Google Threat Intelligence Group (GTIG) uncovered a new North Korean campaign using EtherHiding, a technique that stores malicious payloads inside smart contracts on public blockchains such as Ethereum and BNB Smart Chain to evade detection. The approach turns a public blockchain into takedown-resistant payload hosting: the contract's contents cannot be removed by a third party, yet whoever controls the contract can update them, which makes the chain a resilient command-and-control channel for espionage and financial theft. #UNC5342 #EtherHiding
Key points
- UNC5342, a North Korean threat actor, employed EtherHiding to conceal malicious code within blockchain smart contracts.
- The campaign involves social engineering tactics, such as fake job interviews, to infect developers with malware like JADESNOW and INVISIBLEFERRET.
- The malware fetches follow-on payloads by calling read-only (view) functions on the smart contracts. A node serves such calls without creating an on-chain transaction, so retrieval costs nothing and leaves no ledger trace, while the operator can still rotate the payload by updating the contract's storage.
- The campaign’s goals include stealing cryptocurrency, conducting espionage, and gaining access to technology companies.
- Although the payload lives on a decentralized ledger, an infected host still has to reach a node to read it, and in practice that means a centralized RPC gateway or block-explorer API. Those services, and the traffic to them, are points where defenders can observe, rate-limit or block the retrieval.
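The read-only retrieval step and the defender's interception point, as an added example that is not code from GTIG, from the UNC5342 campaign or from any real EtherHiding loader. It models a loader issuing an `eth_call` JSON-RPC request to a contract's view function, the node returning an ABI-encoded string without recording a transaction, and a gateway-side check that flags `eth_call` to contracts outside an allowlist. The contract address, the function selector, the payload text and the in-memory "chain" are all constructed placeholders.

```python
"""Added example, not code from GTIG or from the UNC5342 campaign. It models the
read-only retrieval step of EtherHiding: a loader issues an eth_call JSON-RPC
request to a contract's view function and ABI-decodes the returned string.
The contract address, function selector and payload text are constructed
placeholders; the "chain" is an in-memory dict standing in for a node."""
import json
from typing import Optional

CONTRACT = "0x" + "ab" * 20                         # constructed contract address
SELECTOR = "0xdeadbeef"                             # constructed 4-byte view-function selector
PAYLOAD = "stage2: https://example.invalid/next"    # constructed payload text


def abi_encode_string(s: str) -> str:
    """Solidity ABI encoding of a single `string` return value."""
    data = s.encode()
    head = (32).to_bytes(32, "big")                 # offset of the dynamic part
    length = len(data).to_bytes(32, "big")
    padded = data + b"\x00" * (-len(data) % 32)     # right-pad to a 32-byte word
    return "0x" + (head + length + padded).hex()


def abi_decode_string(hexdata: str) -> str:
    """Inverse of abi_encode_string; what a loader does with the eth_call result."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode()


def make_chain_state() -> dict:
    """In-memory stand-in for a node: contract storage plus the transaction log."""
    return {"storage": {(CONTRACT, SELECTOR): PAYLOAD}, "transactions": []}


def update_payload(state: dict, contract: str, selector: str, new_payload: str) -> None:
    """The contract owner swaps the payload. A write is a real transaction: it
    costs gas and is visible in the ledger, unlike the reads below."""
    state["storage"][(contract, selector)] = new_payload
    state["transactions"].append({"to": contract, "kind": "setter"})


def build_eth_call(contract: str, selector: str) -> dict:
    """The JSON-RPC request an EtherHiding-style loader sends to an RPC gateway."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}


def simulate_rpc(request: dict, state: dict) -> dict:
    """Serve eth_call from local state. No transaction is recorded: a view call
    executes on the node and leaves nothing on chain."""
    assert request["method"] == "eth_call"
    call = request["params"][0]
    value = state["storage"].get((call["to"], call["data"]), "")
    return {"jsonrpc": "2.0", "id": request["id"], "result": abi_encode_string(value)}


def flag_rpc_request(request: dict, allowlist: set) -> Optional[str]:
    """Defender-side check at an egress proxy or RPC gateway: an eth_call to a
    contract outside the allowlist is worth a closer look."""
    if request.get("method") != "eth_call":
        return None
    target = request["params"][0].get("to", "").lower()
    if target not in {a.lower() for a in allowlist}:
        return f"eth_call to unlisted contract {target}"
    return None


if __name__ == "__main__":
    state = make_chain_state()
    req = build_eth_call(CONTRACT, SELECTOR)
    print("wire request:", json.dumps(req))
    resp = simulate_rpc(req, state)
    print("loader got:", abi_decode_string(resp["result"]))
    print("on-chain transactions after read:", len(state["transactions"]))
    update_payload(state, CONTRACT, SELECTOR, "stage2: rotated")
    print("on-chain transactions after write:", len(state["transactions"]))
    print("gateway verdict:", flag_rpc_request(req, allowlist=set()))
```

The asymmetry the example makes visible is the one that matters operationally: the operator's payload rotation is an on-chain transaction that analysts can find and time-line, while every victim's retrieval is a free, traceless read. An allowlist keyed on contract address, as in `flag_rpc_request`, is easy to evade by redeploying, so in practice the stronger signal is `eth_call` traffic from hosts that have no business speaking JSON-RPC at all.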