North Korean hackers have begun deploying malware that steals cryptocurrency and sensitive information by storing the malicious code in smart contracts on public blockchain networks, according to Google’s Threat Intelligence Group.
The technique, known as “EtherHiding,” first surfaced in 2023 and is typically paired with social engineering: the attackers approach prospective victims with fake job offers and bogus interviews that lead them to malicious websites or links, Google said.
In the EtherHiding chain, the attackers first compromise a legitimate website and inject a JavaScript loader into its pages. When a visitor loads the compromised site, the loader queries an attacker-controlled smart contract, retrieves the next-stage payload stored there, and runs it in the visitor’s browser to steal funds and data.
The loader fetches the payload with a “read-only” call to the blockchain, which does not create a transaction on the ledger. A read-only call costs no gas and leaves no on-chain record, so it lets the attackers avoid transaction fees and evade detection, Google’s researchers noted. Because the attackers control the contract, they can typically also update the stored payload without touching the compromised website again.
The findings underline the need for vigilance in the crypto community, as these campaigns target both individuals and organizations for their funds and valuable information.
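The distinction between a read-only call and a ledger-writing transaction is what makes the payload fetch invisible on block explorers. The following example, added here and not part of Google’s report or the original article, shows the shape of that traffic from the defender’s side: it pairs JSON-RPC requests with their responses, marks which methods leave an on-chain record, ABI-decodes the string a read-only `eth_call` returned, and flags a result that looks like executable JavaScript. The contract address, function selector and payload text are constructed dummy values, the marker regexes are an assumed heuristic, and the code runs under Node.

```javascript
// Added example (not Google's or the article's code): classify Ethereum-style
// JSON-RPC traffic observed from a web page and flag read-only eth_call
// responses whose ABI-decoded string return looks like JavaScript.
// Assumed heuristic: two or more of these markers in the decoded text.
const SCRIPT_MARKERS = [/\beval\s*\(/, /\bnew\s+Function\s*\(/, /document\.write/, /\bfetch\s*\(/, /<script/i, /\batob\s*\(/];

// ABI-encode a single `string` return value: [offset=32][length][utf8 bytes padded to 32].
function encodeAbiString(text) {
  const bytes = Buffer.from(text, "utf8");
  const word = (n) => n.toString(16).padStart(64, "0");
  const paddedLen = Math.ceil(bytes.length / 32) * 32;
  const data = bytes.toString("hex").padEnd(paddedLen * 2, "0");
  return "0x" + word(32) + word(bytes.length) + data;
}

// Inverse of encodeAbiString; returns null if the bytes are not a lone string.
function decodeAbiString(hex) {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  if (h.length < 128 || h.length % 64 !== 0) return null;
  if (parseInt(h.slice(0, 64), 16) !== 32) return null;
  const length = parseInt(h.slice(64, 128), 16);
  const bytes = Buffer.from(h.slice(128, 128 + length * 2), "hex");
  if (bytes.length !== length) return null;
  return bytes.toString("utf8");
}

function looksLikeScript(text) {
  return SCRIPT_MARKERS.filter((re) => re.test(text)).length >= 2;
}

// Pair requests with responses by JSON-RPC id and classify each call.
function analyzeRpcTraffic(requests, responses) {
  const byId = new Map(responses.map((r) => [r.id, r]));
  return requests.map((req) => {
    const readOnly = req.method === "eth_call";
    const onChainRecord = req.method === "eth_sendTransaction" || req.method === "eth_sendRawTransaction";
    const entry = { id: req.id, method: req.method, to: req.params?.[0]?.to ?? null, readOnly, onChainRecord, suspicious: false, reason: null };
    const resp = byId.get(req.id);
    if (readOnly && resp && typeof resp.result === "string") {
      const decoded = decodeAbiString(resp.result);
      if (decoded !== null && looksLikeScript(decoded)) {
        entry.suspicious = true;
        entry.reason = "read-only eth_call returned a string that looks like executable JavaScript";
      }
    }
    return entry;
  });
}

// Constructed sample traffic: dummy contract address, dummy selectors, inert payload text.
const DUMMY_CONTRACT = "0x000000000000000000000000000000000000dEaD";
const SAMPLE_PAYLOAD = 'var s=atob("Li4u");eval(s);'; // inert stand-in for a fetched stage-2 script
const SAMPLE_REQUESTS = [
  { jsonrpc: "2.0", id: 1, method: "eth_blockNumber", params: [] },
  { jsonrpc: "2.0", id: 2, method: "eth_call", params: [{ to: DUMMY_CONTRACT, data: "0x12345678" }, "latest"] },
  { jsonrpc: "2.0", id: 3, method: "eth_call", params: [{ to: DUMMY_CONTRACT, data: "0xabcdef01" }, "latest"] },
];
const SAMPLE_RESPONSES = [
  { jsonrpc: "2.0", id: 1, result: "0x1b4" },
  { jsonrpc: "2.0", id: 2, result: encodeAbiString(SAMPLE_PAYLOAD) },
  { jsonrpc: "2.0", id: 3, result: "0x" + "0".repeat(63) + "1" }, // a plain uint256, not a string
];

const report = analyzeRpcTraffic(SAMPLE_REQUESTS, SAMPLE_RESPONSES);
console.log(JSON.stringify(report, null, 2));
```

The second call is the EtherHiding pattern: `readOnly` is true, `onChainRecord` is false, and the decoded return value is a script. A web proxy or EDR that sees this traffic has a signal the blockchain itself never will, since nothing was written to the ledger. The marker heuristic is deliberately loose; on a site that is not a dapp, any `eth_call` from page JavaScript to an RPC endpoint is already worth a look.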
Recognizing the signs: North Korean social engineering strategy unveiled
The attackers create fake companies, recruitment agencies, and profiles to entice software and cryptocurrency developers with bogus job offers, according to Google.
Following the initial approach, the attackers shift the conversation to messaging platforms like Discord or Telegram and encourage the victim to take an employment test or complete a coding assignment.
“The main part of the attack happens during a technical assessment phase,” Google’s Threat Intelligence Group stated. In this phase, the victim is usually instructed to download malicious files from code repositories such as GitHub, where the payload is hosted.
In some cases, the attackers lure the victim into a video call during which a fake error message appears, prompting the victim to download a “patch” to fix the problem. That patch itself carries malicious code.
Once the initial malware is installed on the device, a second-stage JavaScript-based malware family that Google calls “JADESNOW” is deployed to extract sensitive data.
For select high-value targets, a third stage is deployed that gives the attackers long-term access to the compromised machine and to other systems on its network, Google warned.