A North Korea-linked hacking group has been tricking people in the crypto industry, especially job seekers, into downloading new malware that steals passwords for crypto wallets and password managers.

According to Cisco Talos, the threat intelligence and cybersecurity research division of Cisco Systems, the malware is a Python-based remote access trojan (RAT) called PylangGhost. It was created by a group known as Famous Chollima, also referred to as Wagemole.

The hackers have mainly targeted individuals in India with cryptocurrency and blockchain experience, using fake job interviews and social engineering tactics to carry out their attacks.

How do they lure victims?

The attackers set up fake job websites that mimic real companies like Coinbase, Robinhood, and Uniswap. They pretend to be recruiters and send out invitations to fake skill-testing sites, where they collect personal information through a step-by-step process.

In the final phase, victims are asked to turn on their camera and microphone for a fake video interview. During this session, they are tricked into copying and executing malicious commands on their computers, under the pretext of installing video drivers. This gives the hackers control over the victim’s device.

How does the malware work?

Cisco Talos reports that PylangGhost is a variant of a previously known malware called GolangGhost, and it functions in much the same way.

Once installed, it gives attackers full remote access to the victim’s system. It can steal cookies and login credentials from over 80 browser extensions, including popular crypto wallets and password managers such as MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink, and MultiverseX.
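The behaviour described above has a simple detection angle for defenders: the browser itself is the only process that should normally read its own extension storage and cookie database, so a script interpreter doing so is a strong signal. The following is an added example, not code from Cisco Talos or from the article, that runs such a rule over a few constructed file-access telemetry lines. The event field names (`ts`, `process`, `parent`, `op`, `path`), the profile paths, and the extension ID placeholder are assumptions for the demonstration; the Chromium profile subdirectory names (`Local Extension Settings`, `Network/Cookies`, `Login Data`) are the real ones.

```python
"""Flag non-browser processes reading Chromium extension storage or credential stores.

Added example (not from the article or Cisco Talos). The telemetry format is
assumed: one JSON object per line with ts, process, parent, op and path.
"""
import json

# Chromium profile directories/files holding extension state (wallets, password
# managers) and cookies. Matched as whole path segments, case-insensitively.
SENSITIVE_SEGMENTS = {
    "local extension settings",
    "sync extension settings",
    "cookies",      # .../Default/Network/Cookies or .../Default/Cookies
    "login data",   # saved browser credentials database
}

# Processes that are expected to touch those paths.
BROWSER_PROCESSES = {"chrome.exe", "chrome", "msedge.exe", "brave.exe", "chromium"}

# Script interpreters reading those paths are the highest-confidence signal here,
# since the article describes a Python-based RAT.
SCRIPT_INTERPRETERS = {"python.exe", "pythonw.exe", "python", "python3"}


def path_segments(path):
    """Normalise Windows/POSIX separators and return lower-cased path segments."""
    return [seg.lower() for seg in path.replace("\\", "/").split("/") if seg]


def touches_sensitive_store(path):
    """True if any segment of the path is a known extension/credential store."""
    return any(seg in SENSITIVE_SEGMENTS for seg in path_segments(path))


def classify_event(event):
    """Return an alert dict for a suspicious read, or None if the event is benign."""
    if event.get("op") != "file_read":
        return None
    path = event.get("path", "")
    if not touches_sensitive_store(path):
        return None
    proc = event.get("process", "").lower()
    if proc in BROWSER_PROCESSES:
        return None  # the browser reading its own profile is normal
    severity = "high" if proc in SCRIPT_INTERPRETERS else "medium"
    return {
        "ts": event.get("ts"),
        "process": proc,
        "parent": event.get("parent"),
        "path": path,
        "severity": severity,
    }


def scan_events(lines):
    """Run classify_event over JSON-lines telemetry, skipping malformed records."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry should not crash the detector
        alert = classify_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real data). The extension ID is a placeholder.
PROFILE = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
SAMPLE_LOG = [
    json.dumps({"ts": "2025-06-18T10:00:01Z", "process": "chrome.exe", "parent": "explorer.exe",
                "op": "file_read", "path": PROFILE + "\\Local Extension Settings\\EXTENSION_ID_PLACEHOLDER\\000003.log"}),
    json.dumps({"ts": "2025-06-18T10:02:14Z", "process": "python.exe", "parent": "cmd.exe",
                "op": "file_read", "path": PROFILE + "\\Local Extension Settings\\EXTENSION_ID_PLACEHOLDER\\000003.log"}),
    json.dumps({"ts": "2025-06-18T10:02:15Z", "process": "python.exe", "parent": "cmd.exe",
                "op": "file_read", "path": PROFILE + "\\Network\\Cookies"}),
    json.dumps({"ts": "2025-06-18T10:03:00Z", "process": "explorer.exe", "parent": "userinit.exe",
                "op": "file_read", "path": "C:\\Users\\alice\\Documents\\report.docx"}),
    json.dumps({"ts": "2025-06-18T10:05:30Z", "process": "backup.exe", "parent": "services.exe",
                "op": "file_read", "path": PROFILE + "\\Login Data"}),
    "this line is not json",
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_LOG):
        print(alert["severity"], alert["ts"], alert["process"], "<-", alert["parent"], alert["path"])
```

On the constructed sample the two `python.exe` reads are reported as high severity and the `backup.exe` read of `Login Data` as medium; the browser's own access and the unrelated document read produce nothing. In a real deployment the same rule would be fed from file-access telemetry (for example an EDR sensor or Sysmon-style events) and the benign-process list tuned to whatever legitimately reads browser profiles on the host, such as backup agents.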

This is not the first time North Korea-linked hackers have used fake job offers and interviews to target victims.

Back in April, the same group connected to the $1.4 billion Bybit hack used malware-laced fake recruitment tests to go after crypto developers.

By admin