A new cyber threat is emerging from North Korea, as state-sponsored hackers experiment with embedding malicious code directly into blockchain networks.
Google’s Threat Intelligence Group (GTIG) reported on October 17 that the technology, called “EtherHiding,” represents a new evolution in how hackers hide, distribute, and control malware across distributed systems.
What is EtherHiding?
GTIG explained that EtherHiding allows attackers to weaponize smart contracts and public blockchains such as Ethereum and BNB Smart Chain by using them to store malicious payloads.
Once a piece of code is uploaded to these distributed ledgers, its immutable nature makes it nearly impossible to remove or block the code.
“Smart contracts provide an innovative way to build decentralized applications, and their immutable nature is exploited by EtherHiding to host and serve malicious code in a way that cannot be easily blocked,” GTIG wrote.
In practice, hackers often compromise legitimate WordPress websites by exploiting unpatched vulnerabilities or stealing credentials.
After gaining access, they inject a few lines of JavaScript, known as a “loader,” into the website’s code. When a visitor opens an infected page, the loader silently connects to the blockchain and retrieves the malware from a remote server.
GTIG noted that because this attack occurs off-chain, it often leaves no visible trace of a transaction and incurs little or no fees. This essentially allows attackers to operate undetected.
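Because the loader is ordinary JavaScript that reads from a chain, a defender's first question is whether a page that should never touch a blockchain suddenly does. The following scanner is an added example written for this article, not code from GTIG or from the report; the indicators it looks for (the real JSON-RPC read methods `eth_call` and `eth_getStorageAt`, web3.js and ethers.js constructor names, a 40-hex-digit contract address, an RPC endpoint URL) are this example's own assumptions about what an EtherHiding-style loader would contain, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List

# Heuristic indicators of an inline script that reads a payload from a smart contract.
# These are assumptions for this example: "eth_call" and "eth_getStorageAt" are real
# JSON-RPC read methods shared by Ethereum and BNB Smart Chain, and the library hints
# are public web3.js / ethers.js identifiers. None of them come from the GTIG report.
RPC_READ_METHODS = ("eth_call", "eth_getStorageAt")
WEB3_LIBRARY_HINTS = ("new Web3(", "ethers.", "JsonRpcProvider(")
CONTRACT_ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}")
RPC_ENDPOINT = re.compile(r"https?://[^\s\"']*rpc[^\s\"']*", re.I)


class _ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and the src of external scripts."""

    def __init__(self) -> None:
        super().__init__()
        self._in_script = False
        self.inline: List[str] = []
        self.external: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands us the raw script text; append it to the current body.
        if self._in_script:
            self.inline[-1] += data


def score_script(body: str) -> Dict[str, object]:
    """Return the loader indicators found in one inline script body."""
    hits: List[str] = []
    if any(m in body for m in RPC_READ_METHODS):
        hits.append("json-rpc read call")
    if any(h in body for h in WEB3_LIBRARY_HINTS):
        hits.append("web3 library use")
    if CONTRACT_ADDRESS.search(body):
        hits.append("contract address")
    if RPC_ENDPOINT.search(body):
        hits.append("rpc endpoint url")
    return {"indicators": hits, "score": len(hits)}


def scan_page(html: str, site_uses_web3: bool = False,
              threshold: int = 2) -> List[Dict[str, object]]:
    """Flag inline scripts that look like blockchain payload loaders.

    A dapp front end legitimately trips these indicators, so the caller passes
    site_uses_web3=True to suppress findings there. A blog or shop page that
    suddenly reads a contract is exactly the anomaly an injected loader produces.
    """
    if site_uses_web3:
        return []
    collector = _ScriptCollector()
    collector.feed(html)
    findings: List[Dict[str, object]] = []
    for idx, body in enumerate(collector.inline):
        result = score_script(body)
        if result["score"] >= threshold:
            findings.append({"script_index": idx, **result,
                             "snippet": body.strip()[:80]})
    return findings


# Constructed sample page: a normal WordPress page plus one injected inline script
# that issues a read-only contract call. It is only the strings a detector would
# see, not a working loader; the endpoint and address are placeholders.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>var wpAnalytics = {page: "post-42"};</script>
</head><body><h1>Recipe of the day</h1>
<script>
fetch("https://rpc.example.invalid/json-rpc", {method: "POST",
  body: JSON.stringify({jsonrpc: "2.0", id: 1, method: "eth_call",
    params: [{to: "0x00000000000000000000000000000000deadbeef", data: "0x"}, "latest"]})});
</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print(f"script #{f['script_index']} score={f['score']} indicators={f['indicators']}")
```

Run against the constructed page, the scanner ignores the analytics snippet and flags the second inline script with three indicators. The `site_uses_web3` switch matters in practice: the same signal on a wallet or exchange front end is noise, so the heuristic is only useful where a site's baseline is known.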
Notably, GTIG traced the first case of EtherHiding back to September 2023, when a campaign known as CLEARFAKE appeared that tricked users with fake browser update prompts.
How to prevent attacks
Cybersecurity researchers say the tactic signals a shift in North Korea’s digital strategy from simply stealing cryptocurrencies to using blockchain itself as a stealth weapon.
“EtherHiding represents a transition to the next generation of bulletproof hosting, where the unique capabilities of blockchain technology are repurposed for malicious purposes. This technology highlights the continued evolution of cyber threats as attackers adapt and leverage new technologies to their advantage,” GTIG said.
Citizen Lab senior researcher John Scott-Railton described EtherHiding as an “early-stage experiment.” Combined with AI-driven automation, he warned, future attacks could become much harder to detect.
“We expect attackers will also experiment with targeting systems and apps that process blockchains and loading zero-click exploits directly onto the blockchain…especially if they may be hosted on the same systems or networks that process transactions or have wallets,” he added.
Given the sheer volume of North Korean attackers, this new attack vector could have a serious impact on the cryptocurrency industry.
According to data from TRM Labs, North Korea-related groups have already stolen more than $1.5 billion in crypto assets this year alone. Investigators believe these funds finance North Korea’s military programs and efforts to circumvent international sanctions.
In light of this, GTIG advised crypto users to reduce risk by blocking suspicious downloads and limiting malicious web scripts. The group also urged security researchers to identify and label malicious code embedded within blockchain networks.