- Slow Pisces targets cryptocurrency developers with malicious code disguised as stock analysis tools
- The malicious code hides in plain sight on GitHub, using YAML deserialization tricks
- Victims unknowingly install RN Loader and RN Stealer through tampered Python repositories
A North Korean hacking group known as Slow Pisces has launched a sophisticated campaign targeting developers in the cryptocurrency sector through LinkedIn.
The group, also tracked as TraderTraitor or Jade Sleet, poses as recruiters to lure victims with seemingly genuine job offers and coding challenges, only to infect their systems with malicious Python and JavaScript code.
The campaign has let the group steal substantial amounts of cryptocurrency. In 2023 alone, it was linked to more than $1 billion in stolen funds, and a $1.5 billion heist from a Dubai-based exchange and a $308 million theft from a Japanese company are among its recent attacks.
Developers, beware!
After first sending PDF documents containing job descriptions, the attackers direct their targets to coding tasks hosted on GitHub.
Although these repositories appear to be based on legitimate open source projects, they have been quietly altered to include hidden malware.
Victims, believing they are completing programming tests, unwittingly run malware such as RN Loader and RN Stealer on their systems.
The group's trojanized projects imitate legitimate developer tools and applications. For example, the Python repositories may appear to analyze stock market trends using data from reputable sources while secretly communicating with attacker-controlled domains.
The malware evades most detection tools by using YAML deserialization rather than commonly flagged functions such as eval or exec: the repository never needs to contain such a call, because a YAML document loaded with an unsafe loader can construct arbitrary Python objects and invoke callables during parsing. Once activated, the loader fetches and executes additional payloads directly in memory, which makes them hard to detect or remove.
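The check below is an added example, not code from the Unit 42 report or from the campaign's tooling. It assumes the loader is written against PyYAML (the library whose `yaml.load` honours `!!python/...` tags when given `yaml.Loader` or `yaml.UnsafeLoader`) and uses only the standard library, so it runs offline against the constructed sample source file and constructed network response embedded in it. It shows the detection a reviewer of a "coding challenge" repository would actually want: find every YAML load that is not pinned to a safe loader, and flag python-specific tags in data before it reaches any loader.

```python
"""Added example (not from the Unit 42 report or the malware): a stdlib-only
check for the deserialization sink the loader relies on.

PyYAML's yaml.load() with yaml.Loader / yaml.UnsafeLoader honours tags such as
!!python/object/apply:<module>.<callable>, which call an arbitrary Python
callable while the document is parsed, so no eval() or exec() ever appears in
the repository. find_unsafe_yaml_loads() walks a module's AST and reports yaml
calls that are not pinned to a safe loader; find_python_tags() flags
python-specific tags in data received from the network before it is loaded.
"""
import ast
import re

# Loader classes PyYAML documents as safe for untrusted input.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}
# Convenience wrappers that never use a safe loader.
UNSAFE_FUNCS = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}
# Any !!python/... tag lets the document drive object construction.
PYTHON_TAG = re.compile(r"!!python/[\w/.:]+")


def _loader_name(call):
    """Name of the Loader passed to yaml.load/load_all, or None if absent."""
    candidates = [kw.value for kw in call.keywords if kw.arg == "Loader"]
    if not candidates and len(call.args) >= 2:   # Loader given positionally
        candidates = [call.args[1]]
    if not candidates:
        return None
    node = candidates[0]
    if isinstance(node, ast.Attribute):          # yaml.SafeLoader
        return node.attr
    if isinstance(node, ast.Name):               # SafeLoader
        return node.id
    return "<expr>"                              # computed at runtime: treat as unsafe


def find_unsafe_yaml_loads(source):
    """Return sorted [(lineno, reason)] for yaml.* calls that can build arbitrary objects."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only the common `import yaml; yaml.<fn>(...)` form is handled here.
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "yaml"):
            continue
        if func.attr in UNSAFE_FUNCS:
            findings.append((node.lineno, f"yaml.{func.attr}() deserializes arbitrary objects"))
        elif func.attr in ("load", "load_all"):
            loader = _loader_name(node)
            if loader is None:
                findings.append((node.lineno, f"yaml.{func.attr}() without Loader= (version-dependent, historically unsafe default)"))
            elif loader not in SAFE_LOADERS:
                findings.append((node.lineno, f"yaml.{func.attr}(Loader={loader}) is not a safe loader"))
    return sorted(findings)


def find_python_tags(yaml_text):
    """Return every !!python/... tag in a YAML document, without parsing it."""
    return [m.group(0) for m in PYTHON_TAG.finditer(yaml_text)]


# Constructed sample in the shape the article describes: a "stock analysis"
# helper that fetches a config from a remote host and feeds it to yaml.load.
SAMPLE_SOURCE = '''
import yaml, requests

def get_config(url):
    resp = requests.get(url, headers={"X-Token": "abc"})
    return yaml.load(resp.text, Loader=yaml.Loader)

def get_rules(path):
    with open(path) as f:
        return yaml.safe_load(f)

def legacy(data):
    return yaml.load(data)
'''

# Constructed response body: looks like market data, but the tag would make an
# unsafe loader call a function (a harmless print here) during parsing.
SAMPLE_RESPONSE = """\
symbols: [AAPL, MSFT]
hook: !!python/object/apply:builtins.print ["loaded"]
"""

if __name__ == "__main__":
    for lineno, reason in find_unsafe_yaml_loads(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}")
    print("python tags in response:", find_python_tags(SAMPLE_RESPONSE))
```

The fix for a flagged call is to pass `Loader=yaml.SafeLoader` (or call `yaml.safe_load`), which rejects every `!!python/...` tag with a constructor error instead of executing it. The regex check is deliberately a pre-filter, not a parser: it is cheap to run on every byte that comes back from a "data source" and catches the tag even when the surrounding YAML is otherwise ordinary.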
One of those payloads, RN Stealer, is built specifically to exfiltrate credentials, cloud configuration files and stored SSH keys, particularly from macOS systems.
The JavaScript variants of the malware work similarly, using the Embedded JavaScript (EJS) templating engine to hide the malicious code, which is activated only for specific victims based on factors such as IP address or browser headers.
Forensic analysis shows that the malware stores code in hidden directories and communicates over HTTP using custom tokens. However, researchers were unable to recover the full JavaScript payload.
GitHub and LinkedIn have responded by removing the malicious accounts and repositories involved.
“GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across all our products, we use automated technology, combined with expert investigation teams and member reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity,” the companies said in a joint statement.
There is a growing need for caution when dealing with remote job offers and coding tests. Developers are advised to use strong antivirus software and to run unknown code only in sandboxed environments, particularly when working in sensitive sectors such as cryptocurrency.
Those concerned about security should make sure they are using a reputable IDE, which generally includes built-in security features. Staying alert and working in a safe, controlled setup can significantly reduce the risk of falling prey to state-backed cyber threats.
Via Unit 42