North Korean hackers use Python-based malware to infiltrate leading crypto companies

A North Korean hacking group is targeting cryptocurrency workers with Python-based malware disguised as part of a fake job application process, Cisco Talos researchers said this week.

Most victims appear to be based in India, according to open-source signals, and appear to be people with previous experience at blockchain and cryptocurrency startups.

Although Cisco reports no evidence of internal compromise, the wider risk remains clear: these efforts aim at gaining access to the companies these people might go on to join.

The malware, called PylangGhost, is a new variant of a previously documented remote access trojan (RAT) and shares most of the same features, just rewritten in Python to better target Windows systems.

Mac users continue to be hit by the Golang version, while Linux systems do not appear to be affected. The threat actor behind the campaign, known as Famous Chollima, has been active since mid-2010 and is a DPRK-aligned group.

Their latest attack vector is simple: impersonating leading crypto companies such as Coinbase, Robinhood and Uniswap through fake, highly polished career sites, and luring software engineers, marketing specialists and designers into completing "skill tests".

Once a target has filled in basic information and answered technical questions, they are invited to install fake video drivers by pasting a command into their terminal, which downloads and quietly launches the Python-based RAT.

(Image: Cisco Talos)

The payload is hidden in a zip file that includes a renamed Python interpreter (nvidia.py), a Visual Basic script to unpack the archive, and six core modules responsible for persistence, system fingerprinting, file transfer, remote shell access and theft of browser data.

The RAT pulls login credentials, session cookies and wallet data from more than 80 extensions, including MetaMask, Phantom, TronLink and 1Password.

The command set allows complete remote control of infected machines, including file uploads and downloads, system reconnaissance and launching a shell, all routed via RC4-encrypted HTTP packets.

RC4-encrypted HTTP packets are data sent over the Internet that is obscured using an obsolete cipher called RC4. Even though the connection itself is not secure (plain HTTP), the data inside is encrypted, but not very well, because RC4 is obsolete and easily broken by today's standards.
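As an added illustration (not code from the article or from Cisco Talos) of why RC4 over plain HTTP gives an analyst an opening: when an implant uses one fixed key, the keystream repeats, so two captured packets XORed together cancel it out and leak the XOR of the plaintexts, and a key pulled from the malware sample decrypts the whole capture. The key, the two beacon messages and their JSON framing below are constructed for the example.

```python
# Added example, not from the article or Cisco Talos. Demonstrates the two
# weaknesses of a fixed-key RC4 C2 channel: keystream reuse and full
# decryption once the key is recovered. Key and beacons are constructed.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is XOR with the keystream, so one call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample: a static key hard-coded in the implant and two beacons.
STATIC_KEY = b"example-static-key"
BEACON_1 = b'{"cmd":"sysinfo","host":"DESKTOP-01"}'
BEACON_2 = b'{"cmd":"shell","host":"DESKTOP-01"}'

def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Without the key: XOR of two ciphertexts equals XOR of the plaintexts,
    because the identical keystream cancels. A known or guessable prefix
    (here the JSON framing) then exposes the corresponding bytes of the
    other message."""
    return xor_bytes(c1, c2)

def decrypt_capture(key: bytes, packets: list) -> list:
    """With the key recovered from the sample: decrypt every captured packet."""
    return [rc4(key, p) for p in packets]

if __name__ == "__main__":
    c1, c2 = rc4(STATIC_KEY, BEACON_1), rc4(STATIC_KEY, BEACON_2)
    leak = keystream_reuse_leak(c1, c2)
    print("plaintext XOR leaked:", leak == xor_bytes(BEACON_1, BEACON_2))
    print(decrypt_capture(STATIC_KEY, [c1, c2]))
```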

Although it is a rewrite, the structure and naming conventions of PylangGhost mirror those of GolangGhost almost exactly, suggesting the two were probably written by the same operator, Cisco said.
