A report from the Google Threat Intelligence Group warns of a malware campaign run by North Korea that uses EtherHiding. The campaign keeps its code in a smart contract on a public chain, such as Ethereum or BNB, so that it cannot be deleted or removed by traditional methods.
Google: North Korea Uses Blockchain to Distribute Malware

Google Warns About North Korea Putting Malware in Public Blockchains
The Facts:
In a report issued on October 16, the Google Threat Intelligence Group warned that nation-state threat actors, including North Korea, are using public blockchains to hide malware.
The campaign uses a method called “EtherHiding,” which allows attackers to embed malicious code as part of a smart contract residing in public blockchains like Ethereum and BNB Chain. The method surged in 2023, but Google states that this is the first time that it has observed a nation-state actor adopt it.
EtherHiding also encompasses the expected social engineering campaigns that include setting up fake companies and targeting job profiles linked to the cryptocurrency industry or to known cryptocurrency protocols.
The infection happens when the interested parties are given programming tests that include downloading infected tools, or through video meeting software downloads.
Google highlights that JADESNOW, malware used by North Korea that leverages EtherHiding, shows the versatility of these blockchain-based tools. Examining it, the group found that the malicious contract was updated over 20 times within the first four months, for $1.37 in gas fees per update.
“The low cost and frequency of these updates illustrate the attacker’s ability to easily change the campaign’s configuration,” Google declared.
Why It Is Relevant:
The usage of this kind of technique, where blockchain is used as a distribution mechanism for malware, might prompt regulators to take a harsher approach to the adoption of these technologies.
While malware hosted on a remote server can be targeted and deleted, the immutability of blockchain means that security companies must seek other ways of preventing the spread, targeting the API providers through which this code reaches victims.
Google’s group itself stated that this new approach implies “new challenges” as “smart contracts operate autonomously and cannot be shut down.”
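One way a defender could look for the retrieval side of EtherHiding in web-proxy logs, as an added example that is not from Google's report or this article. It assumes the loader reads the contract through a provider's JSON-RPC API with `eth_call`; the log format, host names, client names and contract address are constructed placeholders.

```python
import json
# Constructed placeholders: not real provider endpoints, hosts or indicators.
HOST = "rpc.chain-provider.example"
RPC_HOSTS = {HOST}
CONTRACT = "0x" + "ab" * 20

def rpc_calls(body):
    """Yield (method, target contract) per JSON-RPC call; a body may be a batch."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return  # missing or non-JSON body: nothing to inspect
    for call in doc if isinstance(doc, list) else [doc]:
        if not isinstance(call, dict) or "method" not in call:
            continue
        params = call.get("params")
        first = params[0] if isinstance(params, list) and params else None
        yield call["method"], first.get("to") if isinstance(first, dict) else None

def flag_contract_reads(lines, allowed_clients=frozenset()):
    """Return (client, host, contract) for eth_call reads by unexpected clients."""
    findings = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except ValueError:
            continue  # skip unparseable log lines
        if not isinstance(rec, dict) or rec.get("host") not in RPC_HOSTS:
            continue
        if rec.get("client") in allowed_clients:
            continue  # e.g. a wallet service that legitimately queries the chain
        for method, target in rpc_calls(rec.get("body")):
            if method == "eth_call":
                findings.append((rec.get("client"), rec["host"], target))
    return findings

def _line(client, host, body):
    return json.dumps({"client": client, "host": host, "body": json.dumps(body)})
_READ = {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
         "params": [{"to": CONTRACT, "data": "0x00"}, "latest"]}
_HEIGHT = {"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []}
SAMPLE_LOG = [  # constructed proxy records, one JSON object per line
    _line("ws-042", HOST, _READ),             # single read from a workstation
    _line("ws-017", HOST, [_HEIGHT, _READ]),  # read inside a batch request
    _line("wallet-svc", HOST, _READ),         # allow-listed service
    _line("ws-042", "intranet.example", {"q": "search"}),  # not an RPC host
    json.dumps({"client": "ws-099", "host": HOST, "body": "not json"}),
    "garbage line",
]
```

Calling `flag_contract_reads(SAMPLE_LOG, {"wallet-svc"})` reports the two workstation reads and the contract address each one queried, which gives responders a value to pivot on even though the contract itself cannot be removed.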
Looking Forward:
Analysts expect the adoption of this kind of technique to keep growing in the future, and to be combined with other innovative processes to make it even more dangerous, targeting systems that handle blockchains or wallets directly.
FAQ 🧭
- What recent threat did Google identify regarding public blockchains?
  Google reported that nation-state actors, including North Korea, are using a method called “EtherHiding” to embed malware within smart contracts on public blockchains like Ethereum and BNB Chain.
- How does the EtherHiding method work?
  EtherHiding allows attackers to hide malicious code within smart contracts and relies on social engineering tactics, such as creating fake companies to lure cryptocurrency-related job seekers.
- What specific malware has been associated with this new technique?
  The report highlighted JADESNOW, a North Korean malware that utilizes EtherHiding, showing frequent updates and low operational costs for altering its attack configuration.
- What implications does this technique have for blockchain regulation?
  As blockchain’s immutability complicates malware removal, regulators may seek stricter controls over blockchain technologies to mitigate the evolving threat of malware exploitation in cryptocurrency environments.















