
Nation-State Hackers Use “Bulletproof” Blockchains to Spread Malware

Summary

– North Korean hacking groups are using public cryptocurrency blockchains to distribute malware from “bulletproof” hosts that resist takedowns.
– This technique, called EtherHiding, embeds malware in smart contracts on blockchains like Ethereum to infect targets with credential stealers.
– EtherHiding provides a next-generation, DIY hosting method: because every node replicates the contract's storage and no third party can alter or remove it, the payload stays available without depending on any central authority.
– Google researchers describe this as a shift where blockchain technology is repurposed for malicious ends, showing cyber threats’ evolution.
– EtherHiding offers advantages over traditional malware delivery methods, including compromised servers and conventional bulletproof hosting.

State-sponsored hacking collectives, including one operating on behalf of North Korea, have adopted a disturbingly cheap and resilient method for spreading malicious software. They are now concealing malware directly within public cryptocurrency blockchains, effectively creating their own “bulletproof” hosting infrastructure. This approach grants them a platform that is nearly impossible for law enforcement or security experts to dismantle. Historically, such bulletproof hosting relied on servers situated in countries that ignore international legal treaties, often charging criminals high fees for distributing malware, illegal content, or contraband from underground markets.

Google’s Threat Intelligence Group revealed in a recent report that since February it has tracked at least two separate hacking collectives utilizing this novel technique. Dubbed “EtherHiding,” the process involves embedding malicious code inside smart contracts. These contracts function as self-executing applications that live on blockchains like Ethereum. They automatically enforce agreed-upon terms between parties once specific conditions are met, operating in a theoretically unchangeable and decentralized manner without any central oversight. The practical asymmetry is worth spelling out: the contract’s code is fixed once deployed, but the data it stores can be rewritten by whoever controls the contract, so the attacker can swap in a new payload at will while defenders cannot delete the old one. Retrieving the payload is a read-only call answered locally by any node, which costs no gas and leaves no transaction on the chain, so the victim’s fetch is not recorded anywhere a defender could later audit.
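As an added illustration (not code from Google's report or the Ars Technica article), the block below shows the two halves of the retrieval step described above: the shape of the JSON-RPC `eth_call` a loader sends to read a contract's string storage, and how an analyst decodes the ABI-encoded `string` that comes back to recover and triage the staged payload. The contract address, function selector and payload are constructed placeholders, not identifiers from any real campaign.

```python
"""
Decode the ABI-encoded `string` return of an eth_call and flag script content.

Added example for this article; not code from Google's report. The contract
address, selector and payload below are constructed, not real indicators.
"""
import json

# Hypothetical 4-byte selector and contract address; in a real loader the
# selector is the first 4 bytes of keccak256 of the getter's signature.
ASSUMED_SELECTOR = "0xdeadbeef"
ASSUMED_CONTRACT = "0x" + "11" * 20


def build_eth_call_request(contract: str, selector: str, req_id: int = 1) -> dict:
    """JSON-RPC body a loader sends. eth_call is executed locally by the node:
    no gas, no on-chain transaction, so the read itself leaves no chain record."""
    return {
        "jsonrpc": "2.0",
        "id": req_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def abi_encode_string(s: str) -> str:
    """ABI layout for a single `string` return value:
    word 0 = offset (32), word 1 = byte length, then data right-padded to 32."""
    raw = s.encode()
    head = (32).to_bytes(32, "big")
    length = len(raw).to_bytes(32, "big")
    padded = raw + b"\x00" * ((32 - len(raw) % 32) % 32)
    return "0x" + (head + length + padded).hex()


def abi_decode_string(hexdata: str) -> str:
    """Inverse of abi_encode_string with bounds checks on offset and length."""
    data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(data) < 64:
        raise ValueError("too short for a dynamic string return")
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        raise ValueError("offset points outside the return data")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("declared length exceeds return data")
    return data[start:start + length].decode("utf-8", errors="replace")


# Crude triage markers: strings an analyst would not expect in benign contract data.
SCRIPT_MARKERS = ("<script", "eval(", "atob(", "document.write", "fetch(", "new function")


def looks_like_script(payload: str) -> bool:
    lower = payload.lower()
    return any(marker in lower for marker in SCRIPT_MARKERS)


def inspect_eth_call_response(response_json: str) -> dict:
    """Decode a captured eth_call response and report whether it carries script."""
    resp = json.loads(response_json)
    result = resp.get("result")
    if not isinstance(result, str) or not result.startswith("0x"):
        return {"decoded": None, "suspicious": False, "reason": "no hex result"}
    try:
        decoded = abi_decode_string(result)
    except ValueError as exc:
        return {"decoded": None, "suspicious": False, "reason": str(exc)}
    return {"decoded": decoded, "suspicious": looks_like_script(decoded), "reason": "ok"}


# Constructed sample response: what a loader would receive from the node.
SAMPLE_PAYLOAD = '<script>eval(atob("Y29uc29sZS5sb2coImhpIik="))</script>'
SAMPLE_RESPONSE = json.dumps(
    {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(SAMPLE_PAYLOAD)}
)

if __name__ == "__main__":
    print(json.dumps(build_eth_call_request(ASSUMED_CONTRACT, ASSUMED_SELECTOR), indent=2))
    print(json.dumps(inspect_eth_call_response(SAMPLE_RESPONSE), indent=2))
```

The decoder deliberately validates the offset and length words before slicing: a node response is attacker-influenced data, and a truncated or malformed return should fail loudly rather than yield a partial payload that looks benign. Hunting for this pattern means looking at the client side (a site's JavaScript issuing `eth_call` to a public RPC endpoint), since nothing about the read is visible on the chain itself.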

Security analysts Blas Kojusner, Robert Wallace, and Joseph Dobson from Google described this development as a significant move toward a new generation of do-it-yourself, tamper-proof hosting. They noted that attackers are now co-opting the fundamental properties of blockchain technology for harmful purposes, highlighting the relentless evolution of digital threats as adversaries find fresh ways to exploit emerging tools.

The benefits of EtherHiding are substantial when compared to older malware distribution channels, which include using traditional bulletproof hosting services or hijacking vulnerable web servers. This method provides attackers with a robust, persistent, and low-cost infrastructure that is inherently resistant to takedown efforts.

(Source: Ars Technica)
