“JADESNOW utilizes EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum,” the researchers said. “The input data stored in the smart contract may be Base64-encoded and XOR-encrypted. The final payload in the JADESNOW infection chain is usually a more persistent backdoor like INVISIBLEFERRET.JAVASCRIPT.”
Furthermore, the INVISIBLEFERRET backdoor’s code might be split across different smart contracts, and when executed, it might download additional payloads stored at different blockchain addresses, such as a Python-based information stealer.
The malicious JavaScript downloader used by UNC5342 queries the Ethereum or BNB chains through several blockchain explorer API services, often with free API keys. While some of these services might respond to takedown requests, others are non-responsive. But using third-party API services is not the only way to read or trigger smart contracts, as demonstrated by separate threat actor UNC5142.
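As an added illustration of the encoding the researchers describe (Base64 over XOR, stored as a smart-contract argument), the following Python is an analyst triage helper written for this article, not tooling from the report or from either threat actor. It assumes the payload is passed as a single ABI-encoded `string` argument, that the XOR layer uses a one-byte key (the article says only "XOR-encrypted"), and uses a constructed harmless script, a placeholder selector (`deadbeef`) and a placeholder address in place of any real on-chain data.

```python
import base64
import binascii
import string

# --- Constructed sample (not a real JADESNOW artifact) -----------------------
# A harmless stand-in for the script a contract might hold. The address is a
# labelled placeholder, not a real on-chain address.
SAMPLE_PLAINTEXT = (
    b"(function(){ const next='0xPLACEHOLDER_ADDRESS'; console.log(next); })();"
)
SAMPLE_KEY = 0x5A                            # constructed single-byte XOR key
SAMPLE_SELECTOR = bytes.fromhex("deadbeef")  # placeholder 4-byte function selector


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the layer the article says may sit under Base64)."""
    return bytes(b ^ key for b in data)


def encode_payload(plaintext: bytes, key: int) -> str:
    """Model the described layering: XOR first, then Base64 text stored as a contract argument."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def abi_encode_single_string(selector: bytes, s: bytes) -> str:
    """Standard ABI encoding of a call f(string): selector | offset (0x20) | length | data padded to 32."""
    head = (32).to_bytes(32, "big")
    length = len(s).to_bytes(32, "big")
    padded = s + b"\x00" * ((32 - len(s) % 32) % 32)
    return "0x" + (selector + head + length + padded).hex()


def abi_decode_single_string(calldata_hex: str) -> bytes:
    """Pull the first dynamic string/bytes argument back out of transaction input data."""
    hexstr = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    body = bytes.fromhex(hexstr)[4:]          # drop the 4-byte selector
    offset = int.from_bytes(body[0:32], "big")
    length = int.from_bytes(body[offset:offset + 32], "big")
    return body[offset + 32:offset + 32 + length]


def js_score(candidate: bytes) -> float:
    """Heuristic: share of printable ASCII plus a bonus per JavaScript token seen (assumed scoring)."""
    if not candidate:
        return 0.0
    printable = sum(1 for b in candidate if chr(b) in string.printable)
    score = printable / len(candidate)
    text = candidate.decode("latin-1")
    for token in ("function", "eval(", "const ", "var ", "=>", "fetch(", ";"):
        if token in text:
            score += 0.2
    return score


def recover_xor_key(blob_b64: str):
    """Base64-decode, then try all 256 single-byte keys; return (key, plaintext, score) or None."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    best = None
    for key in range(256):
        cand = xor_bytes(raw, key)
        s = js_score(cand)
        if best is None or s > best[2]:
            best = (key, cand, s)
    return best


def triage_calldata(calldata_hex: str, threshold: float = 1.3) -> dict:
    """End to end: calldata -> string argument -> Base64 -> XOR brute force -> verdict."""
    arg = abi_decode_single_string(calldata_hex)
    try:
        blob = arg.decode("ascii")
    except UnicodeDecodeError:
        return {"suspicious": False, "reason": "argument is not ASCII text"}
    result = recover_xor_key(blob)
    if result is None:
        return {"suspicious": False, "reason": "argument is not valid Base64"}
    key, plaintext, score = result
    return {
        "suspicious": score >= threshold,
        "xor_key": key,
        "score": round(score, 2),
        "plaintext": plaintext.decode("latin-1"),
    }


if __name__ == "__main__":
    # Build constructed calldata the way the article describes the layering, then triage it.
    calldata = abi_encode_single_string(
        SAMPLE_SELECTOR, encode_payload(SAMPLE_PLAINTEXT, SAMPLE_KEY).encode()
    )
    print(triage_calldata(calldata))
```

The brute-force step is the weak point: a multi-byte key or a different ABI layout would need the scoring extended (for example, Hamming-distance key-length estimation before the per-byte search), so treat the verdict as a triage signal for an analyst rather than a detection rule. The calldata itself comes from the same explorer-API read the downloader performs, which is also the network activity worth baselining on hosts that have no business querying blockchain explorers.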