Cybersecurity researchers from ReversingLabs have uncovered a new and dangerous trend in cyber threats: the use of Ethereum smart contracts to hide malware.
Discovery of Malicious Packages
Cybersecurity researchers at ReversingLabs discovered two fake JavaScript packages, named 'colortoolsv2' and 'mimelib2', in the Node Package Manager (npm) registry. These packages, added in July, hide their malicious instructions within Ethereum smart contracts. According to ReversingLabs researcher Lucija Valentić, the packages act as downloaders: they read the address of their command-and-control server from the Ethereum blockchain rather than embedding it in the package code.
New Attack Methods by Hackers
Hackers, including the North Korean-linked Lazarus Group, have previously used Ethereum smart contracts to disseminate malware. The new tactic, however, hides web addresses (URLs) within Ethereum smart contracts and uses them to direct victims to download malicious software. Valentić explained that this approach is harder for security systems to detect, because the traffic to the blockchain looks legitimate and masks the malicious activity behind it.
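As an added example (not ReversingLabs' code, and not from either package), the following heuristic triage check scores an npm package on the combination of traits the downloader pattern above relies on: an install-time lifecycle hook, a read from the Ethereum chain, and a download-or-execute primitive. The package layout and all sample contents are constructed placeholders.

```javascript
// Added example (not ReversingLabs' code): heuristic triage of an npm package that
// resolves its download address from an Ethereum smart contract at install time.
// The package layout and all sample content below are constructed for this example.
const CHAIN_READ = [/eth_call/, /\bethers\b/, /\bweb3\b/, /0x[a-fA-F0-9]{40}/];
const FETCH_OR_EXEC = [/child_process/, /\beval\(/, /new Function\(/, /https?\.get\(/, /fetch\(/];
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// pkg = { manifest: <parsed package.json>, files: { path: sourceText } }
function triagePackage(pkg) {
  const findings = [];
  const scripts = pkg.manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle:${hook}`);
  }
  const source = Object.values(pkg.files).join('\n');
  const readsChain = CHAIN_READ.some((re) => re.test(source));
  const fetchesOrExecs = FETCH_OR_EXEC.some((re) => re.test(source));
  if (readsChain) findings.push('chain-read');
  if (fetchesOrExecs) findings.push('download-or-exec');
  // Each indicator alone is common in legitimate packages; only the conjunction of
  // an install hook, a blockchain read and a download/exec primitive is flagged.
  const hasHook = findings.some((f) => f.startsWith('lifecycle:'));
  return { suspicious: readsChain && fetchesOrExecs && hasHook, findings };
}

// Constructed benign package: a wallet helper that uses ethers and calls an RPC
// endpoint, but runs nothing at install time.
const BENIGN_PKG = {
  manifest: { name: 'example-wallet-utils', scripts: { test: 'node test.js' } },
  files: {
    'index.js': [
      "const { ethers } = require('ethers');",
      'module.exports = { getBalance: (addr) => fetch(RPC_URL, { body: addr }) };',
    ].join('\n'),
  },
};

// Constructed suspicious package: postinstall hook, eth_call against a placeholder
// contract address, then execution of whatever was downloaded.
const SUSPECT_PKG = {
  manifest: { name: 'example-colortools', scripts: { postinstall: 'node setup.js' } },
  files: {
    'setup.js': [
      "const { execFile } = require('child_process');",
      "const CONTRACT = '0x0000000000000000000000000000000000000000'; // placeholder",
      "const url = await rpc('eth_call', [{ to: CONTRACT, data: '0x' }]);",
    ].join('\n'),
  },
};

console.log(triagePackage(BENIGN_PKG), triagePackage(SUSPECT_PKG));
```

The heuristic is a triage aid for package review pipelines, not a verdict; a flagged package still needs manual inspection of what the install script actually does.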
Complications in Combating Malware
In 2024, security experts found 23 cryptocurrency-related scams on open-source code platforms in which hackers concealed malware. According to Valentić, this new type of attack shows that such scams are becoming more sophisticated. In April, for example, hackers created a fake GitHub project posing as a Solana trading bot that secretly installed malware to steal cryptocurrency wallet information.
The discovered methods underline how quickly hackers develop new approaches to bypass security systems, posing a threat not only to developers but also to end users of open-source code.