A new wave of cyberattacks is exploiting the decentralized nature of blockchain technology. North Korean state-sponsored threat actors, identified as UNC5342, are now using public blockchains like Ethereum and BNB to host malicious code. This innovative, yet dangerous, approach allows them to deploy cryptocurrency-stealing malware onto unsuspecting developers’ systems, according to Google’s Threat Intelligence Group (GTIG).
NK Hackers Use Blockchain to Hide Crypto Malware: Google
The hackers embed parts of the malware into blockchain transactions and smart contracts instead of sending malicious files directly, which makes detection significantly more difficult and represents a disturbing trend in cyber warfare. The use of blockchain for malicious purposes highlights the need for enhanced security measures within the cryptocurrency and software development communities, and understanding how to protect your crypto wallet is the first step.
How EtherHiding Works
The “EtherHiding” technique relies on encoding malicious code within blockchain transactions and smart contracts. When a user interacts with these contracts – for example, by clicking a link or connecting a crypto wallet – the embedded code can be triggered. While the smart contract itself doesn’t automatically execute malware, it delivers instructions or code when a user interacts with it. This interaction initiates the download and execution of the malware.
The blockchain’s inherent characteristics make it an ideal platform for hosting and distributing malware. Its public and immutable nature ensures the code is readily accessible and nearly impossible to tamper with or take down, which makes it a highly resilient method of attack.
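The retrieval step described above is a read-only contract call: the victim's loader asks an RPC node for a value stored in the contract and receives it as ABI-encoded return data. The following added example (not code from Google's report or from the actors' tooling) shows what a defender can do with that traffic: decode the `string` value an `eth_call` response carries and flag responses that contain script-like content rather than the configuration text such a call would normally return. The JSON-RPC log lines are constructed, and the assumption that the payload is returned as a single ABI `string` is the example's own, not a detail stated on the page.

```python
"""Flag eth_call responses whose ABI-encoded string return value looks like script.

Added example for detection engineering; the log lines below are constructed.
"""
import json
import re
from typing import Dict, List


def abi_encode_string(text: str) -> str:
    """ABI-encode one dynamic `string` return value the way eth_call returns it:
    32-byte offset (0x20), 32-byte length, then UTF-8 bytes right-padded to 32."""
    raw = text.encode("utf-8")
    padded = raw + b"\x00" * ((32 - len(raw) % 32) % 32)
    head = (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode one ABI `string` return value; raises ValueError on malformed data."""
    data = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(data) < 64:
        raise ValueError("return data too short for a dynamic string")
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        raise ValueError("string offset points outside return data")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("string length exceeds return data")
    return data[start:start + length].decode("utf-8", errors="replace")


# Heuristic markers of executable JavaScript inside data that should be plain text.
SCRIPT_INDICATORS: Dict[str, re.Pattern] = {
    "eval-call": re.compile(r"\beval\s*\("),
    "function-constructor": re.compile(r"\bFunction\s*\("),
    "base64-decode": re.compile(r"\batob\s*\("),
    "script-tag": re.compile(r"<script\b", re.IGNORECASE),
    "dynamic-script-load": re.compile(r"createElement\s*\(\s*['\"]script['\"]"),
}


def classify_payload(payload: str) -> List[str]:
    """Return the names of every indicator that matches the decoded payload."""
    return [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(payload)]


def scan_rpc_log(lines: List[str]) -> List[dict]:
    """Walk JSON-RPC response lines and report those whose decoded string is script-like.

    Lines that are not JSON, have no hex `result`, or do not decode as an ABI
    string are skipped: the goal is low noise, not a complete inventory."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        result = rec.get("result")
        if not isinstance(result, str) or not result.startswith("0x"):
            continue
        try:
            payload = abi_decode_string(result)
        except ValueError:
            continue
        hits = classify_payload(payload)
        if hits:
            findings.append({
                "id": rec.get("id"),
                "indicators": hits,
                "payload_bytes": (len(result) - 2) // 2,
            })
    return findings


# Constructed responses: one benign config string, one script-like string, one
# empty result and one non-JSON line, as a proxy log might capture them.
SAMPLE_RPC_LOG = [
    json.dumps({"jsonrpc": "2.0", "id": 1,
                "result": abi_encode_string('{"version":"1.2.0","region":"eu"}')}),
    json.dumps({"jsonrpc": "2.0", "id": 2,
                "result": abi_encode_string('eval(atob("Y29uc29sZS5sb2coImNvbnN0cnVjdGVkIik="))')}),
    json.dumps({"jsonrpc": "2.0", "id": 3, "result": "0x"}),
    "not json at all",
]

if __name__ == "__main__":
    for finding in scan_rpc_log(SAMPLE_RPC_LOG):
        print(finding)
```

The decoder validates the offset and length fields before slicing so a truncated or hostile response raises instead of mis-indexing, and the indicator list is deliberately small; in practice it would be tuned against the contracts a development team legitimately reads from, since the interesting signal is a read-only call that returns code where only data is expected.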
Next-Generation Bulletproof Hosting
Google emphasizes that EtherHiding represents “a shift toward next-generation bulletproof hosting.” Traditional bulletproof hosting services offer anonymity and resilience to malicious actors, but they are often subject to takedowns by law enforcement. Blockchain, however, offers a level of resilience that is difficult to match, which makes it enticing to cybercriminals.
This isn’t the first instance of blockchain being used for malware delivery. The technique has been observed since 2023. Google’s report also mentions UNC5142, a financially motivated actor, employing similar methods. This highlights the growing trend of using blockchain for malicious purposes.
Threat Actor Comparison
| Technique | Actor | Motivation | Blockchain Used |
|---|---|---|---|
| EtherHiding | UNC5342 (North Korea) | Cryptocurrency Theft | Ethereum, BNB |
| Compromised WordPress Sites | UNC5142 | Financial | Various |