Today's Core Dump is brought to you by ThreatPerspective

Threat Intelligence

DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains

Context

SHA256 Hash (ZIP Archive)

970307708071c01d32ef542a49099571852846a980d6e8eb164d2578147a1628

ZIP archive containing the initial downloader, in this case JADESNOW.

SHA256 Hash (Initial JavaScript Downloader)

01fd153bfb4be440dd46cea7bebe8eb61b1897596523f6f6d1a507a708b17cc7

JADESNOW sample that launches the infection chain.

BSC Address (Smart Contract)

0x8eac3198dd72f3e07108c4c7cff43108ad48a71c

BNB Smart Chain contract used by UNC5342 to host the second-stage JADESNOW payload.

BSC Address (Attacker-Controlled)

0x9bc1355344b54dedf3e44296916ed15653844509

Owner address of the malicious BNB Smart Chain contract.

Ethereum Transaction Hash (INVISIBLEFERRET.JAVASCRIPT Payload)

0x86d1a21fd151e344ccc0778fd018c281db9d40b6ccd4bdd3588cb40fade1a33a

Transaction storing the INVISIBLEFERRET.JAVASCRIPT payload.

Ethereum Transaction Hash (INVISIBLEFERRET.JAVASCRIPT Split Payload)

0xc2da361c40279a4f2f84448791377652f2bf41f06d18f19941a96c720228cd0f

Transaction storing the split INVISIBLEFERRET.JAVASCRIPT payload.

Ethereum Transaction Hash (INVISIBLEFERRET Credential Stealer Payload)

0xf9d432745ea15dbc00ff319417af3763f72fcf8a4debedbfceeef4246847ce41

Transaction storing the additional INVISIBLEFERRET.JAVASCRIPT credential stealer payload.

YARA Detections


rule G_Downloader_JADESNOW_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = "global['_V']"
        $s2 = "global['r']"
        $s3 = "umP"
        $s4 = "mergeConfig"
        $s5 = "charAt" nocase
    condition:
        uint16(0) != 0x5A4D and filesize < 10KB and #s3 > 2 and #s5 == 1 and all of them
}
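The rule above leans on string counts rather than plain presence: `#s3 > 2` needs more than two occurrences of "umP", `#s5 == 1` needs exactly one "charAt" in any letter case, and `uint16(0) != 0x5A4D` excludes PE files outright. To make those semantics concrete, here is an added Python re-implementation of the rule's condition (this is not code from the page or from GTIG; YARA itself remains the authoritative evaluator). It runs the condition over constructed samples, including the cases where a single extra "charAt" or a leading MZ header defeats the match. The `payload_from_tx` helper hex-decodes the `input` field of an `eth_getTransactionByHash` result; that the stored payload lives in calldata as raw hex is an assumption for the example, since the page does not describe the on-chain encoding, and the transaction object it parses is constructed.

```python
"""Added illustration of the matching logic of G_Downloader_JADESNOW_1.

Not code from the page or from GTIG: it re-implements the rule's strings and
condition in plain Python so the counting semantics can be exercised without a
YARA install. All samples below are constructed for the demonstration and
contain no real JADESNOW code.
"""
import re
from typing import Dict, Optional, Tuple

# Strings from the rule; the bool is the `nocase` modifier (only $s5 has it).
STRINGS: Dict[str, Tuple[bytes, bool]] = {
    "s1": (b"global['_V']", False),
    "s2": (b"global['r']", False),
    "s3": (b"umP", False),
    "s4": (b"mergeConfig", False),
    "s5": (b"charAt", True),
}
MAX_SIZE = 10 * 1024  # `filesize < 10KB`
MZ_MAGIC = 0x5A4D     # `uint16(0)` of a PE file ("MZ" read little-endian)


def count_occurrences(data: bytes, needle: bytes, nocase: bool) -> int:
    """Equivalent of YARA's #s: number of offsets at which the string matches
    (overlapping matches are counted, hence the zero-width lookahead)."""
    flags = re.IGNORECASE if nocase else 0
    return len(re.findall(b"(?=" + re.escape(needle) + b")", data, flags))


def uint16_le(data: bytes, offset: int = 0) -> Optional[int]:
    """YARA's uint16(offset); undefined (None) if the file is too short."""
    if len(data) < offset + 2:
        return None
    return int.from_bytes(data[offset:offset + 2], "little")


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition term by term, in the rule's order."""
    magic = uint16_le(data)
    if magic is None or magic == MZ_MAGIC:       # uint16(0) != 0x5A4D
        return False
    if not len(data) < MAX_SIZE:                # filesize < 10KB
        return False
    counts = {name: count_occurrences(data, s, nc) for name, (s, nc) in STRINGS.items()}
    if not counts["s3"] > 2:                    # #s3 > 2
        return False
    if counts["s5"] != 1:                       # #s5 == 1
        return False
    return all(c > 0 for c in counts.values())  # all of them


def payload_from_tx(tx: dict) -> bytes:
    """Hex-decode the `input` (calldata) field of an eth_getTransactionByHash
    result. ASSUMPTION: the stored payload sits in calldata as raw hex; the
    page does not describe the on-chain encoding."""
    data = tx["input"]
    if data.startswith("0x"):
        data = data[2:]
    return bytes.fromhex(data)


# Constructed sample that satisfies every term of the condition (not real malware).
SAMPLE_HIT = (
    b"var cfg = mergeConfig(global['_V'], global['r']);\n"
    b"var k = 'umP' + 'umP' + 'umP';\n"
    b"var c = k.charAt(0);\n"
)
# Same content behind an MZ header: uint16(0) == 0x5A4D, so no match.
SAMPLE_PE = b"MZ" + SAMPLE_HIT
# A second, differently cased charAt still counts (nocase): #s5 == 2, no match.
SAMPLE_TWO_CHARAT = SAMPLE_HIT + b"var d = k.CHARAT(1);\n"
# Padded past 10KB: the size guard fails although every string is present.
SAMPLE_BIG = SAMPLE_HIT + b"\x00" * MAX_SIZE
# Constructed JSON-RPC-style transaction object carrying SAMPLE_HIT as calldata.
SAMPLE_TX = {"input": "0x" + SAMPLE_HIT.hex()}


if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("pe", SAMPLE_PE),
                       ("two_charat", SAMPLE_TWO_CHARAT), ("big", SAMPLE_BIG)]:
        print(f"{name:12s} -> {rule_matches(blob)}")
    print("tx calldata  ->", rule_matches(payload_from_tx(SAMPLE_TX)))
```

Use this only to reason about the rule; for actual scanning, save the rule text to a file and run it with the YARA CLI (`yara rule.yar sample.js`), which is what the counts and `filesize` keyword are defined against.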



Published: 2025-10-16T14:00:00