North Korean Hackers Hide Malware on Blockchain

Summary
– Google Threat Intelligence Group has identified North Korea’s UNC5342 using a novel “EtherHiding” technique to distribute malware for stealing cryptocurrency and sensitive data.
– This marks the first time a nation-state threat actor has used blockchain to hide malware instructions, making their operations harder to detect and disrupt.
– UNC5342 employs social engineering in its “Contagious Interview” campaign to trick developers into installing malware across Windows, macOS, and Linux systems.
– The malware uses a multi-stage infection process with code stored on an immutable blockchain, allowing attackers to maintain anonymous control and update payloads easily.
– This technique provides resilience against takedowns, signaling an escalation in the threat landscape as noted by Mandiant Google Cloud’s Robert Wallace.
A newly identified hacking technique known as “EtherHiding” is being used by North Korean cyber operatives to conceal malicious software on public blockchain networks, according to findings from Google’s Threat Intelligence Group. This method allows attackers to embed harmful code instructions directly into decentralized, unchangeable blockchain records, making it extremely difficult for authorities to disrupt their activities. The campaign, which researchers have linked to the North Korean threat group UNC5342, specifically targets software developers through deceptive social engineering tactics.
Google’s investigation reveals that UNC5342 is the first state-sponsored hacking unit observed using EtherHiding to distribute malware. The group’s operation, previously identified by Palo Alto Networks as “Contagious Interview,” tricks developers into installing malicious programs by posing as legitimate recruitment or interview opportunities. Once a target interacts with the bait, a multi-stage infection process begins, impacting devices running Windows, macOS, and Linux.
By storing malicious code on the blockchain and using discreet read-only calls to retrieve it, the attackers maintain persistent, anonymous control over compromised systems. This setup allows them to update their malware as needed without relying on conventional servers that can be seized or blocked. The immutable nature of blockchain technology provides a durable and resilient infrastructure for malicious operations, complicating efforts by cybersecurity teams to dismantle the threat.
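The retrieval step described above gives defenders something concrete to look for: a read-only contract call whose returned data is not contract state at all but text meant to be executed. The following Python is an added example written for this page, not code from Google's or Mandiant's report. It assumes an EVM-style chain where the read-only call is the JSON-RPC method `eth_call` and the payload is returned as an ABI-encoded `string`; the log record layout, the host allow-list and the sample records are all constructed here for illustration.

```python
"""Flag eth_call traffic whose returned data decodes to script-like text.

Added example (not from the Google/Mandiant report). Assumes an egress proxy that
records JSON-RPC request/response pairs as one JSON object per line; that record
layout, the allow-list and the sample data below are constructed for this page.
"""
import json
import re
from typing import Optional

# Hypothetical allow-list: hosts with a legitimate reason to query blockchain RPC nodes.
BLOCKCHAIN_DEV_HOSTS = {"web3-build-01"}

# Heuristic tokens suggesting returned contract data is executable script rather than
# ordinary state such as a balance or address (constructed; tune for your environment).
SCRIPT_TOKENS = re.compile(
    r"eval\(|atob\(|fetch\(|XMLHttpRequest|function\s*\(|powershell|curl ", re.I
)


def abi_encode_string(s: str) -> str:
    """ABI-encode one `string` return value (used here only to build sample data)."""
    raw = s.encode()
    padded = raw + b"\x00" * ((32 - len(raw) % 32) % 32)
    head = (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big")
    return "0x" + head.hex() + padded.hex()


def abi_decode_string(hexdata: str) -> Optional[str]:
    """Decode one ABI-encoded `string` return value; None if the data is not one."""
    try:
        data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
        offset = int.from_bytes(data[:32], "big")
        if offset + 32 > len(data):
            return None  # offset points past the payload: not a string return
        length = int.from_bytes(data[offset:offset + 32], "big")
        body = data[offset + 32:offset + 32 + length]
        return body.decode("utf-8") if len(body) == length else None
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(log_text: str) -> list:
    """Return one finding per suspicious read-only contract call in the proxy log."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        req = rec.get("request", {})
        if req.get("method") != "eth_call":
            continue  # only read-only contract calls matter for this pattern
        decoded = abi_decode_string(rec.get("response", {}).get("result", ""))
        reasons = []
        if rec["src_host"] not in BLOCKCHAIN_DEV_HOSTS:
            reasons.append("eth_call from a host with no blockchain role")
        if decoded and SCRIPT_TOKENS.search(decoded):
            reasons.append("contract returned script-like text")
        if reasons:
            findings.append({
                "src_host": rec["src_host"],
                "contract": req["params"][0]["to"],
                "reasons": reasons,
                "preview": (decoded or "")[:60],
            })
    return findings


# Constructed sample records: one suspicious call, one benign balance lookup by an
# allow-listed build host, and one unrelated HTTP request. Contract addresses and
# selectors are placeholders; the returned base64 decodes to console.log(1).
SAMPLE_LOG = "\n".join([
    json.dumps({"src_host": "dev-laptop-17", "dst_host": "rpc.public-node.example",
                "request": {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                            "params": [{"to": "0x" + "ab" * 20, "data": "0x11111111"}, "latest"]},
                "response": {"jsonrpc": "2.0", "id": 1,
                             "result": abi_encode_string('eval(atob("Y29uc29sZS5sb2coMSk="))')}}),
    json.dumps({"src_host": "web3-build-01", "dst_host": "rpc.public-node.example",
                "request": {"jsonrpc": "2.0", "id": 2, "method": "eth_call",
                            "params": [{"to": "0x" + "cd" * 20, "data": "0x22222222"}, "latest"]},
                "response": {"jsonrpc": "2.0", "id": 2, "result": "0x" + "00" * 31 + "2a"}}),
    json.dumps({"src_host": "dev-laptop-17", "dst_host": "registry.example",
                "request": {"method": "GET"}, "response": {}}),
])

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(json.dumps(finding))
```

Both signals are deliberately weak on their own: developers on blockchain projects issue `eth_call` all day, and a contract may legitimately store arbitrary text. The combination of an unexpected source host and a decoded return value that looks like code is what makes a record worth a closer look, and it does not depend on blocking any particular RPC endpoint or contract address, which the article notes cannot be taken down anyway.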
Robert Wallace, a consulting leader at Mandiant Google Cloud and co-author of the report, emphasized the seriousness of this development. He stated that the adoption of blockchain-based malware distribution by nation-state actors represents a significant escalation in cyber threats. This approach not only resists law enforcement takedowns but also offers attackers the flexibility to quickly adapt their tools for different campaigns, increasing the potential for widespread damage.
The full technical analysis and detailed research are available in Google’s published blog post on the subject.
(Source: ITWire Australia)