According to Google's Threat Intelligence Group, North Korean hackers have adopted a new type of attack method that embeds malicious code for stealing cryptocurrency and sensitive information within smart contracts on public blockchain networks.
Google pointed out that this technique, named "EtherHiding," emerged in 2023 and is typically used in conjunction with social engineering tactics, such as contacting victims through fake job postings or high-end interviews, guiding users to malicious websites or links.
Attackers take control of legitimate websites using loader scripts and embed JavaScript code in them. When users interact with the infected site, another set of malicious code held in the smart contract is triggered, allowing for the theft of funds and data.
Google researchers stated that the infected websites communicate with the blockchain network through "read-only calls," which do not generate transactions on the ledger, helping attackers evade detection and save on transaction fees.
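A defender-side illustration of the read-only call pattern described above, added here and not taken from Google's report: on EVM-compatible chains such reads are JSON-RPC `eth_call` requests, so a web proxy that can see request bodies can flag them when the originating site is not an expected web3 application. The record field names, hostnames, addresses and allowlist below are constructed assumptions.

```python
import json

# Read-only EVM JSON-RPC method: queries contract state without creating a transaction.
READ_ONLY_METHODS = {"eth_call"}

# Assumption: origins your organisation expects to talk to blockchain RPC endpoints.
EXPECTED_WEB3_ORIGINS = {"https://wallet.example.org"}

def rpc_methods(body):
    """Return the JSON-RPC method names in a request body (single or batch)."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []  # missing or non-JSON body: nothing to inspect
    calls = doc if isinstance(doc, list) else [doc]
    return [c["method"] for c in calls
            if isinstance(c, dict) and isinstance(c.get("method"), str)]

def flag_read_only_calls(records):
    """Return proxy records where an unexpected origin issues a read-only contract call."""
    findings = []
    for rec in records:
        methods = [m for m in rpc_methods(rec.get("body")) if m in READ_ONLY_METHODS]
        if methods and rec.get("origin") not in EXPECTED_WEB3_ORIGINS:
            findings.append({"client": rec["client"], "origin": rec.get("origin"),
                             "rpc_host": rec["host"], "methods": methods})
    return findings

# Constructed sample proxy records (not real traffic); field names are hypothetical.
SAMPLE = [
    {"client": "10.0.0.5", "origin": "https://blog.example.com", "host": "rpc.example.net",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":'
             '[{"to":"0x0000000000000000000000000000000000000000","data":"0x"},"latest"]}'},
    {"client": "10.0.0.6", "origin": "https://wallet.example.org", "host": "rpc.example.net",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[]}'},
    {"client": "10.0.0.7", "origin": "https://shop.example.com", "host": "rpc.example.net",
     "body": '[{"jsonrpc":"2.0","id":1,"method":"eth_chainId"},'
             '{"jsonrpc":"2.0","id":2,"method":"eth_call","params":[]}]'},
    {"client": "10.0.0.8", "origin": "https://news.example.com", "host": "api.example.net",
     "body": "not json"},
]

if __name__ == "__main__":
    for finding in flag_read_only_calls(SAMPLE):
        print(finding)
```

Because these reads leave no transaction on the ledger, network-side telemetry like this is where the lookup is visible; the check depends on the proxy being able to inspect request bodies.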
The report emphasizes that the cryptocurrency community needs to remain vigilant against common scams and attack methods to protect the funds and information security of individuals and institutions.
Google noted that threat actors set up fake companies, recruitment agencies, and false profiles specifically targeting software and cryptocurrency developers with fake job postings.
After initial contact, attackers move the communication to messaging platforms like Discord or Telegram and ask victims to participate in employment tests or complete programming tasks.
Google's Threat Intelligence Group indicated that the core of the attack occurs during the technical assessment phase. At this stage, victims are typically asked to download malicious payloads stored in online code repositories such as GitHub.
In other cases, attackers may lure victims into video calls, displaying forged error messages and requesting them to download patches to fix the errors. These patches also carry malicious code.
Once the malware is installed, attackers deploy a second-stage JavaScript malware called "JADESNOW" to steal sensitive data.
Google warns that for high-value targets, attackers may sometimes implement a third-stage attack to achieve long-term access to the infected devices and the other systems connected to their network.
Original: “What is EtherHiding? Google Discovers Malware Embedded in Smart Contracts to Steal Cryptocurrency”