Used in North Korean fake recruitment campaigns:

As opposed to other nation-state actors, North Korean APT groups are known to conduct cybercriminal activity in addition to cyberespionage, because their goal includes gathering funds for the regime. One way they do this is by stealing cryptocurrency from companies and individuals. Between 2017 and 2023, it is estimated that North Korea generated $1.7 billion from cryptocurrency thefts.

This has also been the task of UNC5342, which has been behind social engineering campaigns that lure software developers with fake job applications on LinkedIn and recruitment websites. The fake recruiters move the conversation with candidates to Discord or Telegram and ask them to take a technical assessment that involves downloading poisoned code repositories from GitHub. In other variations, candidates are invited to a video interview, then a ClickFix-type error message is displayed that requires them to download software to fix a problem.

The first-stage malware is usually malicious JavaScript code hosted in a rogue npm repository. Its purpose is to download and deploy second-stage trojans that steal cryptocurrency wallets, browser extension data, and locally stored credentials. GTIG calls this first-stage malware the JADESNOW downloader.

“JADESNOW utilizes EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum,” the researchers said. “The input data stored in the smart contract may be Base64-encoded and XOR-encrypted.
The final payload in the JADESNOW infection chain is usually a more persistent backdoor like INVISIBLEFERRET.JAVASCRIPT.”

Furthermore, the INVISIBLEFERRET backdoor’s code might be split across different smart contracts, and when executed, it might download additional payloads stored at different blockchain addresses, such as a Python-based information stealer.

The malicious JavaScript downloader used by UNC5342 queries the Ethereum or BNB chains through several blockchain explorer API services, often with free API keys. While some of these services might respond to takedown requests, others are non-responsive. But using third-party API services is not the only way to read or trigger smart contracts, as demonstrated by separate threat actor UNC5142.
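A triage helper for the Base64-over-XOR layer described above, added here as an example and not code from GTIG or the article. It assumes a single-byte XOR key (the page gives neither the key length nor its value) and works on constructed sample data rather than real contract input.

```python
import base64
import string

# Constructed demo values: a harmless stand-in for the smart-contract "input data"
# the article says JADESNOW reads (Base64 layer over XOR). Key and text are made up;
# the real key and payload are not given on the page.
DEMO_KEY = 0x5A
DEMO_PLAINTEXT = b"(function(){var s='stage2';/* a real sample fetches its next stage here */})();"

# Markers that make a decoded candidate look like a JavaScript stage rather than noise.
JS_MARKERS = (b"function", b"eval(", b"require(", b"fetch(", b"new Function", b"atob(")
PRINTABLE = set(string.printable.encode())


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (single-byte key is this demo's assumption)."""
    return bytes(b ^ key for b in data)


def encode_for_demo(plaintext: bytes, key: int) -> str:
    """Build a blob the way the demo assumes a loader expects it: XOR first, then Base64."""
    return base64.b64encode(xor_single_byte(plaintext, key)).decode()


DEMO_BLOB = encode_for_demo(DEMO_PLAINTEXT, DEMO_KEY)


def js_score(candidate: bytes):
    """Return (marker_count, printable_ratio) if the bytes plausibly are script text, else None."""
    if not candidate:
        return None
    ratio = sum(1 for b in candidate if b in PRINTABLE) / len(candidate)
    markers = sum(1 for m in JS_MARKERS if m in candidate)
    return (markers, ratio) if markers and ratio > 0.95 else None


def unwrap_base64_xor(blob: str):
    """Base64-decode `blob`, brute-force a single-byte XOR key, and return
    (key, plaintext) for the most script-like result, or None if nothing fits."""
    cleaned = "".join(blob.split())
    cleaned += "=" * (-len(cleaned) % 4)          # repair stripped padding
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except ValueError:                             # binascii.Error is a ValueError
        return None
    best = None
    for key in range(256):
        candidate = xor_single_byte(raw, key)
        score = js_score(candidate)
        if score and (best is None or score > best[0]):
            best = (score, key, candidate)
    return (best[1], best[2]) if best else None


if __name__ == "__main__":
    print(unwrap_base64_xor(DEMO_BLOB))
```

Feeding real contract input data in the same shape lets an analyst confirm whether a blob is this encoding layer before spending time on it; a None result means a different scheme (multi-byte key, different encoding) is in play.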
The ClickFix campaigns:

The UNC5142 cybercriminal group has been known for distributing infostealer programs since 2023 using fake Google Chrome update pop-ups displayed to visitors on compromised websites. These fake browser update pop-ups were generated through a malicious JavaScript framework that Proofpoint researchers previously dubbed CLEARFAKE. Google’s researchers have tracked an evolution of this framework they call CLEARSHORT, which downloads additional malicious payloads from smart contracts deployed on the BNB Smart Chain.

“The CLEARSHORT landing page leverages ClickFix, a popular social engineering technique aimed at luring victims to locally run a malicious command using the Windows Run dialog box,” the researchers said.

UNC5142 primarily targets WordPress websites. Google has tracked more than 14,000 web pages that display signs of compromise by UNC5142, which injects its malicious code into existing WordPress plugins, themes, or databases.

The malicious CLEARSHORT code leverages Web3.js, a library that allows interaction with Ethereum nodes over different web-based protocols such as HTTP, IPC, or WebSocket. This library is used to connect to the BNB Smart Chain through a public node.

UNC5142’s use of smart contracts has evolved over time from storing the payload in a single contract to now splitting different attack components into three separate ones, enabling different parts of the attack to be upgraded individually.

“This new architecture is an adaptation of a legitimate software design principle known as the proxy pattern, which developers use to make their contracts upgradable,” the researchers said. “A stable, unchangeable proxy forwards calls to a separate second-level contract that can be replaced to fix bugs or add features.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4074916/north-korean-threat-actors-turn-blockchains-into-malware-delivery-servers.html