North Korean Cybercriminals Target Crypto Professionals Using Deceptive Job Offers

A DPRK-linked group leverages fake job listings and Python malware to infiltrate the systems of blockchain workers, aiming for credential theft and remote access.

A North Korean hacking faction is reportedly targeting crypto industry professionals by utilizing deceptive job applications accompanied by malicious Python software, as disclosed by researchers at Cisco Talos earlier this week.

Key Details:

  • The attackers employ a malware named PylangGhost, derived from the previously recognized GolangGhost, intended to infiltrate businesses by preying on individual workers.
  • Victims, primarily located in India, are mostly individuals with prior involvement in blockchain and cryptocurrency sectors.

While Cisco observes no clear signs of internal breaches, it cautions that the broader danger remains, as adversaries attempt to breach the firms these professionals might join.

The campaign impersonates reputable crypto companies such as Coinbase and Uniswap, luring candidates through detailed fake career websites. Applicants are prompted to complete staged skill evaluations and are then asked to install counterfeit video drivers, a step that stealthily deploys the Python-based RAT.

The hidden payload is a ZIP file containing a renamed Python interpreter and various modules for persistence, system reconnaissance, data theft, and unauthorized remote access.
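A renamed interpreter is something defenders can hunt for in process-creation telemetry. The sketch below is an added example, not code from Cisco Talos or this article; it assumes Sysmon-style events that carry `Image` and `OriginalFileName` fields, and every event, path and file name in it is constructed.

```python
import re
from pathlib import PureWindowsPath

# OriginalFileName values carried in the version resource of CPython's Windows interpreters.
PYTHON_ORIGINAL_NAMES = {"python.exe", "pythonw.exe"}
# On-disk names expected for a genuine interpreter (python.exe, python3.12.exe, pythonw.exe).
EXPECTED_NAME = re.compile(r"python[\d.]*w?\.exe")
# Path fragments for user-writable locations (assumed list; tune per environment).
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\")

# Constructed process-creation events; all paths and file names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Python312\python.exe",
     "OriginalFileName": "python.exe"},
    {"Image": r"C:\Users\dev\AppData\Local\Temp\drv\helper.exe",
     "OriginalFileName": "python.exe"},
    {"Image": r"C:\Tools\agent\svc_update.exe",
     "OriginalFileName": "pythonw.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]


def is_renamed_python(event):
    """True when the binary identifies as Python but runs under another file name."""
    original = (event.get("OriginalFileName") or "").lower()
    on_disk = PureWindowsPath(event.get("Image", "")).name.lower()
    return original in PYTHON_ORIGINAL_NAMES and not EXPECTED_NAME.fullmatch(on_disk)


def triage(events):
    """Return (severity, image) pairs; user-writable locations rank higher."""
    findings = []
    for event in events:
        if not is_renamed_python(event):
            continue
        path = event["Image"].lower()
        writable = any(fragment in path for fragment in USER_WRITABLE)
        findings.append(("high" if writable else "medium", event["Image"]))
    return findings


if __name__ == "__main__":
    for severity, image in triage(SAMPLE_EVENTS):
        print(severity, image)
```

Packaged applications that bundle their own interpreter under another name will also match, so expect to maintain an allowlist before alerting on this.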

The RAT is capable of extracting credentials, session data, and wallet information from over 80 browser extensions, including popular tools like MetaMask and 1Password.

Although PylangGhost has been restructured, its similarities to GolangGhost in form and naming imply a common origin, according to Cisco’s evaluation.
