MarketAlert – Real-Time Market & Crypto News, Analysis & Alerts
© Market Alert News. All Rights Reserved.

Norks abuse blockchains to scam job seekers, steal wallets

Last updated: October 17, 2025 2:00 am
Published: 6 months ago

If you’re a software developer looking for a job, North Korean scammers have an offer for you that’s off the chain, the blockchain that is. These gangs have recently adopted a technique called EtherHiding, hiding malware inside blockchain smart contracts to sneak past detection and ultimately swipe victims’ crypto and credentials, according to Google’s Threat Intelligence team.

A Pyongyang goon squad that GTIG tracks as UNC5342 has been using this method since February in its Contagious Interview campaign, we’re told.

The criminals pose as recruiters, posting fake profiles on social media along the lines of Lazarus Group’s Operation Dream Job, which tricked job seekers into clicking on malicious links. But in this case, the Norks target software developers, especially those working in cryptocurrency and tech, trick them into downloading malware disguised as a coding test, and ultimately steal sensitive information and cryptocurrency, while gaining long-term access to corporate networks.

To do this, they use EtherHiding, which involves embedding malicious code into a smart contract on a public blockchain, turning the blockchain into a decentralized and stealthy command-and-control server.

Because it’s decentralized, there isn’t a central server for law enforcement to take down, and the blockchain makes it difficult to trace the identity of whoever deployed the smart contract. This also allows attackers to retrieve malicious payloads using read-only calls with no visible transaction history on the blockchain.

“In essence, EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends,” Google’s threat hunters Blas Kojusner, Robert Wallace, and Joseph Dobson said in a Thursday report.

As with earlier Contagious Interview campaigns, this one starts with the attackers creating real-looking profiles on LinkedIn and job boards, often impersonating someone who works at a well-known tech or cryptocurrency firm. They use these profiles to reach out to developers with job offers, and if the developers bite the lure, the phony recruiters initiate the interview process.

Typically, this involves establishing a rapport with the job seeker before moving conversations to Telegram or Discord. The attackers then send the victim what purports to be a coding test or project to review, which requires downloading files from GitHub or other repositories.

Of course, these aren’t real tests but rather malware-laced files, and once the job seeker downloads them onto their computer, they kick off a multi-stage infection that ultimately leads to credential and cryptocurrency theft and full-machine compromise.

The initial downloader is typically hosted on the npm registry and it downloads the second-stage JavaScript-based malware – usually BEAVERTAIL and/or JADESNOW – that scans for and steals sensitive data like cryptocurrency wallets, browser extension data, and credentials.

JADESNOW uses EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum. This malware is linked to this particular North Korean crew, and according to the Googlers, using it marks “UNC5342’s shift towards EtherHiding to serve up the third-stage backdoor INVISIBLEFERRET.”

This final payload provides the intruders with a more persistent backdoor to the victim’s machine. INVISIBLEFERRET, a JavaScript-based backdoor with an additional Python stealer component, allows the attackers to remotely control compromised computers and use that access for long-term snooping, credential and cryptocurrency theft, and lateral movement.

“EtherHiding presents new challenges as traditional campaigns have usually been halted by blocking known domains and IPs,” the security researchers wrote. “Malware authors may leverage the blockchain to perform further malware propagation stages since smart contracts operate autonomously and cannot be shut down.”

The good news: there are steps administrators can take to prevent EtherHiding attacks, with the first – and most direct – being to block malicious downloads. This typically involves setting policy to block certain types of files including .exe, .msi, .bat, and .dll.

Admins can also set policy to block access to known malicious websites and URLs of blockchain nodes, and enforce safe browsing via policies that use real-time threat intelligence to warn users of phishing sites and suspicious downloads.
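
One way to act on the advice about blockchain node URLs, as an added example that is not from the article or Google's report: a Python check over web-proxy events that flags read-only JSON-RPC contract calls sent to monitored node hosts by unapproved processes. The event fields (`host`, `process`, `dest_host`, `body`), the hostnames and the process allowlist are assumptions, and the sample events are constructed.

```python
import json

# Assumption: node hostnames the organisation blocks or monitors (placeholders).
RPC_NODE_HOSTS = {"bsc-rpc.example.net", "eth-rpc.example.net"}
# Assumption: processes with an approved reason to query a node.
APPROVED_PROCESSES = {"approved-wallet.exe"}
# Standard Ethereum JSON-RPC read methods; none of them creates a transaction.
READ_ONLY_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode"}

def rpc_methods(body):
    """Return JSON-RPC method names from a request body (single or batch)."""
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return []  # missing or non-JSON body
    calls = parsed if isinstance(parsed, list) else [parsed]
    return [c["method"] for c in calls
            if isinstance(c, dict) and isinstance(c.get("method"), str)]

def find_suspicious_reads(log_lines):
    """Return (host, process, methods) for read-only calls by unapproved processes."""
    alerts = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # not a JSON event, e.g. a truncated log line
        if (not isinstance(event, dict)
                or str(event.get("dest_host", "")).lower() not in RPC_NODE_HOSTS
                or str(event.get("process", "")).lower() in APPROVED_PROCESSES):
            continue
        hits = sorted(set(rpc_methods(event.get("body"))) & READ_ONLY_METHODS)
        if hits:
            alerts.append((event.get("host"), event.get("process"), hits))
    return alerts

def _event(host, process, dest, body):
    return json.dumps({"host": host, "process": process, "dest_host": dest, "body": body})

# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    _event("dev-laptop-7", "node.exe", "bsc-rpc.example.net",
           '{"jsonrpc": "2.0", "id": 1, "method": "eth_call", "params": []}'),
    _event("dev-laptop-7", "node.exe", "eth-rpc.example.net",
           '[{"id": 1, "method": "eth_blockNumber"}, {"id": 2, "method": "eth_getStorageAt"}]'),
    _event("fin-ws-2", "approved-wallet.exe", "eth-rpc.example.net", '{"method": "eth_call"}'),
    _event("dev-laptop-9", "node.exe", "registry.example.org", "not json"),
    "truncated line {",
]
```

Inspecting the request body requires TLS inspection at the proxy or endpoint telemetry; without it, the destination-host match alone is the usable signal.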

This news is powered by TheRegister.com
