North Korea deploys new information-stealing malware targeting cryptocurrency practitioners.

10 hours ago

A threat actor associated with North Korea is using sophisticated new malware to target job seekers in the cryptocurrency industry, aiming to steal access credentials for cryptocurrency wallets and password managers.

Cisco Talos reported on Wednesday, June 18, that it had discovered a Python-based remote access trojan (RAT) named "PylangGhost", which it attributes to the North Korean hacking group "Famous Chollima" (also known as "Wagemole").

The group primarily runs fake job-interview campaigns built on social engineering, targeting job seekers and professionals in India who have cryptocurrency and blockchain experience. "From the advertised positions, it is clear that Famous Chollima is broadly targeting individuals with experience in cryptocurrency and blockchain technology."

The attackers built convincing fake recruitment websites impersonating legitimate companies such as Coinbase, Robinhood and Uniswap, and walk victims through a sequence of carefully staged steps.

The process begins with initial contact from a fake recruiter, who sends an invitation to a skills-testing website that collects the victim's personal information.

Victims are then asked to enable camera access for a so-called video interview. During it, they are told they need to install updated video drivers and are tricked into copying and executing malicious commands, which ultimately gives the attackers complete control of their devices. This "copy and run this command to fix your camera" step is the point at which the chain can be broken: no legitimate interview platform requires a candidate to paste commands into a terminal.

Cisco Talos said that PylangGhost is a variant of the previously documented GolangGhost RAT, and that the two share nearly identical functionality.

Once the commands are executed, the attackers gain remote control of the infected system and can steal cookies and credentials from more than 80 browser extensions.

These targeted extensions include various password managers and cryptocurrency wallets, such as MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink, and MultiverseX.

The RAT supports a wide range of commands, including taking screenshots, managing files, stealing browser data, collecting system information, and maintaining persistent remote access to the infected system.

Based on their analysis of the comments in the code, the researchers also consider it unlikely that the threat actor used large language models to help write it.

This is not the first time North Korea-linked hackers have used fake job offers and interviews to lure victims.

In April of this year, attackers linked to the $1.4 billion Bybit hack used fake recruitment tests laced with malware that specifically targeted cryptocurrency developers.


Original article: “North Korea Deploys New Information-Stealing Malware Targeting Cryptocurrency Practitioners”

Disclaimer: This article represents the personal views of the author only and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will verify it.
