New Malware Targeting Crypto Job Seekers Linked to North Korean Hackers

Introduction

In a disturbing development for the cryptocurrency sector, a threat actor with connections to North Korea is deploying malicious software aimed at job seekers in the industry. This new strain of malware, identified as “PylangGhost,” is specifically crafted to steal credentials for cryptocurrency wallets and password management tools.

Details of the Threat

Cisco Talos, a cybersecurity research group, disclosed these findings on Wednesday, linking the malware to the notorious hacking group known as “Famous Chollima,” also referred to as “Wagemole.”

The primary targets of this operation appear to be individuals with experience in cryptocurrency and blockchain, particularly in India. The cybercriminals are orchestrating deceptive job interview schemes, employing social engineering tactics that involve impersonating reputable companies such as Coinbase, Robinhood, and Uniswap.

Deceptive Practices

Fraudulent recruiters make the initial contact and send invitations to phony skill-assessment websites, where initial data gathering takes place. During the fake job interviews that follow, which are disguised as legitimate video calls, victims are manipulated into granting video and camera access under the guise of installing updated video drivers. In doing so, they unwittingly execute dangerous commands that lead to their devices being compromised.

Malware Capabilities

Cisco Talos has noted that PylangGhost is a derivative of the previously analyzed GolangGhost RAT and shares much of its functionality, including remote control of infected devices. Once activated, this malware can:

  • Extract cookies and credentials from over 80 browser extensions, specifically targeting password managers and cryptocurrency wallet applications, such as MetaMask, 1Password, and NordPass.
  • Take screenshots, manage files, and collect system information.
  • Maintain ongoing access to compromised systems.

Despite its sophistication, researchers believe the code was not written with the help of artificial intelligence, based on the internal comments found within it.

Historical Context

This method of using fake job offers to ensnare victims is not novel; North Korean-affiliated hackers have previously employed similar tactics. In April, for instance, a group linked to a massive $1.4 billion heist targeted cryptocurrency developers by presenting them with fake recruitment tests that were embedded with malware.
