
North Korean hackers use EtherHiding to hide malware on the blockchain


North Korean hackers have adopted the 'EtherHiding' technique, which leverages smart contracts to host and deliver malware, in social engineering campaigns that steal cryptocurrency.

Google Threat Intelligence Group (GTIG) says that a DPRK nation-state threat actor, tracked internally as UNC5342, has been employing EtherHiding since February in 'Contagious Interview' operations.

The researchers note that this is the first time they have observed a state-backed hacking group using this method.

First described by Guardio Labs in 2023, EtherHiding is a malware distribution technique in which payloads are embedded in smart contracts on a public blockchain (Binance Smart Chain or Ethereum). The threat actor can thus host malicious scripts on the chain and retrieve them whenever needed.

Because a public blockchain is decentralized and its contracts cannot be taken down by a hosting provider, EtherHiding offers anonymity, resistance to takedown actions, and flexible payload updating (the actor can replace the stored payload by updating the contract's data), all at very low cost. Furthermore, the payloads can be fetched through read-only calls that create no on-chain transaction, so retrieval leaves no visible transaction history and adds stealth to the process.

DPRK ops on the blockchain

The attacks typically begin with fake job interviews, a hallmark of DPRK social engineering, conducted by carefully fabricated entities (BlockNovas LLC, Angeloper Agency, SoftGlide LLC) that target software and web developers.

As part of the interview's technical assessment, the victim is tricked into running code that executes a JavaScript downloader.

The researchers say that "the smart contract hosts the JADESNOW downloader that interacts with Ethereum to fetch the third-stage payload," which is a JavaScript version of the InvisibleFerret malware, typically used for long-term espionage.

GTIG notes that the payload runs in memory and may query Ethereum for another component that steals credentials.
