North Korean threat actors turn blockchains into malware delivery servers

Nation-state threat actors and cybercriminals are increasingly abusing cryptocurrency blockchains to host malicious payloads with a technique known as “EtherHiding,” which makes their attacks harder to detect and take down.

“Google Threat Intelligence Group (GTIG) has observed the North Korea (DPRK) threat actor UNC5342 using ‘EtherHiding’ to deliver malware and facilitate cryptocurrency theft — the first time GTIG has observed a nation-state actor adopting this method,” researchers from Google wrote in a new report.

While this marks the first reported use of EtherHiding by a nation-state threat actor, Google has observed the technique being used and refined over the past year by cybercriminal group UNC5142, which compromises WordPress websites to distribute infostealers to visitors.

The technique leverages smart contracts, which act like programs stored on a blockchain, executing code when triggered. Attackers have learned to use these as command-and-control (C2) servers to return malicious payloads when the contracts execute after specific conditions are met.

Resilient and decentralized C2 infrastructure

One clear benefit of abusing smart contracts in this way is that they are immutable. Compared to malware hosted on a rented or compromised server, a smart contract is very hard for security companies or law enforcement agencies to take down, because cryptocurrency blockchains are by design highly decentralized.

To make things even harder, attackers use a chain of multiple smart contracts that reference one another, and they encrypt the payload so that it’s not easily detectable with scanning tools.

“In essence, EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends,” Google’s researchers said. “This technique underscores the continuous evolution of cyber threats as attackers adapt and leverage new technologies to their advantage.”

Used in North Korean fake recruitment campaigns

As opposed to other nation-state actors, North Korean APT groups are known to conduct cybercriminal activity in addition to cyberespionage, because their goal includes gathering funds for the regime.

One way they do this is by stealing cryptocurrency from companies and individuals. Between 2017 and 2023, it is estimated that North Korea generated $1.7 billion from cryptocurrency thefts.

This has also been the task of UNC5342, which has been behind social engineering campaigns that lure software developers with fake job applications on LinkedIn and recruitment websites.

The fake recruiters move the conversation with candidates to Discord or Telegram and ask them to take a technical assessment that involves downloading poisoned code repositories from GitHub. In other variations, candidates are invited to a video interview, then a ClickFix-type error message is displayed that requires them to download software to fix a problem.

The first-stage malware is usually malicious JavaScript code hosted in a rogue npm repository. Its purpose is to download and deploy second-stage trojans that steal cryptocurrency wallets, browser extension data, and locally stored credentials. GTIG calls this first-stage malware the JADESNOW downloader.

“JADESNOW utilizes EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum,” the researchers said. “The input data stored in the smart contract may be Base64-encoded and XOR-encrypted. The final payload in the JADESNOW infection chain is usually a more persistent backdoor like INVISIBLEFERRET.JAVASCRIPT.”

Furthermore, the INVISIBLEFERRET backdoor’s code might be split across different smart contracts, and when executed, it might download additional payloads stored at different blockchain addresses, such as a Python-based information stealer.
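An added analysis helper for the Base64-plus-XOR layering the report describes (this is not code from the report or from JADESNOW): given the Base64 text an analyst has pulled out of a contract's stored input data, it tries the plain Base64 case first and then every single-byte XOR key, accepting a candidate only when it decodes to something that reads like script. The single-byte key, the scoring heuristic and the sample payload are assumptions.

```javascript
// Added analysis helper, not code from the report or from JADESNOW itself.
// Input: the Base64 text an analyst copied out of a contract's stored input data.
// The report says the XOR layer "may be" present, so the plain Base64 case is
// tried first, then every single-byte XOR key. Assumption: a one-byte repeating
// key; a longer key needs a wider search than this helper performs.

function looksLikeScript(text) {
  // At least 95% printable ASCII/whitespace plus one JavaScript construct.
  let printable = 0;
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    if ((c >= 0x20 && c < 0x7f) || c === 0x09 || c === 0x0a || c === 0x0d) printable++;
  }
  const ratio = text.length ? printable / text.length : 0;
  return ratio >= 0.95 && /\bfunction\b|\brequire\(|\bconst\s|\beval\(/.test(text);
}

function xorBytes(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key[i % key.length];
  return out;
}

// Returns { key, text } with key === null when no XOR layer was needed, or null
// when neither the plain nor any single-byte-keyed decoding looks like a script.
function recoverPayload(b64) {
  const raw = Buffer.from(b64, "base64");
  const plain = raw.toString("latin1");
  if (looksLikeScript(plain)) return { key: null, text: plain };
  for (let k = 1; k < 256; k++) {
    const candidate = xorBytes(raw, Buffer.from([k])).toString("latin1");
    if (looksLikeScript(candidate)) return { key: k, text: candidate };
  }
  return null;
}

// Constructed sample: a harmless script wrapped the way the report describes
// (XOR, then Base64). The key 0x5a is arbitrary.
const SAMPLE_KEY = 0x5a;
const SAMPLE_SCRIPT = 'const next = require("./stage2"); function run() { return next(); }';
const SAMPLE_XOR_B64 = xorBytes(Buffer.from(SAMPLE_SCRIPT, "latin1"),
  Buffer.from([SAMPLE_KEY])).toString("base64");
const SAMPLE_PLAIN_B64 = Buffer.from(SAMPLE_SCRIPT, "latin1").toString("base64");

console.log(recoverPayload(SAMPLE_XOR_B64));   // key 90 (0x5a), text = SAMPLE_SCRIPT
console.log(recoverPayload(SAMPLE_PLAIN_B64)); // key null, text = SAMPLE_SCRIPT
```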

The malicious JavaScript downloader used by UNC5342 queries the Ethereum or BNB chains through several blockchain explorer API services, often with free API keys. While some of these services might respond to takedown requests, others are non-responsive. But using third-party API services is not the only way to read or trigger smart contracts, as demonstrated by separate threat actor UNC5142.

The ClickFix campaigns

The UNC5142 cybercriminal group has been known for distributing infostealer programs since 2023 using fake Google Chrome update pop-ups displayed to visitors on compromised websites. These fake browser update pop-ups were generated through a malicious JavaScript framework that Proofpoint researchers previously dubbed CLEARFAKE.

Google’s researchers have tracked an evolution of this framework they call CLEARSHORT, which downloads additional malicious payloads from smart contracts deployed on the BNB Smart Chain.

“The CLEARSHORT landing page leverages ClickFix, a popular social engineering technique aimed at luring victims to locally run a malicious command using the Windows Run dialog box,” the researchers said.

UNC5142 primarily targets WordPress websites. Google has tracked more than 14,000 web pages that display signs of compromise by UNC5142, which injects its malicious code into existing WordPress plugins, themes, or databases.

The malicious CLEARSHORT code leverages Web3.js, a library that allows interaction with Ethereum nodes over transports such as HTTP, IPC, or WebSocket. This library is used to connect to the BNB Smart Chain through a public node.
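An added detection example covering both retrieval paths the article describes: the Web3.js path above, where a script sends JSON-RPC `eth_call` requests straight to a public node, and the JADESNOW path described earlier, where the contract is read through a blockchain explorer API. This is not code from Google, the report or the actors it names; the EDR-style log schema, the hostnames and the Etherscan-compatible `module=proxy&action=eth_call` query format are assumptions.

```javascript
// Added detection example, not code from the report, Google or the actors it names.
// Scans constructed EDR-style JSON lines of outbound HTTP requests for contract
// reads: JSON-RPC "eth_call" sent to a node (Web3.js path) and explorer APIs queried
// with Etherscan-style "module=proxy&action=eth_call" parameters (JADESNOW path).
// Browsers and wallets legitimately make such calls, so only other processes alert.

const BROWSER_PROCESSES = new Set(["chrome.exe", "firefox.exe", "msedge.exe", "brave.exe"]);

function classifyRequest(rec) {
  let url; try { url = new URL(rec.url); } catch { return null; }
  const q = url.searchParams;
  if (q.get("module") === "proxy" && q.get("action") === "eth_call") {
    return "explorer-api-eth_call";
  }
  if (rec.body) {
    let rpc; try { rpc = JSON.parse(rec.body); } catch { return null; }
    const calls = Array.isArray(rpc) ? rpc : [rpc];   // JSON-RPC allows batches
    if (calls.some((c) => c && c.method === "eth_call")) return "json-rpc-eth_call";
  }
  return null;
}

// Returns one alert per contract read issued by a non-browser process.
function findEtherHidingCandidates(lines) {
  const alerts = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }  // skip malformed lines
    const kind = classifyRequest(rec);
    if (!kind || BROWSER_PROCESSES.has(String(rec.process).toLowerCase())) continue;
    alerts.push({ host: rec.host, process: rec.process, kind, url: rec.url });
  }
  return alerts;
}

// Constructed sample log; record shape and hostnames are placeholders, not real services.
const ZERO_ADDR = "0x" + "0".repeat(40);
const SAMPLE_LOG = [
  { ts: "2025-10-16T09:12:01Z", host: "dev-ws-07", process: "node.exe",
    url: "https://rpc.node.example/", body: JSON.stringify({ jsonrpc: "2.0", id: 1,
      method: "eth_call", params: [{ to: ZERO_ADDR, data: "0x" }, "latest"] }) },
  { ts: "2025-10-16T09:12:05Z", host: "dev-ws-07", process: "powershell.exe",
    url: `https://explorer.example/api?module=proxy&action=eth_call&to=${ZERO_ADDR}`, body: "" },
  { ts: "2025-10-16T09:13:00Z", host: "acct-pc-02", process: "chrome.exe",
    url: "https://rpc.node.example/", body: JSON.stringify({ jsonrpc: "2.0", id: 7,
      method: "eth_call", params: [] }) },
  { ts: "2025-10-16T09:13:30Z", host: "dev-ws-07", process: "node.exe",
    url: "https://registry.example/pkg.tgz", body: "" },
].map((r) => JSON.stringify(r));
```

Running `findEtherHidingCandidates(SAMPLE_LOG)` yields two alerts, both for dev-ws-07; the browser-originated call and the package download are ignored.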

UNC5142’s use of smart contracts has evolved over time from storing the payload in a single contract to now splitting different attack components into three separate ones, enabling different parts of the attack to be upgraded individually.

“This new architecture is an adaptation of a legitimate software design principle known as the proxy pattern, which developers use to make their contracts upgradable,” the researchers said. “A stable, unchangeable proxy forwards calls to a separate second-level contract that can be replaced to fix bugs or add features.”

Source: North Korean threat actors turn blockchains into malware delivery servers | CSO Online