A North Korean-aligned threat actor has been targeting job seekers in the crypto industry with new malware that is designed to steal passwords for crypto wallets and password managers.
Cisco Talos reported on Wednesday that it found a new Python-based remote access trojan (RAT) it called “PylangGhost,” linking the malware to a North Korean-affiliated hacking collective called “Famous Chollima,” also known as “Wagemole.”
The hacking group has been targeting job seekers and employees with cryptocurrency and blockchain experience, primarily in India, with the attacks carried out through fake job interview campaigns using social engineering.
“Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies.”
Fake job sites and tests a cover for malware
The attackers create fraudulent job sites that impersonate legitimate companies, such as Coinbase, Robinhood and Uniswap, and victims are guided through a multi-step process.
This includes initial contact from fake recruiters who send invites to skill-testing websites where the information gathering occurs.
Next, the victims are lured into enabling video and camera access for fake interviews during which they are tricked into copying and executing malicious commands under the pretense of installing updated video drivers, resulting in the compromise of their device.
Payload targets crypto wallets
PylangGhost is a variant of the previously documented GolangGhost RAT, and shares similar functionality, Cisco Talos said.
Upon execution, the commands enable remote control of the infected system and the theft of cookies and credentials from over 80 browser extensions, it reported.
These include password managers and cryptocurrency wallets, including MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX.
Multitasking malware
The malware can carry out other tasks and execute numerous commands, including taking screenshots, managing files, stealing browser data, collecting system information and maintaining remote access to infected systems.
Related: Scammers use fake crypto jobs, ‘GrassCall’ meeting app to drain wallets
The researchers also noted that it was unlikely that the threat actors used an artificial intelligence large language model to help write the code, based on the comments made within it.
Fake job lures not new
It is not the first time North Korean-linked hackers have used fake jobs and interviews to lure their victims.
In April, hackers linked to the $1.4 billion Bybit heist were targeting crypto developers using fake recruitment tests infected with malware.
Magazine: Arthur Hayes doesn’t care when his Bitcoin predictions are totally wrong
