Google reveals North Korea-linked hackers use "Ethereum hiding" techniques for cryptocurrency theft and sensitive information collection

Jinse Finance reported that Google Threat Intelligence Group (GTIG) released investigation results on the 17th, stating that the North Korea-linked hacker group UNC5324 is using a new technique called "Ether Hiding" to steal cryptocurrencies and collect sensitive information. The group emphasized that this investigation is the first time the "Ether Hiding" technique, which uses public decentralized blockchains to hide malware, has been found to be abused by state-sponsored threat actors, which is of significant importance. GTIG detected that UNC5324 lured developers into installing malware through a social engineering attack campaign called "Contagious Interview" by Palo Alto Networks. This attack affected multiple operating systems including Windows, macOS, and Linux through a multi-stage malware infection process. The attackers stored the malware on immutable blockchains and invoked it in a "read-only" manner, thereby continuously issuing control commands and manipulating victim systems anonymously.