Smart Contract Malware Insights
Creating or adjusting a smart contract usually costs under $2 per transaction. This is a noteworthy reduction in both cost and effort compared with traditional malware distribution methods.
The EtherHiding activity observed relied on social engineering, particularly fake job listings used to attract targets, many of whom were developers of cryptocurrency applications and online services. As part of the selection process, candidates had to complete a test to showcase their coding or code review abilities. Unfortunately, the files for the test included malicious code.
The infection chain proceeds through several stages of malware installation. The final payloads are executed via smart contracts that the hackers host on the Ethereum and BNB Smart Chain blockchains, which accept uploads from any user.
In one scenario, a North Korea-linked group identified as UNC5342 uses an early-stage malware known as JADESNOW to acquire more advanced malware from both the BNB Smart Chain and Ethereum blockchains. Google researchers noted the following:
It’s not common for threat actors to operate across multiple blockchains for EtherHiding endeavors. This could suggest that there’s some fragmentation in North Korea’s cyber operatives. Furthermore, these campaigns often take advantage of EtherHiding’s adaptability to update their infection methods and alter where they deliver their payloads. For instance, the JADESNOW downloader can shift from retrieving payloads on Ethereum to those on the BNB Smart Chain. This not only complicates analysis but also utilizes the lower transaction fees available on alternative networks.
Additionally, researchers found that another financially motivated group, UNC5142, also engaged in EtherHiding.
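Defenders can look for this pattern in egress logs. The following is an added detection example, not code from Google's research or from the campaigns described; it assumes payload retrieval shows up as read-only JSON-RPC requests in proxy logs (the article does not state the retrieval method), and the log format, hostnames, process names and addresses are constructed placeholders.

```python
import json
from collections import defaultdict

# Defender-maintained map of RPC endpoint -> chain (constructed placeholder hostnames).
RPC_ENDPOINTS = {"eth-rpc.example": "ethereum", "bsc-rpc.example": "bnb-smart-chain"}
# Read-only JSON-RPC methods: they return on-chain data without sending a transaction.
READ_METHODS = {"eth_call", "eth_getTransactionByHash", "eth_getStorageAt"}
# Processes expected to query a chain in this environment (assumption; tune locally).
EXPECTED_PROCESSES = {"wallet-app"}

# Constructed proxy log, one JSON record per line; addresses and hashes are placeholders.
SAMPLE_LOG = "\n".join([
    '{"host":"dev-17","process":"node","dest":"eth-rpc.example","body":{"method":"eth_call","params":[{"to":"0xCONTRACT_A"},"latest"]}}',
    '{"host":"dev-17","process":"node","dest":"bsc-rpc.example","body":{"method":"eth_call","params":[{"to":"0xCONTRACT_B"},"latest"]}}',
    '{"host":"dev-17","process":"node","dest":"bsc-rpc.example","body":{"method":"eth_getTransactionByHash","params":["0xTXHASH_PLACEHOLDER"]}}',
    '{"host":"dev-22","process":"wallet-app","dest":"eth-rpc.example","body":{"method":"eth_call","params":[{"to":"0xCONTRACT_C"},"latest"]}}',
    '{"host":"dev-30","process":"python","dest":"bsc-rpc.example","body":{"method":"eth_call","params":[{"to":"0xCONTRACT_B"},"latest"]}}',
    '{"host":"dev-31","process":"node","dest":"eth-rpc.example","body":{"method":"eth_sendRawTransaction","params":["0xRAW"]}}',
    'truncated or non-JSON line',
])

def find_suspicious_readers(log_text):
    """Group unexpected read-only chain queries by (host, process); reading from
    more than one chain, as the downloader's chain switching would, rates 'high'."""
    seen = defaultdict(lambda: {"chains": set(), "calls": 0})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        body = rec.get("body")
        method = body.get("method") if isinstance(body, dict) else None
        chain = RPC_ENDPOINTS.get(rec.get("dest"))
        if chain is None or method not in READ_METHODS:
            continue  # not a known RPC endpoint, or not a read-only query
        if rec.get("process") in EXPECTED_PROCESSES:
            continue
        entry = seen[(rec.get("host", "?"), rec.get("process", "?"))]
        entry["chains"].add(chain)
        entry["calls"] += 1
    return [{"host": host, "process": proc, "chains": sorted(e["chains"]),
             "calls": e["calls"], "severity": "high" if len(e["chains"]) > 1 else "medium"}
            for (host, proc), e in sorted(seen.items())]

if __name__ == "__main__":
    for finding in find_suspicious_readers(SAMPLE_LOG):
        print(finding)
```

On a developer workstation, a script runtime such as `node` reading contract data shortly after an unsolicited coding test was unpacked is the combination worth triaging first.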
North Korea’s hacking skills, once thought to be rudimentary, have evolved significantly over the last decade. The country has initiated numerous high-profile attacks that showcase a marked improvement in capability, focus, and resources. Just two weeks ago, blockchain analysis firm Elliptic reported that nation-states are projected to steal over $2 billion in cryptocurrencies by 2025.





