Google Threat Intelligence Group (GTIG) observed North Korean actor UNC5342 use EtherHiding—storing and retrieving malicious JavaScript payloads from smart contracts on BNB Smart Chain and Ethereum—to deliver JADESNOW and ultimately the INVISIBLEFERRET backdoor, enabling cryptocurrency theft and data exfiltration. The campaign leverages social engineering (fake interviews, malicious repo downloads), centralized API providers for blockchain reads, and frequent on-chain updates to evade takedowns and complicate mitigation. #UNC5342 #JADESNOW #INVISIBLEFERRET
Key Points
- GTIG linked UNC5342 to the adoption of EtherHiding to host and serve JavaScript malware from smart contracts on BNB Smart Chain and Ethereum.
- The campaign uses elaborate social engineering (fake recruiters, interview tasks, fabricated companies) to trick developers into running malicious code or downloading infected packages.
- JADESNOW acts as a JavaScript downloader that fetches, decrypts (Base64 + XOR), and runs second-stage payloads from on-chain smart contract data; it commonly leads to INVISIBLEFERRET as the persistent backdoor.
- INVISIBLEFERRET.JAVASCRIPT communicates with a C2 on port 3306, beacons host info, executes commands, exfiltrates files, and can deploy credential stealers targeting browsers and wallets (MetaMask, Phantom, etc.).
- Attackers exploit centralized blockchain API providers (instead of running full nodes) to read on-chain payloads; these intermediaries can be pressured to disrupt operations but responses have been inconsistent.
- On-chain artifacts include a BNB Smart Chain contract (0x8eac3…), an attacker owner address (0x9bc1…), and multiple Ethereum transactions storing INVISIBLEFERRET components, enabling frequent updates and operational flexibility.
- Chrome Enterprise controls (download restrictions, managed updates, URL blocklists, Safe Browsing) are recommended to break the attack chain and prevent malicious downloads and social-engineering success.
MITRE Techniques
- [T1192] Spearphishing Link – UNC5342 uses fake recruiter messages and links to malicious interview pages to lure developers into running malicious code (“fake job interviews… victims download files from repositories like GitHub”).
- [T1193] Spearphishing Attachment – The campaign supplies malicious files (e.g., ZIP archives and npm packages) as part of interview tasks or fixes, leading to execution of initial downloaders (“ZIP archive containing the initial downloader, in this case JADESNOW”).
- [T1059.007] Command and Scripting Interpreter: JavaScript – Attackers deploy JavaScript loaders and downloaders (JADESNOW, INVISIBLEFERRET.JAVASCRIPT) executed in the browser or in-memory to fetch and run further payloads (“loader script executes in their browser… communicates with the blockchain to retrieve the main malicious payload”).
- [T1041] Exfiltration Over Command and Control Channel – INVISIBLEFERRET beacons and exfiltrates files and credentials to attacker-controlled servers and private Telegram chats (“The data is compressed into a ZIP archive and uploaded to an attacker-controlled remote server and a private Telegram chat”).
- [T1105] Ingress Tool Transfer – The attack chain deploys additional components (portable Python interpreter, credential stealer) delivered via on-chain stored payloads and downloaded artifacts (“attempts to install a portable Python interpreter to execute an additional credential stealer component stored at the transaction address …”).
- [T1602] Data from Local System – INVISIBLEFERRET collects host information, files, browser data, and crypto wallet credentials from compromised systems (“sends an initial beacon with the victim’s hostname, username, operating system… exfiltrating files, directories and subdirectories”).
- [T1499] Endpoint Denial of Service (used for persistence via immutability) – Technique leveraged conceptually by storing payloads in immutable smart contracts to maintain persistent availability and resist takedown (“Once a smart contract is deployed, the malicious code within it typically cannot be easily removed or altered”).
- [T1195] Supply Chain Compromise – The smart contract was linked to a supply chain attack that impacted React Native Aria and GlueStack via compromised npm packages (“linked to a software supply chain attack that impacted React Native Aria and GlueStack via compromised npm packages”).
Indicators of Compromise
- [SHA256 Hash (ZIP Archive)] ZIP containing initial downloader – 970307708071c01d32ef542a49099571852846a980d6e8eb164d2578147a1628
- [SHA256 Hash (Initial JavaScript Downloader)] JADESNOW sample – 01fd153bfb4be440dd46cea7bebe8eb61b1897596523f6f6d1a507a708b17cc7
- [BSC Address (Smart Contract)] Contract hosting JADESNOW payload on BNB Smart Chain – 0x8eac3198dd72f3e07108c4c7cff43108ad48a71c
- [BSC Address (Attacker-Controlled)] Owner address of malicious contract – 0x9bc1355344b54dedf3e44296916ed15653844509
- [Ethereum Transaction Hash] INVISIBLEFERRET.JAVASCRIPT payload – 0x86d1a21fd151e344ccc0778fd018c281db9d40b6ccd4bdd3588cb40fade1a33a
- [Ethereum Transaction Hash] Split INVISIBLEFERRET payload – 0xc2da361c40279a4f2f84448791377652f2bf41f06d18f19941a96c720228cd0f
- [Ethereum Transaction Hash] INVISIBLEFERRET credential stealer payload – 0xf9d432745ea15dbc00ff319417af3763f72fcf8a4debedbfceeef4246847ce41
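Because the loader reads the contract through centralized blockchain API providers rather than a full node, outbound JSON-RPC reads from developer hosts that reference the on-chain indicators above are a practical detection hook. The following is an added detection example, not code from GTIG or the report; it assumes an egress proxy log of the constructed form `timestamp host provider verb body` and a placeholder provider hostname (rpc-provider.example), and matches the report's contract, owner and transaction indicators inside `eth_call` and `eth_getTransactionByHash` requests.

```python
import json

# Indicators from the GTIG report, stored lowercase; matching is case-insensitive.
ETHERHIDING_IOCS = {
    "0x8eac3198dd72f3e07108c4c7cff43108ad48a71c": "BSC contract hosting the JADESNOW payload",
    "0x9bc1355344b54dedf3e44296916ed15653844509": "attacker-controlled owner of the contract",
    "0x86d1a21fd151e344ccc0778fd018c281db9d40b6ccd4bdd3588cb40fade1a33a": "INVISIBLEFERRET.JAVASCRIPT tx",
    "0xc2da361c40279a4f2f84448791377652f2bf41f06d18f19941a96c720228cd0f": "split INVISIBLEFERRET tx",
    "0xf9d432745ea15dbc00ff319417af3763f72fcf8a4debedbfceeef4246847ce41": "credential stealer tx",
}
# JSON-RPC methods a loader needs in order to read contract state or a stored transaction.
READ_METHODS = {"eth_call", "eth_getTransactionByHash"}

def match_rpc_body(body: str):
    """Parse one JSON-RPC request body; return (method, [(ioc, description), ...])."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return None, []
    method = req.get("method", "")
    if method not in READ_METHODS:
        return method, []
    params = json.dumps(req.get("params", [])).lower()
    # Drop the 0x prefix so an address padded into calldata still matches.
    return method, [(ioc, desc) for ioc, desc in ETHERHIDING_IOCS.items() if ioc[2:] in params]

def find_etherhiding_reads(log_text: str):
    """Scan lines of the assumed format 'timestamp host provider verb body'; return alerts."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue
        ts, host, provider, _verb, body = parts
        method, hits = match_rpc_body(body)
        for ioc, desc in hits:
            alerts.append({"time": ts, "host": host, "provider": provider,
                           "method": method, "ioc": ioc, "description": desc})
    return alerts

# Constructed sample log (not real traffic): an egress proxy recording JSON-RPC POST bodies.
SAMPLE_LOG = """\
2025-10-17T09:12:01Z dev-laptop-07 rpc-provider.example POST {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x8EAC3198DD72F3E07108C4C7CFF43108AD48A71C","data":"0x"},"latest"]}
2025-10-17T09:12:02Z dev-laptop-07 rpc-provider.example POST {"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]}
2025-10-17T09:12:05Z dev-laptop-07 rpc-provider.example POST {"jsonrpc":"2.0","id":3,"method":"eth_getTransactionByHash","params":["0xf9d432745ea15dbc00ff319417af3763f72fcf8a4debedbfceeef4246847ce41"]}
2025-10-17T09:13:40Z build-agent-02 rpc-provider.example POST {"jsonrpc":"2.0","id":4,"method":"eth_call","params":[{"to":"0xabababababababababababababababababababab","data":"0x"},"latest"]}
"""

for alert in find_etherhiding_reads(SAMPLE_LOG):
    print(f"{alert['time']} {alert['host']} {alert['method']} -> {alert['description']} ({alert['ioc']})")
```

Only the two reads that touch the report's indicators are flagged; the unrelated contract call and the block-number query pass through, so the rule stays narrow enough to run against developer workstations without flooding on legitimate Web3 work.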
Read more: https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding/