonymous wallet addresses involved give them a high degree of anonymity. In addition, data written to a blockchain cannot be removed or blocked by a third party, so the attacker can rely on the payload remaining reachable and can replace it at any time with a new transaction. Unlike conventional malware distribution, which depends on web servers or domains, Etherhide uses the blockchain network itself as the infrastructure, so existing tracking and blocking methods based on domains and IP addresses are largely ineffective against it.

 

Generally, a gas fee is incurred when interacting with a blockchain network. In the Etherhide technique, however, gas is paid only when the payload is written (contract deployment and payload updates are transactions); the distribution step itself costs nothing. This is because the payload is queried with the Ethereum JSON-RPC method ‘eth_call’. ‘eth_call’ executes a smart contract function locally on the node against the current state without creating a transaction, so nothing is mined and no gas is charged. It is the standard way to call read-only (view) contract functions, and each victim can use it to fetch the payload free of charge.

Table 1 shows example parameters for the ‘eth_sendTransaction’ method, which creates a transaction, and for the ‘eth_call’ method, which does not. The gas parameter of ‘eth_sendTransaction’ is the gas limit provided for executing the transaction; any unused gas is refunded. ‘eth_call’ does not create a transaction, so the gas parameter (like ‘from’ and ‘gasPrice’) is optional, and only the target contract and the calldata are required.

method: eth_sendTransaction (creates a transaction, consumes gas)
params: [
  {
    to: "0x***60cf90B0C6D0220023402AC11E1CA7D0f6***",
    from: "0x***00BbE1A20dA4d474666B79a5fa6CE12629***",
    gas: "0x76c0",
    value: "0x16345785d8a0000",
    data: "0x",
    gasPrice: "0x4a817c800"
  }
]

method: eth_call (no transaction, no gas fee)
params: [
  {
    to: "0x***8567B4CB5DEcbFE28be25b64Fd36e225aA***",
    data: "0x2cae8ae4"
  }
]

Table 1. Comparison of parameters of Ethereum API methods

 

Even on a testnet such as Sepolia, contract deployment and payload updates are ordinary transactions that consume gas, but the gas is paid in test Ether that has no monetary value, so the attacker bears no real cost at all.

 

Accessing Etherhide payload
Figure 2. Log of the transaction requested when inserting a payload into the contract

 

Figure 3 shows the data field parsed into its structure, which is the standard ABI encoding for a single dynamic argument. The first 4 bytes are the function selector (the first 4 bytes of the Keccak-256 hash of the function signature). The next 32-byte word is the offset, relative to the start of the arguments, at which the dynamic data begins (0x20 when there is only one argument). The next 32-byte word is the length of the payload in bytes, and the payload itself follows, right-padded with zero bytes to a multiple of 32 bytes.

Figure 3. Parsing data

 

If the string ‘alert(“Attack payload executed!”);’ is Base64-encoded and stored as the contract's payload, querying it returns the data shown in Figure 4. The returned data carries no function selector; it begins directly with the offset word, so parsing it with the structure in Figure 3 yields the payload string alone. Base64-decoding that string restores the original script exactly.

Figure 4. Payload delivered in the response

 

In this example, the Etherhide technique was implemented on the Sepolia testnet. The ‘eth_call’ request was built as a JSON-RPC object and sent as the body of an HTTP POST to a Sepolia RPC endpoint. Figure 5 shows part of the code used for the call, so the actual implementation can be checked directly.

Figure 5. Example code of payload invocation
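The encoding parsed in Figures 3 and 4 and the request shown in Figure 5, as an added worked example in Python that is not the post's own code: it builds the setter calldata, builds the ‘eth_call’ JSON-RPC body, and decodes a response back to the original script. The getter selector reuses the 0x2cae8ae4 value shown in Table 1; the setter selector, the contract address and the RPC URL are placeholders, and the node's reply is simulated so the example runs offline.

```python
import base64
import json

# All values below are constructed for this example. The getter selector is
# the calldata shown in Table 1; the setter selector, contract address and
# RPC URL are placeholders, not a real contract or endpoint.
GET_SELECTOR = bytes.fromhex("2cae8ae4")   # read-only getter (Table 1)
SET_SELECTOR = bytes.fromhex("ffffffff")   # hypothetical setter selector
CONTRACT = "0x" + "00" * 20                # placeholder contract address
RPC_URL = "https://rpc.sepolia.example"    # placeholder Sepolia RPC endpoint

WORD = 32  # ABI words are 32 bytes


def abi_encode_string(data: bytes) -> bytes:
    """ABI-encode one dynamic string/bytes argument: a 32-byte offset to the
    data (0x20, since it is the only argument), a 32-byte length, then the
    data right-padded with zero bytes to a multiple of 32."""
    offset = WORD.to_bytes(WORD, "big")
    length = len(data).to_bytes(WORD, "big")
    padding = b"\x00" * (-len(data) % WORD)
    return offset + length + data + padding


def abi_decode_string(blob: bytes) -> bytes:
    """Inverse of abi_encode_string. Follows the offset word, reads the length
    word and slices exactly that many bytes. An offset or length that points
    past the end raises ValueError rather than returning truncated data."""
    if len(blob) < 2 * WORD:
        raise ValueError("too short to hold offset and length words")
    offset = int.from_bytes(blob[:WORD], "big")
    if offset + WORD > len(blob):
        raise ValueError("offset points past end of data")
    length = int.from_bytes(blob[offset:offset + WORD], "big")
    start = offset + WORD
    if start + length > len(blob):
        raise ValueError("length exceeds available data")
    return blob[start:start + length]


def is_well_formed(blob: bytes) -> bool:
    """True if blob decodes as a single ABI string without overrunning it."""
    try:
        abi_decode_string(blob)
        return True
    except ValueError:
        return False


def build_set_calldata(payload_b64: str) -> str:
    """Calldata of the state-changing transaction that stores the payload
    (the structure parsed in Figure 3): selector, then ABI-encoded string."""
    return "0x" + (SET_SELECTOR + abi_encode_string(payload_b64.encode())).hex()


def build_eth_call_request(request_id: int = 1) -> dict:
    """JSON-RPC body a victim POSTs to fetch the payload. No 'from', 'gas',
    'value' or 'gasPrice' is needed: the node runs eth_call locally and
    nothing is mined, so no fee is charged."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": CONTRACT, "data": "0x" + GET_SELECTOR.hex()}, "latest"],
    }


def extract_payload(rpc_response: dict) -> str:
    """Decode an eth_call result (Figure 4): the 'result' hex carries no
    selector and starts with the offset word; the decoded string is the
    Base64 form of the original script."""
    raw = bytes.fromhex(rpc_response["result"][2:])
    return base64.b64decode(abi_decode_string(raw), validate=True).decode()


def fake_node_response(script: str, request_id: int = 1) -> dict:
    """Stand-in for the RPC endpoint so the example runs offline: what a node
    returns for a contract whose stored string is Base64(script)."""
    stored = base64.b64encode(script.encode())
    return {"jsonrpc": "2.0", "id": request_id,
            "result": "0x" + abi_encode_string(stored).hex()}


if __name__ == "__main__":
    script = 'alert("Attack payload executed!");'
    stored = base64.b64encode(script.encode()).decode()
    print("setter calldata:", build_set_calldata(stored))
    print("eth_call body:  ", json.dumps(build_eth_call_request()))
    # With a network, the body above would be POSTed to RPC_URL and the
    # JSON reply passed to extract_payload(); here the reply is simulated.
    print("recovered:      ", extract_payload(fake_node_response(script)))
```

The bounds checks in abi_decode_string matter when this parser is pointed at untrusted chain data: a length word larger than the returned buffer should fail loudly instead of yielding a silently truncated payload.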

 

This method can be used to download payloads not only from a web browser but from any client that can issue an HTTP request, including native executables and scripts. A downloader that would normally fetch its next stage from a web server can use the Etherhide technique instead, so the attacker needs no compromised website, registered domain, or exposed C&C server. Because the payload is read from the blockchain, it is hard to block and remains available as long as the chain does, which is advantageous for threat actors.

 

Real Cases of Using the Etherhide Technique

 

ClearFake 

The ClearFake campaign, distributed since July 2023, prompts users to download and run malware disguised as a Chrome browser update. Initially, users were redirected to a separate C&C server before the malware was downloaded, but more recently the threat actors have used a social-engineering technique that has the user paste and execute PowerShell commands placed in the clipboard. In this process, the attackers use the Etherhide technique, with the blockchain network serving as the C&C infrastructure for both the redirection and the payload delivery. For more information, refer to “EtherHiding and ClickFix: new mask of social engineering campaign” by Marek Szustak. The clipboard-based command execution prompt has also been covered on the ASEC Blog.

 

Smargaft

The name Smargaft combines Smart Contract and the Gafgyt botnet, and it is a botnet that uses the Etherhide technique. Smargaft sends requests to a Binance Smart Chain (BSC) RPC endpoint and retrieves the botnet's C&C server IP address, which is the payload stored in the contract. When the C&C server changes, the attacker simply updates the stored value with a new transaction. For more information, refer to the XLAB post “Smargaft Harnesses EtherHiding for Stealthy C2 Hosting”, published in February 2024.

 

Conclusion

The Etherhide technique is drawing attention as a next-generation form of Bulletproof Hosting, and more cases of abuse are expected. Strong anonymity, persistence, negligible cost, and no need to operate server infrastructure are reasons enough for threat actors to adopt blockchains as malware infrastructure.
From a defender's perspective, the Etherhide technique is hard to detect or block with conventional domain- or IP-based methods, because the traffic goes to legitimate public RPC endpoints. However, the technique is ultimately only a way of retrieving a payload: the attack still begins with the user running a suspicious file or pasted command, so refusing to do so stops the attack at its earliest stage.
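A defender-side check, added here as an example and not taken from the post: because ‘eth_call’ requests are plain JSON-RPC over HTTPS, a proxy or EDR that records request bodies can still see them. The code below parses constructed proxy records, flags bodies that contain ‘eth_call’ (single requests and batches), and rates those issued by a script interpreter as high, since wallets and dapps legitimately issue ‘eth_call’ but PowerShell or wscript normally do not. The process list, hostname hints, record format and sample records are all assumptions for the example.

```python
from __future__ import annotations
import json
from typing import Optional

# Processes that have no business speaking JSON-RPC to a blockchain node.
# This list is an assumption for the example; tune it to your estate.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# Hostname fragments typical of public RPC endpoints (context only).
RPC_HOST_HINTS = ("sepolia", "bsc", "binance", "infura", "alchemy", "rpc.")


def jsonrpc_requests(body: str) -> list[dict]:
    """Return the JSON-RPC 2.0 request objects in an HTTP body, handling both
    a single object and a batch (list). Non-JSON bodies yield []."""
    try:
        doc = json.loads(body) if body else None
    except ValueError:
        return []
    items = doc if isinstance(doc, list) else [doc]
    return [i for i in items if isinstance(i, dict)
            and i.get("jsonrpc") == "2.0" and isinstance(i.get("method"), str)]


def triage(record: dict) -> Optional[dict]:
    """Score one proxy record. Returns a finding with the reasons that fired,
    or None. eth_call alone is normal for wallets; eth_call from a script
    host is the Etherhide signal."""
    if record.get("method") != "POST":
        return None
    calls = [r for r in jsonrpc_requests(record.get("body", ""))
             if r["method"] == "eth_call"]
    if not calls:
        return None
    proc = record.get("proc", "").lower()
    host = record.get("host", "").lower()
    reasons = ["eth_call JSON-RPC request"]
    if proc in SCRIPT_HOSTS:
        reasons.append(f"issued by script host {proc}")
    if any(h in host for h in RPC_HOST_HINTS):
        reasons.append(f"public RPC endpoint {host}")
    # Record the 4-byte selector: the same selector recurring across hosts
    # is a cheap hunting pivot even though it is not unique to malware.
    selectors = set()
    for call in calls:
        params = call.get("params") or []
        if params and isinstance(params[0], dict):
            data = params[0].get("data", "")
            if isinstance(data, str) and data.startswith("0x") and len(data) >= 10:
                selectors.add(data[:10].lower())
    return {"ts": record.get("ts"), "proc": proc, "host": host,
            "severity": "high" if proc in SCRIPT_HOSTS else "low",
            "reasons": reasons, "selectors": sorted(selectors)}


def run(records: list[dict]) -> list[dict]:
    """Triage every record and keep the findings."""
    return [f for f in map(triage, records) if f]


def _rpc(*reqs: dict) -> str:
    """Serialise one request or a batch the way a client would."""
    return json.dumps(reqs[0] if len(reqs) == 1 else list(reqs))


# Constructed sample records (not real telemetry). The contract address is a
# placeholder; the selector is the calldata value shown in Table 1.
ETH_CALL = {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": "0x" + "00" * 20, "data": "0x2cae8ae4"}, "latest"]}
BLOCK_NUMBER = {"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []}

SAMPLE_RECORDS = [
    {"ts": "2024-03-01T10:00:01Z", "proc": "chrome.exe", "host": "www.example.org",
     "method": "GET", "body": ""},
    {"ts": "2024-03-01T10:00:05Z", "proc": "powershell.exe", "host": "rpc.sepolia.example",
     "method": "POST", "body": _rpc(ETH_CALL)},
    {"ts": "2024-03-01T10:01:12Z", "proc": "wallet.exe", "host": "mainnet.infura.example",
     "method": "POST", "body": _rpc(ETH_CALL)},
    {"ts": "2024-03-01T10:02:40Z", "proc": "wscript.exe", "host": "bsc-dataseed.example",
     "method": "POST", "body": _rpc(BLOCK_NUMBER, ETH_CALL)},
    {"ts": "2024-03-01T10:03:00Z", "proc": "curl.exe", "host": "api.example.org",
     "method": "POST", "body": "grant_type=client_credentials"},
]

if __name__ == "__main__":
    for finding in run(SAMPLE_RECORDS):
        print(finding["severity"].upper(), finding["ts"], finding["proc"],
              finding["host"], "; ".join(finding["reasons"]), finding["selectors"])
```

Blocking the RPC endpoints themselves is rarely an option, since the same hosts serve legitimate wallet and dapp traffic; the useful control is the combination of request body and originating process, which is why the severity here is driven by the process rather than by the destination.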
 

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.