A North Korean hacking group is targeting cryptocurrency workers with Python-based malware disguised as a fake job application process, Cisco Talos researchers said earlier this week.
Most victims appear to be based in India, according to open-source signals, and appear to be individuals with prior experience at blockchain and cryptocurrency startups.
While Cisco does not report evidence of any internal compromise, the broader risk is still clear: these efforts are an attempt to gain access to the companies these candidates could go on to join.
The malware, called PylangGhost, is a new variant of the previously documented GolangGhost remote access Trojan (RAT) and shares most of the same features, only rewritten in Python to better target Windows systems.
Mac users continue to be hit with the Golang version, while Linux systems appear to be unaffected. The threat actor behind the campaign, known as Famous Chollima, has been active since mid-2024 and is believed to be a DPRK-aligned group.
Its latest attack vector is simple: impersonate major crypto companies such as Coinbase, Robinhood and Uniswap through highly polished fake careers sites, and lure software engineers, marketing specialists and designers into completing "skill tests".
Once a target fills in basic information and answers the technical questions, they are asked to install fake video drivers by pasting a command into their terminal, which silently downloads and unpacks the Python-based RAT. Any interview process that asks a candidate to paste a command into a terminal or install a "driver" to enable a camera should be treated as a red flag.
The payload is hidden in a ZIP file that includes a renamed Python interpreter (Nvidia.py), a Visual Basic script to unpack the archive, and six main modules responsible for persistence, system fingerprinting, file transfer, remote shell access and browser data theft.
The RAT steals login credentials, session cookies and wallet data from more than 80 browser extensions, including MetaMask, Phantom, TronLink and 1Password.
The command set allows full remote control of infected machines, including file uploads and downloads, system reconnaissance and launching a shell, all routed through RC4-encrypted HTTP packets.
RC4-encrypted HTTP packets are data sent over the Internet that have been scrambled with an outdated stream cipher called RC4. The transport itself is plain HTTP, so that encryption is all the traffic has, and it is weak: RC4 is deprecated (it was prohibited in TLS in 2015), and because the implant must carry the key, an analyst who extracts it from a sample can decrypt every captured packet. In practice this is obfuscation against casual inspection rather than real confidentiality, and for defenders it is useful: once the key is known, the command traffic can be decoded and signatured.
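The following is an added example, not code from the Cisco Talos report or from the malware itself, showing what "RC4-encrypted HTTP packets" means in practice from the analyst's side. The key (`RECOVERED_KEY`), the JSON command format and the sample commands are constructed assumptions standing in for whatever the real implant uses; the point is the handling and the weakness, not the real wire format. It implements textbook RC4, decrypts a captured body once the static key is known, and then shows two consequences of a stream cipher with a fixed key and no nonce: two packets XORed together leak the XOR of their plaintexts, and a predictable JSON prefix lets you recover the keystream for those bytes without any key at all.

```python
"""Added example (not from the Talos report): handling RC4-wrapped C2 bodies
once the static key is known, and why the scheme leaks even without it.
The key, packet format and sample commands below are constructed assumptions."""
import json

# Constructed stand-in for a key pulled out of a sample. Not the real key.
RECOVERED_KEY = b"example-c2-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA) then keystream generation (PRGA).
    XOR with the keystream both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_c2_packet(command: str, **fields) -> bytes:
    """Simulated client->server HTTP body: a JSON command, RC4 under the
    static key, with no per-message nonce (the weakness demonstrated below)."""
    return rc4(RECOVERED_KEY, json.dumps({"cmd": command, **fields}).encode())


def decrypt_c2_packet(body: bytes, key: bytes = RECOVERED_KEY) -> dict:
    """Analyst side: decode a captured body with the key taken from the sample."""
    return json.loads(rc4(key, body).decode())


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def two_time_pad_leak() -> tuple:
    """Same key and no nonce means every packet uses the same keystream, so
    ciphertext_a XOR ciphertext_b equals plaintext_a XOR plaintext_b.
    Returns both values so a caller can confirm they match with no key."""
    pt_a = json.dumps({"cmd": "shell", "line": "whoami"}).encode()
    pt_b = json.dumps({"cmd": "upload", "path": "C:/Users/x/.ssh"}).encode()
    ct_a = rc4(RECOVERED_KEY, pt_a)
    ct_b = rc4(RECOVERED_KEY, pt_b)
    return xor_bytes(ct_a, ct_b), xor_bytes(pt_a, pt_b)


def recover_keystream_prefix(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext attack: if every packet starts with the same JSON
    prefix, the keystream for those bytes is ciphertext XOR prefix."""
    return xor_bytes(ciphertext[: len(known_prefix)], known_prefix)


def decrypt_prefix_without_key(ciphertext: bytes, keystream: bytes) -> bytes:
    """Apply a recovered keystream prefix to another packet under the same key."""
    return xor_bytes(ciphertext[: len(keystream)], keystream)


if __name__ == "__main__":
    body = build_c2_packet("shell", line="whoami")
    print("decrypted with key:", decrypt_c2_packet(body))
    ks = recover_keystream_prefix(body, b'{"cmd": "')
    other = build_c2_packet("download", path="C:/wallets")
    print("prefix of a second packet, no key:", decrypt_prefix_without_key(other, ks))
```

Python's standard library has no RC4 and the `cryptography` package has dropped it, so a dozen-line hand-rolled implementation like `rc4` above is what analysts typically reach for when decoding this kind of traffic; the `b"Key"`/`b"Plaintext"` vector from the RC4 literature (`bbf316e8d940af0ad3`) is a quick way to confirm it.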
Despite being a rewrite, PylangGhost's structure and naming conventions mirror those of GolangGhost almost exactly, which suggests both were probably written by the same operator, Cisco said.
Read more: North Korean hackers target crypto developers with US shell companies