North Korean Cyber Threat Targets Crypto Job Seekers with Advanced Malware
In a concerning development for the cryptocurrency industry, a North Korean-aligned cyber threat actor has been actively targeting job seekers with a sophisticated new malware strain designed specifically to steal passwords from crypto wallets and password managers. This alarming revelation was made by Cisco Talos on Wednesday, highlighting the discovery of a new Python-based remote access trojan (RAT) dubbed “PylangGhost.” The malware has been linked to a North Korean-affiliated hacking group known as “Famous Chollima,” also referred to as “Wagemole.”
The hacking collective has been focusing its attacks on individuals with cryptocurrency and blockchain expertise, primarily targeting professionals in India. These attacks are being conducted through cleverly disguised fake job interview campaigns, leveraging social engineering techniques to deceive their victims.
Fake Job Sites and Skill Tests: A Cover for Malware Infiltration
The attackers employ fraudulent job websites that mimic legitimate companies such as Coinbase, Robinhood, and Uniswap. Victims are led through an intricate multi-step process, beginning with initial contact from fake recruiters who invite them to participate in skill-testing websites where critical information is harvested.
Subsequently, the victims are persuaded to grant camera and video access under the guise of participating in fake interviews. During this process, they are tricked into executing malicious commands, purportedly to update video drivers, which compromise their devices.
PylangGhost: A Direct Threat to Crypto Wallets
PylangGhost, a variant of the previously documented GolangGhost RAT, exhibits similar capabilities, according to Cisco Talos. Upon execution, the malware facilitates remote control of the victim’s system, enabling the theft of cookies and credentials from over 80 browser extensions. These extensions include popular password managers and cryptocurrency wallets such as MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink, and MultiverseX.
Multitasking Malware with Extensive Capabilities
The PylangGhost malware is not limited to stealing credentials alone. It is capable of executing a wide range of commands, including taking screenshots, managing files, stealing browser data, collecting system information, and maintaining persistent remote access to the infected systems.
Interestingly, based on the comments found within the malware code, researchers judged it unlikely that the threat actors used an artificial intelligence large language model to help write it.
History Repeats: Fake Job Lures Not a New Tactic
This is not the first time North Korean-linked hackers have deployed fake job and interview schemes to ensnare victims. In April, hackers associated with the $1.4 billion Bybit heist targeted crypto developers using malware-laden fake recruitment tests.
For further details on this emerging threat, you can read the full report on Cointelegraph.