Malware uses Ethereum smart contracts to evade detection

Security researchers at ReversingLabs have identified malicious packages in npm (the Node Package Manager registry, the main repository of JavaScript packages and libraries) that use smart contracts on the Ethereum blockchain to locate the next stage of their payload, a technique that slips past security tooling built to look for hard-coded malicious URLs.

A new attack vector in the blockchain

ReversingLabs researcher Lucija Valentić wrote in a technical post that the malicious packages, named "colortoolsv2" and "mimelib2", use Ethereum smart contracts to hide the location of their malicious commands. Published in July, the packages are downloaders: rather than embedding a command-and-control (C2) address in their code, they read it from a smart contract at run time, then fetch and install second-stage malware from that address on the compromised system. Because the package itself contains no malicious link and the lookup is an ordinary read-only query to an Ethereum node, both static scanners and network monitoring see traffic that looks legitimate.

Using Ethereum smart contracts to host the URLs from which malicious commands are fetched is a novel distribution technique. Valentić noted that it marks a significant shift in evasion strategy, as malicious actors increasingly target open-source repositories and the developers who rely on them.
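The downloader behaviour described above leaves one durable trace: a JSON-RPC `eth_call` to an Ethereum node whose return value, once ABI-decoded, is a URL. The following is an added example, not code from ReversingLabs or from the packages discussed. It decodes the `string` a contract getter returns from a captured request/response pair and flags it when it parses as a URL. The contract address, function selector and URL are placeholders, not indicators from the campaign.

```javascript
'use strict';
// Added example, not code from ReversingLabs or from the packages discussed: given a
// captured Ethereum JSON-RPC request/response pair, decode the `string` a contract getter
// returned and flag it when it parses as a URL. Contract address, function selector and
// URL below are placeholders, not indicators from the campaign.

const WORD = 32; // ABI values are packed into 32-byte words

function hexToBuf(hex) {
  const h = hex.startsWith('0x') ? hex.slice(2) : hex;
  if (h.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(h)) throw new Error('malformed hex');
  return Buffer.from(h, 'hex');
}

// Read one 32-byte word as a JS number; refuse values that would not fit safely.
function wordToInt(buf, off) {
  if (off + WORD > buf.length) throw new Error('truncated ABI data');
  const w = buf.subarray(off, off + WORD);
  if (!w.subarray(0, WORD - 6).every((b) => b === 0)) throw new Error('ABI word too large');
  return Number(BigInt('0x' + w.toString('hex')));
}

// ABI encoding of a single `string` return: [offset=0x20][length][utf8 bytes padded to 32].
// Used here only to build the constructed sample response.
function encodeAbiString(s) {
  const data = Buffer.from(s, 'utf8');
  const pad = (WORD - (data.length % WORD)) % WORD;
  const out = Buffer.concat([Buffer.alloc(WORD), Buffer.alloc(WORD), data, Buffer.alloc(pad)]);
  out.writeUInt32BE(WORD, WORD - 4);            // offset word
  out.writeUInt32BE(data.length, 2 * WORD - 4); // length word
  return '0x' + out.toString('hex');
}

// Inverse of the above, with bounds checks so a hostile or non-string return cannot
// make us read outside the buffer.
function decodeAbiString(hex) {
  const buf = hexToBuf(hex);
  const offset = wordToInt(buf, 0);
  if (offset !== WORD) throw new Error('not a single dynamic string return');
  const length = wordToInt(buf, offset);
  const start = offset + WORD;
  if (start + length > buf.length) throw new Error('string length exceeds return data');
  return buf.subarray(start, start + length).toString('utf8');
}

const URL_RE = /\bhttps?:\/\/[^\s"'<>]+/gi;
function extractUrls(text) {
  return text.match(URL_RE) || [];
}

// Triage one captured eth_call. Legitimate string getters (token names, symbols, metadata
// URIs) exist, so a URL in the return is a review signal, not a verdict on its own.
function analyzeEthCall(request, response) {
  const out = { isEthCall: false, contract: null, selector: null, decoded: null, urls: [], verdict: 'ignore' };
  if (!request || request.method !== 'eth_call') return out;
  out.isEthCall = true;
  const call = (request.params && request.params[0]) || {};
  out.contract = String(call.to || '').toLowerCase();
  out.selector = String(call.data || '').slice(0, 10).toLowerCase(); // 0x + 4-byte selector
  try {
    out.decoded = decodeAbiString(String((response && response.result) || ''));
  } catch (e) {
    out.verdict = 'not-a-string'; // numeric, address or malformed return
    return out;
  }
  out.urls = extractUrls(out.decoded);
  out.verdict = out.urls.length ? 'review: URL returned by contract' : 'string-return';
  return out;
}

// Constructed sample traffic (not captured from a real incident).
const SAMPLE_URL = 'https://example.invalid/stage2';
const SAMPLE_REQUEST = {
  jsonrpc: '2.0', id: 1, method: 'eth_call',
  params: [{ to: '0x' + '11'.repeat(20), data: '0xdeadbeef' }, 'latest'],
};
const SAMPLE_RESPONSE = { jsonrpc: '2.0', id: 1, result: encodeAbiString(SAMPLE_URL) };
// A numeric return (e.g. a balance) for contrast: must not be reported.
const SAMPLE_NUMERIC_RESPONSE = { jsonrpc: '2.0', id: 2, result: '0x' + '0'.repeat(63) + '1' };

function demo() {
  return [
    analyzeEthCall(SAMPLE_REQUEST, SAMPLE_RESPONSE),
    analyzeEthCall(SAMPLE_REQUEST, SAMPLE_NUMERIC_RESPONSE),
  ];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node` to see the two verdicts. In a real deployment the input would come from an egress proxy or packet capture of traffic to Ethereum RPC endpoints; the contract address and selector reported for a flagged call are the values worth pivoting on, since the same contract can be queried by many packages.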

Evolution of tactics and historical context

This technique was used earlier this year by the North Korea-linked Lazarus group, and the current campaign shows how quickly such attack vectors are evolving in the hands of other cybercriminals.

The malicious packages are part of a broader deception campaign run mainly through GitHub. The attackers created fake repositories for cryptocurrency trading bots and made them look credible with fabricated commit histories, fake user accounts, multiple maintainer accounts, and professional-looking project descriptions and documentation. Combining blockchain-hosted C2 lookups with this social engineering is meant to defeat both automated detection and a developer's own scrutiny.

A growing landscape of threats

In 2024, security researchers documented 23 malicious campaigns related to cryptocurrencies in open-source code repositories, and this latest attack vector shows that attacks on repositories continue to evolve.

Beyond Ethereum, similar tactics have been used on other platforms: a fake GitHub repository posing as a Solana trading bot distributed malware that steals cryptocurrency wallet credentials, and attackers have targeted "Bitcoinlib", an open-source Python library for Bitcoin development, further illustrating the diverse and adaptive nature of these threats.

Implications for blockchain security

This new use of blockchain technology for malicious purposes is a significant challenge for traditional security systems. By taking advantage of the decentralization and availability of public blockchains, attackers can build C2 infrastructure that is hard to detect and, because the address lives in contract state that no hosting provider can take down, hard to neutralize with conventional tools.

For users of blockchain platforms and for developers, this underscores the importance of additional security measures and thorough checks when pulling from open-source repositories and package registries, especially for cryptocurrency and decentralized finance projects. A package that contacts an Ethereum RPC endpoint from an install script, or that pairs a contract read with a download-and-execute step, deserves scrutiny before it is installed.
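A pre-install check of the kind recommended above, as an added example that is not code from the article or from ReversingLabs: it walks the files of an unpacked npm package (for instance the tarball produced by `npm pack`, extracted) and reports when a package combines an install-time lifecycle script with code that reads from Ethereum contracts and code that can execute what it fetches. The indicator names and the two sample packages are this example's own constructions, not the contents of colortoolsv2 or mimelib2.

```javascript
'use strict';
// Added example (not the article's or ReversingLabs' code): static triage of an unpacked
// npm package for the combination of traits described above. Indicator names and the two
// sample packages are constructed for illustration.

// Each indicator is a regex applied to one source file. They are coarse on purpose: the
// signal is the combination, not any single hit.
const INDICATORS = {
  ethRead:  /\beth_call\b|\bJsonRpcProvider\b|\bnew\s+Contract\(|require\(['"](ethers|web3)['"]\)/,
  execute:  /\bchild_process\b|\bexecSync\(|\bspawn\(|\beval\(|new\s+Function\(/,
  download: /\bfetch\(|\bhttps?\.get\(|require\(['"]axios['"]\)/,
};
// npm runs these automatically during `npm install`, before the developer has read anything.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Return the lifecycle hooks declared in package.json (empty if missing or unparseable).
function lifecycleScripts(files) {
  const raw = files['package.json'];
  if (typeof raw !== 'string') return [];
  let pkg;
  try { pkg = JSON.parse(raw); } catch (e) { return []; }
  const scripts = (pkg && typeof pkg.scripts === 'object' && pkg.scripts) || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === 'string');
}

// files: map of relative path -> file contents, e.g. built from an extracted `npm pack` tarball.
function triagePackage(files) {
  const hits = {};
  for (const [name, src] of Object.entries(files)) {
    if (!/\.(c?m?js|ts)$/.test(name) || typeof src !== 'string') continue;
    for (const [id, re] of Object.entries(INDICATORS)) {
      if (re.test(src)) (hits[id] = hits[id] || []).push(name);
    }
  }
  const lifecycle = lifecycleScripts(files);
  const readsAndRuns = Boolean(hits.ethRead && hits.execute);
  let verdict = 'low';
  if (readsAndRuns && lifecycle.length) verdict = 'high'; // contract read + execution, at install time
  else if (readsAndRuns || (hits.download && hits.execute && lifecycle.length)) verdict = 'medium';
  return { lifecycle, hits, verdict };
}

// Constructed fixtures: a package with the downloader shape, and a benign contract reader.
const SUSPECT_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'sample-downloader', version: '1.0.0', scripts: { postinstall: 'node setup.js' },
  }),
  'setup.js': [
    "const { JsonRpcProvider, Contract } = require('ethers');",
    "const { execSync } = require('child_process');",
    '// placeholder body: read a string from a contract, fetch what it points at, run it',
  ].join('\n'),
};
const BENIGN_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'sample-balance-reader', version: '1.0.0', scripts: { test: 'node test.js' },
  }),
  'index.js': "const { JsonRpcProvider } = require('ethers');\n" +
              'module.exports = (rpc, addr) => new JsonRpcProvider(rpc).getBalance(addr);',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const pkg of [SUSPECT_PACKAGE, BENIGN_PACKAGE]) console.log(triagePackage(pkg));
}
```

The benign fixture also uses ethers, so it gets an `ethRead` hit but stays `low`: reading contract state is normal for crypto tooling, and the point of the heuristic is to require the downloader shape (read, execute, at install time) before raising a verdict. Running `npm install --ignore-scripts` while such a review is pending keeps a postinstall hook from firing in the meantime.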
