- Slow Pisces targets crypto developers with malicious code disguised as stock analysis tools
- The malicious code hides in plain sight, using GitHub projects and YAML deserialization tricks
- Victims unknowingly run RN Loader and RN Stealer through rigged Python repositories
A group of hackers from North Korea known as Slow Pisces has launched a sophisticated campaign targeting developers in the cryptocurrency sector via LinkedIn.
The group, also known as TraderTraitor or Jade Sleet, poses as recruiters to lure victims with seemingly authentic job offers and coding challenges, only to infect their systems with malicious Python and JavaScript code.
Through this campaign, the group has been able to steal substantial amounts of cryptocurrency. In 2023 alone, it was linked to more than a billion dollars in stolen funds. A $1.5 billion hack of a Dubai-based exchange and a $308 million theft from a Japanese company are among its recent attacks.
Coders, beware!
After first sending PDF documents containing job descriptions, the threat actors follow up with coding assignments hosted on GitHub.
Although these repositories appear to be based on legitimate open source projects, they have been quietly modified to include hidden malware.
The victims, believing they are completing programming tests, unintentionally run malware such as RN Loader and RN Stealer on their systems.
These trojanized projects imitate legitimate developer tools and applications. For example, the Python repositories may appear to analyze stock market trends using data from well-known sources while secretly communicating with attacker-controlled infrastructure.
The malware evades most detection tools by using YAML deserialization, avoiding commonly flagged functions such as eval or exec. Once triggered, the loader fetches and executes additional payloads directly in memory, which makes detection and removal difficult.
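The pattern described above is a code-execution path that no eval or exec grep will surface: a YAML document carrying a `!!python/` tag is handed to a PyYAML loader that is allowed to construct Python objects. The check below is an added example written for this article, not code from Unit 42 or from the campaign; it uses only the standard library and assumes the target project calls PyYAML through the `yaml` module name. It flags `yaml.load` / `yaml.load_all` calls that are not given a SafeLoader, flags `unsafe_load` variants outright, and lists any `!!python/` tags found in YAML data shipped with a repository. The sample source and YAML document are constructed for the demonstration.

```python
from __future__ import annotations
import ast
import re

# Any !!python/ tag asks PyYAML's non-safe loaders to build arbitrary Python
# objects; a stock-analysis config has no legitimate reason to carry one.
PYTHON_TAG = re.compile(r"!!python/[\w/.:]+")
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}
ALWAYS_UNSAFE = {"unsafe_load", "unsafe_load_all"}

def yaml_python_tags(yaml_text: str) -> list[str]:
    """Return every !!python/ tag found in a YAML document."""
    return PYTHON_TAG.findall(yaml_text)

def _loader_name(node: ast.expr | None) -> str | None:
    if isinstance(node, ast.Attribute):   # yaml.SafeLoader
        return node.attr
    if isinstance(node, ast.Name):        # SafeLoader imported directly
        return node.id
    return None

def unsafe_yaml_loads(source: str) -> list[int]:
    """Line numbers of yaml.load*/unsafe_load* calls that lack a safe loader."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        f = node.func
        if not (isinstance(f.value, ast.Name) and f.value.id == "yaml"):
            continue
        if f.attr in ALWAYS_UNSAFE:
            hits.append(node.lineno)
            continue
        if f.attr not in {"load", "load_all"}:
            continue
        loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader is None and len(node.args) > 1:   # positional Loader argument
            loader = node.args[1]
        if _loader_name(loader) not in SAFE_LOADERS:
            hits.append(node.lineno)
    return sorted(hits)

# Constructed sample inputs (not from the campaign) exercising the checks above.
SAMPLE_SOURCE = """import yaml
cfg = yaml.load(open("settings.yaml"))
ok = yaml.load(open("settings.yaml"), Loader=yaml.SafeLoader)
also = yaml.safe_load("ticker: AAPL")
"""
SAMPLE_YAML = "ticker: AAPL\nparser: !!python/object:stock_tool.Settings {}\n"
```

Run both checks over every `.py` and `.yaml` file of a take-home assignment before executing it; a hit in either is reason to stop and inspect the repository in an isolated environment.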
One of these payloads, RN Stealer, is specifically designed to exfiltrate credentials, cloud configuration files and stored SSH keys, particularly from macOS systems.
The JavaScript variants of the malware operate in a similar way, using an embedded JavaScript templating engine to hide the malicious code, which is only activated for targeted victims depending on factors such as IP address or browser headers.
Forensic analysis shows that the malware stores its code in hidden directories and communicates over HTTPS using custom tokens. However, investigators were unable to recover the complete JavaScript payload.
GitHub and LinkedIn responded by removing the accounts and malicious repositories involved.
"GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated technology, combined with investigation teams and member reporting, to combat bad actors and enforce our terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity," the companies said in a joint statement.
There is a growing need for caution when approached with remote job offers and coding tests. Developers are advised to use robust antivirus software and to run unknown code in isolated environments, especially when working in sensitive sectors such as cryptocurrency.
Security-conscious users should make sure they are using the best IDEs, which generally include built-in security features. Staying alert and working in a secure, controlled setup can considerably reduce the risk of falling victim to state-sponsored cyber actors.
Via Unit 42