
2025-11-02 // Dylan Evans

Potential EtherHiding Activity via Blockchain Explorer Connections

Defender XDR

Detects suspicious network connections to blockchain explorer APIs that may indicate UNC5342’s use of new EtherHiding techniques for retrieving malicious payloads.

Tags: blockchain, malware-download, lateral-movement, api-abuse

Detecting Suspicious Blockchain Explorer Connections

Overview

This detection identifies anomalous network connections to blockchain explorer APIs. Threat actors such as UNC5342 use these endpoints in the EtherHiding technique, an evasion method in which the malicious payload is stored in a smart contract and retrieved with a read-only contract call, so the download blends in with ordinary blockchain lookups and leaves no on-chain transaction. The query flags URLs containing eth_call (the JSON-RPC method that performs such a read) or the shared free API key apiKey=freekey; on an endpoint with no business reason to query blockchain data, either indicates a compromised host fetching its next stage.

Query

DeviceNetworkEvents
// Stage 1: broad prefilter for blockchain-related URLs (case-insensitive, whole-term match)
| where RemoteUrl has_any ("explorer", "block", "cypher", "eth", "bit", "coin", "crypto")
// Stage 2: the actual discriminator: read-only contract calls or the Ethplorer shared free key
| where RemoteUrl has_any ("eth_call", "apiKey=freekey")
| project ReportId, DeviceId, Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort

Logic Explanation

The query filters DeviceNetworkEvents in two stages. The first has_any is a broad prefilter for blockchain-related URLs (explorer, block, cypher, eth, bit, coin, crypto); the second narrows the result to URLs that carry one of two indicators:

  • eth_call: the Ethereum JSON-RPC method for a read-only contract call. EtherHiding uses it to pull the payload out of a smart contract without sending a transaction, so nothing is recorded on-chain.
  • apiKey=freekey: the shared free API key accepted by services like Ethplorer, convenient for throwaway tooling that never registers its own key.

It surfaces connections where:

  • The URL passes both stages. has_any is case-insensitive, but it matches whole terms rather than substrings, so the keyword "eth" does not match a hostname such as etherscan.io by itself; the prefilter only fires when a keyword appears as a separate term somewhere in the URL.
  • No initiating-process filter is applied, which keeps the scope broad but risks false positives from legitimate browsers or scripts.

Tuning Notes

  • False positives may arise if legitimate users interact with blockchain APIs (e.g., crypto traders) or if eth_call queries come from automated monitoring tools.
    • Suggestion: Exclude known benign processes (e.g., Chrome, Firefox) with a filter on InitiatingProcessFileName, for instance a let-bound initiatingProcesses list, and review the remaining hits by InitiatingProcessCommandLine.
  • False negatives could occur if the prefilter misses explorer hostnames (has_any does not match "eth" inside etherscan.io or ethplorer.io) or if the adversary uses a different RPC provider or a registered API key instead of freekey.
    • Suggestion: Replace the first has_any with explicit explorer hostnames or a matches regex on RemoteUrl (e.g., (?i)(etherscan|ethplorer|blockcypher|blockchair)), which gives substring rather than whole-term matching, and keep the indicator list current as new explorer APIs appear.
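The two-stage logic and the tuning above, run offline over a handful of constructed DeviceNetworkEvents rows. This is an added example, not the page's query or Defender's own code: the keyword and indicator lists mirror the query, the browser exclusion list is a hypothetical tuning allowlist, the sample events and contract addresses are made up, and kql_has is only an approximation of Kusto's whole-term has semantics, included to show why the "eth" keyword misses an explorer hostname.

```python
"""Offline emulation of the EtherHiding explorer-connection hunt.

Added example (not the published KQL). Sample events are constructed;
kql_has approximates Kusto's whole-term `has` behaviour.
"""
import re
from dataclasses import dataclass

# Keyword lists mirroring the two has_any stages of the published query.
EXPLORER_TERMS = ("explorer", "block", "cypher", "eth", "bit", "coin", "crypto")
INDICATORS = ("eth_call", "apikey=freekey")

# Hypothetical tuning allowlist: the page suggests excluding browsers.
BROWSERS = frozenset({"chrome.exe", "firefox.exe", "msedge.exe"})


@dataclass
class NetworkEvent:
    """Subset of the DeviceNetworkEvents columns the query projects."""
    device_name: str
    process: str      # InitiatingProcessFileName
    remote_url: str   # RemoteUrl


def kql_has(text: str, term: str) -> bool:
    """Approximation of Kusto `has`: case-insensitive match on whole terms.

    Terms are taken as alphanumeric runs, so "eth" does NOT match the
    single term "etherscan" (assumed tokenisation, for illustration only).
    """
    tokens = {t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)}
    return term.lower() in tokens


def explorer_prefilter(url: str, substring: bool = True) -> bool:
    """Stage 1. substring=True is the contains/regex behaviour the tuning
    notes recommend; substring=False emulates has_any as written."""
    if substring:
        lowered = url.lower()
        return any(term in lowered for term in EXPLORER_TERMS)
    return any(kql_has(url, term) for term in EXPLORER_TERMS)


def indicator_filter(url: str) -> bool:
    """Stage 2: read-only contract call or the Ethplorer shared free key."""
    lowered = url.lower()
    return any(ind in lowered for ind in INDICATORS)


def hunt(events, exclude_processes=frozenset(), substring=True):
    """Return the events that pass both stages and the process exclusion."""
    hits = []
    for ev in events:
        if ev.process.lower() in exclude_processes:
            continue
        if not explorer_prefilter(ev.remote_url, substring):
            continue
        if indicator_filter(ev.remote_url):
            hits.append(ev)
    return hits


# Constructed sample telemetry (fake hosts, processes, addresses and data).
SAMPLE_EVENTS = [
    NetworkEvent("WS01", "powershell.exe",
                 "https://api.etherscan.io/api?module=proxy&action=eth_call"
                 "&to=0xabc&data=0x70a08231&tag=latest"),
    NetworkEvent("WS02", "chrome.exe",
                 "https://api.ethplorer.io/getAddressInfo/0xabc?apiKey=freekey"),
    NetworkEvent("WS03", "svchost.exe",
                 "https://www.bing.com/search?q=bitcoin+price"),
    NetworkEvent("WS04", "node.exe",
                 "https://api.ethplorer.io/getTop?apiKey=freekey"),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS, exclude_processes=BROWSERS):
        print(f"{ev.device_name} {ev.process} -> {ev.remote_url}")
```

With substring matching and the browser exclusion applied, only the PowerShell and Node events survive; the Bing search passes the prefilter on "bit" and "coin" but carries no indicator. Switching the prefilter to the has_any emulation drops both Ethplorer hits, because neither "explorer" nor "eth" occurs as a separate term in api.ethplorer.io, which is the false-negative case the tuning notes describe.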
