
North Korean hackers found hiding crypto-stealing malware with Blockchain


  • UNC5342 uses blockchain smart contracts to deliver crypto-stealing malware via EtherHiding
  • Fake jobs and coding challenges lure developers into triggering the JadeSnow loader and backdoor
  • Blockchain’s immutability makes malware hosting resilient

North Korean state-sponsored threat actors are now using public blockchains to host malicious code and deploy malware on target endpoints.

This is according to Google’s Threat Intelligence Group (GTIG), which said it observed UNC5342 using Ethereum and BNB to host droppers and ultimately deploy cryptocurrency-stealing malware against software and blockchain developers.

The technique is called EtherHiding. Instead of sending a malicious file directly to the victim (or otherwise tricking them into downloading it), the attackers encode parts of the malware into blockchain transactions and smart contracts.

Copyright of this story solely belongs to techradar.com.