North Korean Hackers Employ EtherHiding to Distribute Malware via Blockchain Smart Contracts

North Korean state-sponsored hackers have adopted a novel technique known as EtherHiding to distribute malware and facilitate cryptocurrency theft. The Google Threat Intelligence Group (GTIG) has attributed this activity to a threat actor tracked as UNC5342, which is also known by several other names including CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, and Void Dokkaebi. This marks the first documented instance of a state-backed hacking group leveraging EtherHiding, a method previously described by Guardio Labs in 2023. EtherHiding involves embedding malicious payloads within smart contracts on public blockchains such as Ethereum and Binance Smart Chain (BSC), allowing attackers to host and update malware in a manner that is highly resistant to takedown and difficult to trace. The campaign, codenamed Contagious Interview, targets software and web developers through social engineering, often beginning with fake job offers on LinkedIn. Attackers impersonate recruiters or hiring managers from fabricated entities like BlockNovas LLC, Angeloper Agency, and SoftGlide LLC, and eventually move conversations to platforms like Telegram or Discord. Victims are tricked into running code as part of a technical assessment, which executes a JavaScript downloader. This downloader, known as JADESNOW, interacts with the blockchain to fetch a third-stage payload, typically a JavaScript version of the InvisibleFerret malware, which is designed for long-term espionage. The payload runs in memory and may request additional components from the blockchain, such as credential stealers. The use of smart contracts for payload delivery provides anonymity, flexibility for updating malicious code, and evasion of traditional detection and takedown mechanisms. The attackers' ability to retrieve payloads from either Ethereum or BSC further complicates analysis and defense. The campaign's objectives align with North Korea's dual goals of cyber espionage and financial gain, as the malware is used to steal sensitive data and siphon cryptocurrency assets from compromised developers. The cost to update the malicious payload is minimal, averaging around $1.37 in gas fees, making the technique both economical and scalable for the threat actors. The use of read-only calls to fetch payloads leaves no visible transaction history, enhancing the stealth of the operation. This development represents a significant evolution in the tactics of North Korean cyber operations, demonstrating their increasing sophistication and willingness to exploit decentralized technologies for malicious purposes. Security researchers warn that the resilience and anonymity provided by blockchain-based malware delivery could inspire similar tactics among other threat actors. Organizations are advised to increase vigilance, especially when dealing with unsolicited job offers and technical assessments that require code execution. The campaign underscores the importance of robust security awareness training and technical controls to detect and prevent such advanced social engineering and malware delivery techniques.