A recently-discovered ransomware dubbed “DeadLock” is stealthily exploiting Polygon smart contracts to rotate and distribute proxy addresses, say researchers at cybersecurity firm Group-IB.
The company reported on Thursday that the DeadLock ransomware, first discovered in July, has seen “low exposure” as it isn’t tied to any known data leak site or affiliate programs and has a “limited number of reported victims.”
However, Group-IB warned that even though the ransomware is “low profile,” it uses “innovative methods” that could be dangerous to organizations that don’t take the malware seriously, “especially since the abuse of this specific blockchain for malicious purposes has not been widely reported.”
DeadLock leverages Polygon smart contracts to store and rotate proxy server addresses used to communicate with victims. Code embedded in the ransomware interacts with a specific smart contract address and uses a function to dynamically update command-and-control infrastructure.
Once a victim has been infected and its files encrypted, DeadLock drops a ransom note and threatens to sell the stolen data if its demands are not met.
Infinite variants of the technique can be applied
By storing proxy addresses on-chain, Group-IB said DeadLock creates infrastructure that is extremely difficult to disrupt, as there is no central server to take down, and blockchain data persists indefinitely across distributed nodes worldwide.
“This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit,” it added.
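One defender-side consequence of the mechanism described above: to fetch its current proxy address, the malware must read contract state through a blockchain JSON-RPC endpoint, so outbound `eth_call` requests from hosts with no business reason to query a chain are a triage signal. The Python below is an added example, not Group-IB's code or anything from the ransomware; the log records, the watchlisted contract address and the allowed-host set are constructed placeholders.

```python
import json

# Hypothetical watchlist of contract addresses believed to serve as C2 resolvers.
# The value is a constructed placeholder, not an indicator from any report.
WATCHLIST = {"0x" + "ab" * 20}

# Hosts with a legitimate reason to talk to chain RPC endpoints (constructed).
ALLOWED_RPC_CLIENTS = {"fin-01"}

# Constructed egress-proxy records: source host and the outbound POST body.
SAMPLE_RECORDS = [
    {"src": "ws-042", "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call",'
     '"params":[{"to":"0x' + "AB" * 20 + '","data":"0x12345678"},"latest"]}'},
    {"src": "ws-042", "body": '{"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]}'},
    {"src": "fin-01", "body": '{"jsonrpc":"2.0","id":3,"method":"eth_call",'
     '"params":[{"to":"0x' + "cd" * 20 + '","data":"0x70a08231"},"latest"]}'},
    # Batched JSON-RPC: an array of requests in one body.
    {"src": "ws-042", "body": '[{"jsonrpc":"2.0","id":4,"method":"eth_call",'
     '"params":[{"to":"0x' + "cd" * 20 + '","data":"0x06fdde03"},"latest"]},'
     '{"jsonrpc":"2.0","id":5,"method":"eth_chainId","params":[]}]'},
    {"src": "ws-042", "body": "not json at all"},
]


def _calls(body):
    """Yield (method, to_address) for each JSON-RPC request in a body.
    Handles single objects, batched arrays, and non-JSON bodies (skipped)."""
    try:
        parsed = json.loads(body)
    except (ValueError, TypeError):
        return
    for req in parsed if isinstance(parsed, list) else [parsed]:
        if not isinstance(req, dict):
            continue
        params = req.get("params") or []
        to_addr = None
        if params and isinstance(params[0], dict):
            to_addr = str(params[0].get("to", "")).lower() or None
        yield req.get("method"), to_addr


def triage(records, watchlist=WATCHLIST, allowed=ALLOWED_RPC_CLIENTS):
    """Return (src_host, severity, contract) for eth_call traffic that reads
    contract state: 'high' if the contract is watchlisted, 'medium' if the
    source host is not expected to query chain RPC at all."""
    alerts, wl = [], {a.lower() for a in watchlist}
    for rec in records:
        for method, to_addr in _calls(rec["body"]):
            if method != "eth_call":
                continue
            if to_addr in wl:
                alerts.append((rec["src"], "high", to_addr))
            elif rec["src"] not in allowed:
                alerts.append((rec["src"], "medium", to_addr))
    return alerts
```

The same triage applies whichever chain is queried; only the watchlist and the set of hosts allowed to reach RPC endpoints change.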

North Korean threat actors used “EtherHiding”
Weaponizing smart contracts for malware dissemination is not new, with Group-IB noting a tactic called “EtherHiding” that Google reported in October.
A North Korean threat actor dubbed “UNC5342” used this technique, “which consists of leveraging transactions on public blockchains to store and retrieve malicious payloads,” it said.
EtherHiding involves embedding malicious code, often in the form of JavaScript payloads, within a smart contract on a public blockchain, explained Google at the time.
“This approach essentially turns the blockchain into a decentralized and highly resilient command-and-control (C2) server.”