Researchers at Group-IB reported on Thursday that a ransomware named DeadLock was first detected in July. DeadLock exploits Polygon smart contracts to rotate and distribute proxy addresses for its command-and-control infrastructure.
Code embedded in the malware calls a specific contract function to update proxy addresses dynamically. After encryption, infected systems receive a ransom note and a threat to sell stolen data if demands go unmet.
Storing proxy addresses on-chain removes a single point of failure and makes takedown difficult. Group-IB warned the method allows many variants and could be dangerous for organizations that do not take it seriously (Ed. note: on-chain records persist across distributed nodes indefinitely).
Weaponizing smart contracts is not new; a technique called “EtherHiding” has appeared previously. A North Korean actor identified as UNC5342 used this approach to embed JavaScript payloads in smart contracts, leveraging blockchain transactions to store and retrieve malicious code: “This approach essentially turns the blockchain into a decentralized and highly resilient command-and-control (C2) server.”
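Because the on-chain record cannot be taken down, defenders are left watching for the lookup itself. The following is an added example, not code from Group-IB or from the malware: on an EVM chain such as Polygon a read-only contract call is normally an `eth_call` JSON-RPC request, so the sketch counts such requests per host, process and contract. It assumes an egress proxy that logs decoded request bodies; the log field names, hosts, process names and contract address are constructed.

```python
import json
from collections import Counter

def rec_line(src, proc, method, params):
    """Build one constructed proxy record with a JSON-RPC request body."""
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})
    return json.dumps({"src": src, "proc": proc, "dest": "rpc.example.net", "body": body})

# Constructed sample data: hosts, process names and the contract address are made up.
CONTRACT = "0x" + "ab" * 20
READ = [{"to": CONTRACT, "data": "0x12345678"}, "latest"]
SAMPLE_LOG = [
    rec_line("ws-014", "svc_update.exe", "eth_call", READ),
    rec_line("ws-014", "svc_update.exe", "eth_call", READ),
    rec_line("dev-002", "node.exe", "eth_call", READ),        # developer box, expected
    rec_line("ws-020", "chrome.exe", "eth_blockNumber", []),  # not a contract read
    '{"src": "ws-031", "proc": "curl.exe", "dest": "api.example.org", "body": "not json"}',
]

def contract_reads(lines, expected_hosts=frozenset()):
    """Count eth_call requests per (host, process, contract), skipping expected hosts."""
    hits = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
            req = json.loads(rec["body"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed record or a body that is not JSON
        if rec.get("src") in expected_hosts:
            continue
        # JSON-RPC permits batching, so a body may be one call or a list of calls.
        for call in req if isinstance(req, list) else [req]:
            if not isinstance(call, dict) or call.get("method") != "eth_call":
                continue
            params = call.get("params")
            first = params[0] if isinstance(params, list) and params else {}
            target = str(first.get("to", "")).lower() if isinstance(first, dict) else ""
            hits[(rec.get("src"), rec.get("proc"), target)] += 1
    return hits

if __name__ == "__main__":
    for (host, proc, contract), n in contract_reads(SAMPLE_LOG, {"dev-002"}).most_common():
        print(f"{host} {proc} read contract {contract} x{n}")
```

The contract address in each hit gives responders a stable indicator to pivot on, since every infected host has to query the same on-chain record.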

