A sophisticated information-stealing malware written in Golang has emerged, leveraging blockchain technology to establish covert command-and-control channels.

SharkStealer represents a significant evolution in malware design, utilizing the BNB Smart Chain Testnet as a resilient dead-drop resolver for its C2 infrastructure.

This novel approach demonstrates how threat actors exploit Web3 technologies to evade traditional detection mechanisms and maintain persistent communication channels.

The malware employs an innovative technique known as EtherHiding, where critical infection chain components are stored on public blockchains rather than conventional web servers.

This method transforms immutable blockchain networks into censorship-resistant infrastructure that defenders struggle to disrupt or monitor effectively.

By embedding C2 addresses within smart contract responses, SharkStealer creates a distributed communication layer that remains operational even when traditional domains or IP addresses are blocked.

SharkStealer’s attack vector centers on leveraging the transparency and availability of public blockchain networks while maintaining operational security through encryption.

VMRay analysts identified that the malware issues Ethereum RPC eth_call requests to specific smart contracts deployed on the BSC Testnet nodes.

These contracts serve as encrypted data repositories, returning tuples containing an initialization vector (IV) and encrypted payload when queried.

The malware then decrypts this data using a hardcoded AES-CFB key embedded within the binary, ultimately extracting the actual C2 server addresses.

Technical Analysis of C2 Resolution

The infection mechanism operates through a multi-stage process that begins with establishing a secure connection to data-seed-prebsc-2-s1.binance.org:8545, the BSC Testnet RPC endpoint.

The code snippet below illustrates how SharkStealer constructs the JSON-RPC request:-

v87.Jsonrpc.ptr = "2.0";
v87.Method.ptr = "eth_call";
v77.To.ptr = "0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf";
v77.Data.ptr = "0x24c12bf6";

The malware’s C2 resolution mechanism demonstrates sophisticated engineering combining blockchain interaction with traditional cryptographic techniques.

Once the eth_call request reaches target smart contract addresses—specifically 0xc2c25784E78AeE4C2Cb16d40358632Ed27eeaF8E and 0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf—the contracts execute function 0x24c12bf6, returning encrypted C2 data.

The decryption process utilizes AES-CFB mode, combining the hardcoded key with the dynamically retrieved IV to decrypt the payload.

Analysis of sample SHA-256 hash 3d54cbbab911d09ecaec19acb292e476b0073d14e227d79919740511109d9274 revealed active C2 servers at 84.54.44.48 and securemetricsapi.live, demonstrating the technique’s operational effectiveness.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.