- UNC5342 uses blockchain smart contracts to deliver cryptocurrency theft malware via EtherHiding
- Fake Jobs and Coding Challenges Lure Developers to Activate JadeSnow Loader and Backdoor
- Blockchain Immutability Makes Malware Hosting Resilient
North Korean state-sponsored threat actors are now using public blockchains to host malicious code and deploy malware to target endpoints.
This is according to Google’s Threat Intelligence Group (GTIG), which said it observed UNC5342 using the Ethereum and BNB Smart Chain blockchains to host droppers and ultimately deploy cryptocurrency theft malware against software and blockchain developers.
The technique is called EtherHiding. Instead of sending a malicious file directly to the victim (or tricking them into downloading it), the attackers store stages of the malware inside smart contracts on a public blockchain, and a small first-stage script on the victim’s machine reads them back from the chain.
Evolution of bulletproof hosting
The smart contract itself does not run anything on the victim’s computer. It only holds data; a script already running on the endpoint (delivered through the lure, for example a coding challenge the target was asked to execute, or a page that asks them to connect a wallet) queries the contract through a public RPC node, pulls that data down and executes it. Because that read is a plain call rather than a transaction, it costs nothing and leaves no record of the victim on the chain.
That makes the blockchain an attractive distribution channel: it is public, decentralised and cannot be taken down, so there is no hosting provider to send an abuse report to. The contract’s owner can still rotate the payload at will by writing a new value into it for a small transaction fee, while the lure and the first-stage loader stay unchanged.
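The retrieval step described above, reduced to its moving parts, plus the check a defender would run against it. This is an added illustration, not code from the GTIG report or from the loader it describes: the contract address, RPC gateway, getter selector, stored payload and the egress log lines are all constructed placeholders, and the gateway is a local stub rather than a real chain. What it shows is why a read-only `eth_call` is attractive to the attacker (no transaction, no cost, nothing written to chain) and why the payload can be swapped server-side without touching anything on the victim.

```python
"""EtherHiding-style stage retrieval and a matching egress check (added example)."""
import json

# Constructed placeholders; none of these are indicators from the report.
PAYLOAD_CONTRACT = "0x" + "ab" * 20               # hypothetical payload contract
RPC_GATEWAY = "https://rpc.example.invalid/"       # hypothetical public RPC node
GETTER_SELECTOR = "0x6d4ce63c"                     # assumed 4-byte selector of a no-arg getter


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> dict:
    """JSON-RPC body the first-stage script sends. eth_call only simulates a
    call against current state: no transaction, no gas, nothing on chain."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def abi_encode_string(text: str) -> str:
    """ABI encoding of a single `string` return value: 32-byte offset to the
    data (0x20), 32-byte length, then the bytes right-padded to 32 bytes."""
    data = text.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + head.hex() + padded.hex()


def abi_decode_string(result_hex: str) -> str:
    """Inverse of abi_encode_string: what the loader does with the RPC reply."""
    raw = bytes.fromhex(result_hex[2:])
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode()


# Constructed stand-in for the contract's storage. The contract owner can
# overwrite this with one cheap transaction; the lure never changes.
contract_storage = {PAYLOAD_CONTRACT: "STAGE2:https://drop.example.invalid/v1"}


def fake_rpc_gateway(request: dict) -> dict:
    """Local stub standing in for a public RPC node (no network)."""
    to = request["params"][0]["to"]
    return {"jsonrpc": "2.0", "id": request["id"],
            "result": abi_encode_string(contract_storage[to])}


def fetch_stage(send) -> str:
    """What the first-stage script does: read the contract, decode the string."""
    reply = send(build_eth_call(PAYLOAD_CONTRACT, GETTER_SELECTOR))
    return abi_decode_string(reply["result"])


# Defender side: developer endpoints rarely need to speak JSON-RPC to a chain
# gateway from anything but a browser or wallet. Flag eth_call from other
# processes. Allowlist below is hypothetical; tune it to the estate.
ALLOWED_RPC_CLIENTS = {"chrome.exe", "firefox", "metamask"}


def flag_rpc_calls(log_lines):
    """Return (process, contract) for eth_call requests from unexpected processes."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        try:
            body = json.loads(rec["body"])
        except (KeyError, ValueError):
            continue
        if body.get("method") == "eth_call" and rec.get("process") not in ALLOWED_RPC_CLIENTS:
            hits.append((rec["process"], body["params"][0]["to"]))
    return hits


# Constructed egress log: a "coding challenge" run under node, a wallet-driven
# browser read, and an unrelated block-number query from a script.
SAMPLE_EGRESS_LOG = [
    json.dumps({"process": "node.exe", "url": RPC_GATEWAY,
                "body": json.dumps(build_eth_call(PAYLOAD_CONTRACT, GETTER_SELECTOR))}),
    json.dumps({"process": "chrome.exe", "url": RPC_GATEWAY,
                "body": json.dumps(build_eth_call("0x" + "cd" * 20, GETTER_SELECTOR))}),
    json.dumps({"process": "python.exe", "url": RPC_GATEWAY,
                "body": json.dumps({"jsonrpc": "2.0", "id": 7, "method": "eth_blockNumber", "params": []})}),
]

if __name__ == "__main__":
    print("stage:", fetch_stage(fake_rpc_gateway))
    contract_storage[PAYLOAD_CONTRACT] = "STAGE2:https://drop.example.invalid/v2"
    print("after owner update:", fetch_stage(fake_rpc_gateway))
    print("flagged:", flag_rpc_calls(SAMPLE_EGRESS_LOG))
```

The detection is deliberately process-based rather than destination-based: the gateway is a legitimate public node that wallets also use, so blocking the host would break real users, whereas a Node or Python process issuing `eth_call` on a developer workstation is the signal worth an alert.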
“This represents a shift toward next-generation bulletproof hosting,” Google said, highlighting that the resilient nature of the blockchain is what makes it so attractive to cybercriminals.
Since February 2025, UNC5342 has been observed creating fake jobs and coding challenges to trick developers and others working in the Web3 space into downloading and running files. These files connect to the blockchain and retrieve the code that installs the JadeSnow loader, which in turn deploys the InvisibleFerret backdoor, already seen in earlier cryptocurrency thefts.
This is not the first time we have seen blockchain being used to distribute malware. The technique has been in use since 2023, and in the same report, Google also mentioned a financially motivated UNC5142 actor using the same technique.
This group was seen compromising WordPress sites to host malicious JavaScript code that connected to the blockchain. So far more than 14,000 infected sites have been found.
North Korea is known for targeting the crypto industry and using stolen funds to finance its weapons program and state apparatus.
Via The Record