In a clever turn that is hard to see at first but creepy nonetheless, a piece of software design built for a decentralized financial system (i.e. a tamper-proof way to spend money) is becoming a powerful weapon for e-criminals. Security researchers in Google’s Threat Intelligence Group have detected a new attack vector they are calling “EtherHiding”, in which hackers embed malicious, destructive code directly into a public blockchain such as Ethereum or the BNB Smart Chain. The method turns the public blockchain into an unkillable “safehouse” for malware, giving attackers a secure and highly resilient delivery channel that no conventional law-enforcement action can shut down.
A New Breed of ‘Bulletproof’ Hosting
Cybercriminals have long relied on “bulletproof hosting,” servers located in jurisdictions with lax law enforcement that are hard to shut down. EtherHiding is the next evolution of this concept: instead of relying on a physical server that can eventually be found and unplugged, attackers deploy their malware as part of a smart contract.
A smart contract is a compact, self-executing program that runs on the blockchain. Once deployed, its code is immutable; it cannot be modified or deleted. By inserting their malware into one of these contracts, attackers have created a permanent, decentralized host for their malicious code, with no single point of failure, no central administrator and no “off” switch.
The Attack Chain: From Fake Jobs to Malicious Code
Per Google’s report, this isn’t just theory; it is already in use in real-world advanced campaigns. One group, tracked as UNC5342 and linked to North Korea, is using EtherHiding as part of a social engineering campaign called “Contagious Interview.”
Here’s how it works: the attackers pose as recruiters and contact software developers with enticing (but fake) job offers. During the “interview,” the developer is asked to download and execute a file, in most cases presented as a coding assignment or technical test. This initial file is a downloader, a piece of malware Google calls “JadeSnow.”
Once activated, JadeSnow doesn’t connect to a traditional, suspicious-looking web server. Instead, it issues an unobtrusive query to the public blockchain and retrieves the actual malware, specifically a backdoor associated with “INVISIBLEFERRET”, from the smart contract. This second-stage payload then infects the system, allowing attackers to steal credentials, drain cryptocurrency wallets and surveil the victim.
Why the Blockchain is the Perfect Hiding Spot
This approach works alarmingly well for several reasons. First, it is extremely unobtrusive. The malware downloader uses “read-only calls” to retrieve the code. Because such a query creates no new transaction on the blockchain, it leaves no public record and costs the attacker nothing in “gas fees.”
Second, it is resilient. Even once a smart contract is identified as malicious, it cannot be removed. Attackers have even designed their contracts to be updatable: while the contract code itself is immutable, they can change the data it points to, allowing them to update their malware or change its target at any time, for a transaction fee of less than $2.
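Because the downloader fetches its payload through read-only JSON-RPC calls rather than an ordinary HTTP download, one place a defender can still look is egress logs of traffic to blockchain API providers. The script below is an added example, not from Google’s report or the attackers’ tooling: it pairs logged eth_call requests with their responses, flags calls to contracts outside an allowlist, and ABI-decodes string-typed return values to see whether they look like script rather than a token name or number. The log format, the contract addresses and the script markers are all constructed assumptions for illustration.

```python
import json
# Heuristic markers: a string-typed return value that looks like code rather than a name or symbol.
SCRIPT_MARKERS = ("function(", "eval(", "fetch(", "http://", "https://")

def encode_abi_string(s: str) -> str:
    """ABI-encode one string return value (offset, length, padded bytes); used only to build the sample."""
    b = s.encode()
    return "0x" + (32).to_bytes(32, "big").hex() + len(b).to_bytes(32, "big").hex() + (b + b"\0" * (-len(b) % 32)).hex()

def decode_abi_string(result_hex: str):
    """Decode an ABI-encoded string return value; None if the layout does not fit (e.g. a bare uint256)."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        return None
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    return data.decode("utf-8", errors="replace") if data and len(data) == length else None

def triage_rpc_log(lines, allowlist):
    """Pair eth_call requests with responses by JSON-RPC id; return findings for suspicious calls."""
    calls, findings = {}, []
    for line in lines:
        rec = json.loads(line)
        body = rec["body"]
        if rec["dir"] == "req" and body.get("method") == "eth_call":
            calls[body["id"]] = body["params"][0].get("to", "").lower()
        elif rec["dir"] == "resp" and body.get("id") in calls:
            to, reasons = calls.pop(body["id"]), []
            if to not in allowlist:
                reasons.append("eth_call to contract not on allowlist")
            text = decode_abi_string(body.get("result", "0x"))
            if text and any(m in text for m in SCRIPT_MARKERS):
                reasons.append("returned string looks like script")
            if reasons:
                findings.append({"id": body["id"], "to": to, "reasons": reasons})
    return findings

# Constructed sample (placeholder addresses, not real indicators): id 1 is a balance lookup on an
# allowlisted token contract returning a number; id 2 hits an unknown contract and returns script text.
KNOWN, UNKNOWN = "0x" + "11" * 20, "0x" + "22" * 20
ALLOWLIST = {KNOWN}
SAMPLE_LOG = [
    json.dumps({"dir": "req", "body": {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                                       "params": [{"to": KNOWN, "data": "0x70a08231"}, "latest"]}}),
    json.dumps({"dir": "resp", "body": {"jsonrpc": "2.0", "id": 1, "result": "0x" + "00" * 31 + "2a"}}),
    json.dumps({"dir": "req", "body": {"jsonrpc": "2.0", "id": 2, "method": "eth_call",
                                       "params": [{"to": UNKNOWN, "data": "0x20965255"}, "latest"]}}),
    json.dumps({"dir": "resp", "body": {"jsonrpc": "2.0", "id": 2,
                                        "result": encode_abi_string("(function(){fetch('https://example.invalid/x')})()")}}),
]
```

Running `triage_rpc_log(SAMPLE_LOG, ALLOWLIST)` reports only call id 2, with both reasons; a production version would feed the allowlist from the wallets and dApps the organisation actually uses and alert on the rest.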
The State-Sponsored Connection
While financially motivated criminals (such as the group UNC5142) have been seen using similar methods, Google notes this is the first time a nation-state actor has adopted the technique. The participation of UNC5342, which is linked to North Korea, is a clear escalation. It is part of a larger, state-sponsored effort to finance the regime through cybercrime; estimates from blockchain analysis companies suggest these efforts have already generated in excess of $2 billion.
A New Front in the Cybersecurity War
The emergence of EtherHiding poses a significant dilemma for cybersecurity defenders. Standard security solutions are designed to block abusive IP addresses and domains; they do not scan a decentralized blockchain for malicious code.
While the blockchain itself is decentralized, the attackers still rely on centralized API providers to interact with it. Google has stated it is working with these providers to try to curb the activity. However, this cat-and-mouse game has clearly moved to a new, more complex battlefield. As attackers leverage the tools of the future, security teams are in a race to find new ways to defend against them.