If you are a software developer looking for a job, North Korean scammers have a deal for you, delivered over the blockchain. According to Google’s Threat Intelligence Group (GTIG), these gangs have recently adopted a technique called EtherHiding, hiding malware in blockchain smart contracts to go unnoticed and ultimately steal victims’ cryptocurrency and credentials.
A squad of Pyongyang thugs that GTIG tracks under the name UNC5342 has been using this method since February in its Contagious Interview campaign, we’re told.
Criminals pose as recruiters and publish fake profiles on social networks, much like the Lazarus group’s Operation Dream Job, which lures job seekers into clicking malicious links. But in this case, the Norks target software developers, especially those working in the cryptocurrency and technology sectors, tricking them into downloading malware disguised as coding tests, ultimately stealing sensitive information and cryptocurrency while gaining long-term access to corporate networks.
Hiding on the blockchain
They do this using EtherHiding, which involves embedding malicious code in a smart contract on a public blockchain, thereby turning the blockchain into a decentralized, stealthy command-and-control server.
Because it is decentralized, there is no central server for law enforcement to take down, and the blockchain makes it difficult to trace the identity of whoever deployed the smart contract. It also lets attackers retrieve malicious payloads using read-only calls, which leave no visible transaction history on the blockchain.
“Essentially, EtherHiding represents an evolution toward next-generation bulletproof hosting, where the inherent characteristics of blockchain technology are repurposed for malicious purposes,” Google threat hunters Blas Kojusner, Robert Wallace and Joseph Dobson said in a report released Thursday.
As with previous Contagious Interview campaigns, this one begins by creating realistic profiles on LinkedIn and job boards, often posing as someone who works at a well-known tech or cryptocurrency company. They use these profiles to contact developers with job offers, and if the developers take the bait, the fake recruiters initiate the interview process.
Typically, this involves establishing a relationship with the job seeker before moving conversations to Telegram or Discord, then sending the victim what purports to be a coding test or project to review, requiring them to download files from GitHub or other repositories.
Multi-stage infection
Of course, these are not real tests but files containing malware, and once the job seeker downloads them to their computer, they trigger a multi-stage infection that ultimately leads to the theft of credentials and cryptocurrency and the compromise of the entire machine.
The initial downloader is usually hosted on the npm registry and downloads the second-stage JavaScript-based malware – usually BEAVERTAIL and/or JADESNOW – which seeks out and steals sensitive data such as cryptocurrency wallets, browser extension data and credentials.
JADESNOW uses EtherHiding to retrieve, decrypt and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum. This malware is linked to this particular North Korean crew and, according to the Googlers, its use marks “UNC5342’s move to EtherHiding to serve the INVISIBLEFERRET third-stage backdoor.”
This final payload provides intruders with a more persistent backdoor into the victim’s machine. INVISIBLEFERRET, a JavaScript-based backdoor with an additional Python theft component, allows attackers to remotely control compromised computers and use this access for long-term surveillance, credential and cryptocurrency theft, and lateral movement.
“EtherHiding presents new challenges as traditional campaigns have typically been disrupted by blocking known domains and IP addresses,” the security researchers wrote. “Malware authors can leverage blockchain to perform further steps of malware propagation because smart contracts operate autonomously and cannot be stopped.”
The good news: there are steps administrators can take to blunt EtherHiding attacks, the first – and most direct – being to block malicious downloads. This usually involves setting a policy to block certain file types, including .exe, .msi, .bat, and .dll.
Administrators can also set policies to block access to known malicious websites and blockchain node URLs, and enforce safe browsing through policies that use real-time threat intelligence to warn users of phishing sites and suspicious downloads. ®