North Korean Hackers Leverage EtherHiding: Malware Distribution via Blockchain Smart Contracts

Alex Cipher

North Korean hackers have taken malware distribution to a new level by embedding malicious code directly into blockchain smart contracts—a technique known as EtherHiding. This approach, first detailed by Guardio Labs in 2023, leverages the decentralized and immutable nature of blockchains like Ethereum and Binance Smart Chain. By hiding malware within smart contracts, attackers gain a stealthy, low-cost, and highly resilient infrastructure for delivering payloads.

What makes EtherHiding especially alarming is its blend of technical innovation and classic social engineering. North Korean operators have lured developers with fake job interviews, using fabricated companies such as BlockNovas LLC and SoftGlide LLC. Unsuspecting candidates are tricked into running code as part of a technical assessment, unwittingly launching a chain of malware downloads that can steal credentials, exfiltrate files, and maintain persistent access—all while evading traditional detection methods. The use of blockchain not only complicates takedown efforts but also allows attackers to update their campaigns frequently and cheaply, with some contracts being modified over 20 times in just four months for as little as $1.37 per update (GTIG).

Understanding EtherHiding

Mechanism of EtherHiding

EtherHiding is a malware distribution technique that uses smart contracts on public blockchains, such as the Binance Smart Chain or Ethereum, to store and serve malicious payloads. It was first described by Guardio Labs in 2023. The attacker embeds the payload in a smart contract and deploys it on the blockchain, so that the malicious script can be retrieved whenever needed. Using the blockchain in this way provides anonymity, resistance to takedown actions, and flexible payload updating at very low cost. Because the payloads are fetched through read-only calls, which leave no visible transaction history, the retrieval itself adds a further layer of stealth.

Operational Advantages of EtherHiding

The operational advantages of EtherHiding are significant. The use of blockchain technology ensures that the malware distribution process is both cost-effective and difficult to disrupt. For instance, the transaction details of a particular campaign showed that the smart contract was updated over 20 times within the first four months, with each update costing an average of $1.37 USD in gas fees (GTIG). This low cost and high frequency of updates illustrate the attacker’s ability to easily change the campaign’s configuration. Moreover, the use of multiple blockchains for EtherHiding activity, such as both Ethereum and the BNB Smart Chain, complicates analysis and may indicate operational compartmentalization between teams of North Korean cyber operators.

Social Engineering Tactics

North Korean hackers have been known to employ social engineering tactics as part of their EtherHiding operations. These attacks typically begin with fake job interviews, a hallmark of DPRK’s social engineering strategies. Carefully fabricated entities, such as BlockNovas LLC, Angeloper Agency, and SoftGlide LLC, are used to target software and web developers. The victim is tricked into running code as part of the interview’s technical assessment, which executes a JavaScript downloader. This downloader is the initial stage of the infection chain, leading to the deployment of further malicious payloads.

Payload Delivery and Execution

The payload delivery mechanism in EtherHiding is both innovative and stealthy. The smart contract hosts a downloader, referred to as JADESNOW, which interacts with Ethereum to fetch the third-stage payload. This payload is a JavaScript version of the InvisibleFerret malware, typically used for long-term espionage (GTIG). The payload runs in memory and may request additional components from Ethereum, such as a credential stealer. This component targets sensitive information, including passwords, credit card details, and cryptocurrency wallet information stored on web browsers like Chrome and Edge. The malware operates in the background, listening for incoming commands from its command and control (C2) server, which can include executing arbitrary commands and exfiltrating files to an external server or Telegram.
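Because the read-only fetch described above leaves nothing on chain, the place a defender can still see it is the workstation's outbound JSON-RPC traffic. The following added example (written for this page, not code from the article, GTIG or Guardio Labs) ABI-decodes the string a contract returns to an eth_call and flags responses that look like script source; the proxy records, contract address, selector and RPC endpoint are all constructed placeholders.

```python
import re

# Constructed sample payload, standing in for whatever a contract would serve.
PAYLOAD_SAMPLE = "console.log('constructed sample payload')"

def abi_encode_string(s):
    """Encode text as the ABI return data of a `string` view function (offset, length, bytes)."""
    data = s.encode()
    padded = data.hex() + "0" * ((64 - len(data.hex()) % 64) % 64)
    return "0x" + format(32, "064x") + format(len(data), "064x") + padded

def abi_decode_string(hex_result):
    """Decode the ABI-encoded `string` an eth_call returns: offset word, length word, data."""
    raw = bytes.fromhex(hex_result[2:] if hex_result.startswith("0x") else hex_result)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8", errors="replace")

# Tokens that rarely appear in legitimate on-chain configuration strings but do in script source.
SCRIPT_MARKERS = re.compile(r"\b(eval|Function|require|fetch|XMLHttpRequest|console\.log|atob)\b")

# Constructed proxy records (request/response pairs), not captured traffic; the endpoint,
# contract address and 4-byte selector are placeholders.
SAMPLE_RECORDS = [
    {"src": "10.0.0.12", "dst": "rpc.example-chain.invalid",
     "request": {"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber", "params": []},
     "response": {"jsonrpc": "2.0", "id": 1, "result": "0x1b4"}},
    {"src": "10.0.0.12", "dst": "rpc.example-chain.invalid",
     "request": {"jsonrpc": "2.0", "id": 2, "method": "eth_call",
                 "params": [{"to": "0x" + "ab" * 20, "data": "0xdeadbeef"}, "latest"]},
     "response": {"jsonrpc": "2.0", "id": 2, "result": abi_encode_string(PAYLOAD_SAMPLE)}},
]

def find_read_only_payload_fetches(records):
    """Flag eth_call responses whose decoded string looks like script source.
    eth_call is read-only and creates no transaction, so this proxy-side view is the
    only record of the fetch; each finding keeps the source host, contract and selector."""
    findings = []
    for rec in records:
        req = rec["request"]
        if req.get("method") != "eth_call":
            continue
        result = rec["response"].get("result", "0x")
        if len(result) < 2 + 128:          # need at least the offset and length words
            continue
        try:
            text = abi_decode_string(result)
        except (ValueError, IndexError):
            continue                        # not a string return; ignore
        if SCRIPT_MARKERS.search(text):
            call = req["params"][0]
            findings.append({"src": rec["src"], "contract": call.get("to"),
                             "selector": call.get("data", "")[:10], "preview": text[:60]})
    return findings
```

Pairing such findings with the process that issued the request (a developer's node or shell rather than a wallet) separates a coding-test "assessment" from ordinary dApp use.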

Implications for Cybersecurity

The adoption of EtherHiding by North Korean threat actors represents a notable development in the field of cybersecurity. The technique creates significant challenges for campaign tracking and disruption. The use of blockchain technology for malware distribution is a relatively new phenomenon, and its implications are still being understood. The anonymity and resistance to takedown actions provided by blockchain technology make it an attractive option for threat actors. As such, individuals and organizations must remain vigilant and cautious, particularly when dealing with unsolicited job offers that require downloading and executing files. Testing files in isolated environments before execution is a recommended precaution to mitigate the risk of infection.

In conclusion, EtherHiding is a sophisticated and stealthy method of malware distribution that leverages the unique properties of blockchain technology. Its adoption by North Korean hackers highlights the evolving nature of cyber threats and the need for continued vigilance and adaptation in cybersecurity practices.

Final Thoughts

The rise of EtherHiding marks a pivotal moment in the evolution of cyber threats. By weaponizing blockchain technology, North Korean hackers have demonstrated how traditional security models can be outmaneuvered by creative, persistent adversaries. This technique’s resilience, anonymity, and adaptability make it a formidable challenge for defenders, especially as attackers continue to refine their social engineering tactics and payload delivery mechanisms (Guardio Labs, 2023).

For organizations and individuals alike, the lesson is clear: vigilance is essential, especially when dealing with unsolicited job offers or requests to execute unfamiliar code. Testing files in isolated environments and staying informed about emerging threats like EtherHiding are crucial steps in defending against this new breed of cyberattack. As blockchain, AI, and IoT technologies continue to reshape the digital landscape, cybersecurity strategies must evolve in tandem to anticipate and counteract these sophisticated threats.

References